Despite the dubious success of botnets such as Zeus, which has infected thousands of machines around the world, malware authors apparently have plenty of business issues to worry about in earning a dishonest crust.
Zeus, described as the world's largest botnet, delivers a banking Trojan that sends stolen data back to those in control of the network. Like other cybercriminals, the creators of Zeus have taken more than one leaf out of the book of legitimate commercial software, including the concept of offering customers their malware in convenient modules.
ZDNet UK talks to Jon Ramsey, chief technology officer at managed security services firm SecureWorks, about the business models that malware authors are adopting.
Q: Is there really a shadow criminal IT industry that mirrors the legitimate commercial world?
A: If you look across the whole supply chain for criminality, there is a service provider for everything you would need today. The impact of that is to reduce the barrier to entry. So if someone wants to get into cybercrime, it's very easy.
You can just go and buy a whole bunch of services instead of building a whole bunch of services, whether it's a cash-out service, a laundering service, a malware service or bulletproof hosting.
Q: What are the typical business models that criminals use?
A: The botnet and malware authors have three models. They either develop malware and put it to their own use, or they develop the malware and sell it for other people to use. More recently, they have been using a pay-per-install model. The pay-per-install model is sort of a channel or VAR reseller model for the malware they develop.
For example, in the context of the Zeus botnet, it turns out that its authors develop it and then sell it for other people to use at good dollar amounts for a pretty good profit. Then the people using the Zeus malware often have a business model of stealing the identities and doing automated clearing house (ACH) fraud to profit from it.
Q: Then the pay-per-install model is a borrowing from the legitimate commercial world?
A: Zeus is a direct-sell model [not pay-per-install]. The authors sell it to criminals to go off and use. The interesting thing about Zeus is that what you purchase from the author is a kit, and the kit costs anywhere from $3,000 (£2,000) to $4,000. And there are individual features or functions that you can get as part of that kit.
So, for example, you can get the back-connect module for $1,500, which allows someone to submit a web request through a machine that is compromised with Zeus. Probably the most expensive module with Zeus now is the virtual network computing (VNC) module, which is about $10,000 and allows someone to take full control of a machine that Zeus has compromised.
When you buy the kit from the author, the author gets a hardware ID from you and puts it in the kit, so that you can only run that kit on the one machine you effectively have a licence for.
Q: So is it a form of digital rights management for criminals?
A: That's exactly right. Because what used to happen is that someone would buy the kit and then sell it on at half the price. Now, because the kit is specific to a machine, someone can't sell it on.
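To make the licensing mechanism Ramsey describes concrete, here is an added illustration in Python. It is not Zeus code and not SecureWorks' code; it models a node-locked check in which the vendor embeds the buyer's hardware ID in the copy of the kit they hand over, and the kit refuses to start on any other machine. The fingerprint inputs (hostname, MAC, architecture), the two constructed machines and the dict standing in for the kit binary are all assumptions made for the example.

```python
"""Illustrative node-locked licence check (added example, not the kit's own code)."""
import hashlib
import hmac
import platform
import uuid


def hardware_id(hostname: str, mac: int, arch: str) -> str:
    """Fold a few machine attributes into a stable fingerprint.

    The attributes are passed in explicitly so the result is deterministic;
    local_hardware_id() is the convenience wrapper that reads them from the
    running host. Normalisation (strip/lower, zero-padded MAC) keeps the ID
    stable across trivial differences in how the attributes are reported.
    """
    material = "|".join([hostname.strip().lower(), f"{mac:012x}", arch.lower()])
    return hashlib.sha256(material.encode()).hexdigest()


def local_hardware_id() -> str:
    """Fingerprint of the machine this script is running on."""
    return hardware_id(platform.node(), uuid.getnode(), platform.machine())


def build_kit(licensed_hwid: str) -> dict:
    """Vendor side: embed the buyer's hardware ID in the copy handed over.

    The kit is modelled as a dict rather than a patched binary (assumption).
    """
    return {"licensed_hwid": licensed_hwid, "payload": "<kit builder here>"}


def run_kit(kit: dict, hwid: str) -> bool:
    """Kit side: start only if this machine matches the embedded ID.

    compare_digest avoids leaking the embedded value through timing.
    """
    return hmac.compare_digest(kit["licensed_hwid"], hwid)


# Two constructed machines: the original buyer and a second-hand purchaser.
MACHINE_A = ("buyer-desktop", 0x001122334455, "AMD64")
MACHINE_B = ("second-hand-box", 0x66778899AABB, "AMD64")


def demo() -> dict:
    """Show the kit running for the buyer and refusing to run after resale."""
    hwid_a = hardware_id(*MACHINE_A)
    hwid_b = hardware_id(*MACHINE_B)
    kit = build_kit(hwid_a)  # buyer sends hwid_a, vendor builds for it
    return {
        "runs_on_buyer": run_kit(kit, hwid_a),
        "runs_after_resale": run_kit(kit, hwid_b),
    }


if __name__ == "__main__":
    print(demo())
    print("this host:", local_hardware_id())
```

Two caveats a practitioner would want. First, the check compares against a constant the buyer holds, not against a signature from the vendor, so anyone able to patch that constant can relicense the kit; a scheme like this stops casual resale, not a determined cracker. Second, the same property matters to analysts: a kit obtained without its matching machine will refuse to run in a lab until the embedded ID is replaced or the fingerprint inputs are spoofed.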
Q: If they are mimicking legitimate commercial IT industry business approaches, such as licensing, does that make them more likely to be identified?
A: Not necessarily. But the thing about being a criminal who sells a piece of malware is that you need to market yourself and you need to have a reputation.
If you are going to buy Zeus, and it's going to cost anywhere from $3,000 to $15,000, you're just not going to spend that kind of money with someone you don't know, especially as what you do know is that they are a criminal who you can't trust.
So what we see is criminals doing marketing and building up reputations, because it's a business. Just as on the legitimate side, you need to have a brand name and a market and a reputation. It's the same thing on the malicious side when you're in the business of selling software.
That [need to market themselves] is how we track groups and how we put pieces of the puzzle together around criminals. They come up with a name or a name of the group and they market themselves, and that's effectively how we track them.
Q: How do they market themselves?
A: Usually through websites. Earnings4u.com is a popular pay-per-install website, and they also use other means: word of mouth, referrals and references.
Q: These are essentially endorsements by satisfied criminal customers?
A: Yes. It's reference-based selling in many contexts. Another site, dogmamillions.com, uses a pay-per-install reseller model, and to be a member of the site you have to...