Cybercrooks duel antivirus firms--and each other

Cybercriminals are increasingly fighting each other, as well as antivirus vendors, in pursuit of illegal gain, Kaspersky Lab has warned.

The antivirus provider said Tuesday that as profits from cybercrime grew in 2005, criminals increasingly tried to prevent antivirus providers from developing protection against the latest threats. "Honeypots," or lightly protected systems set up to collect samples of malicious software for antivirus companies, were a prime target, Kaspersky said.

Criminals can use legions of compromised "zombie" computers, called "botnets," to bombard honeypot networks with data to hinder or stop them working, according to Kaspersky's "Malware Evolution: 2005, Part 2" report, published Monday.

"If the bad guys are aware of a network that looks suspicious because it's too unprotected--to lure bad code--they can take steps like launching (distributed denial-of-service) attacks against that honeypot network. They can then launch other attacks simultaneously (against other targets)," said David Emm, senior technology consultant for Kaspersky.

Worms can also be programmed to avoid domains known to be monitored by antivirus companies.

"Criminals will employ whatever evasive techniques they can," Emm said.

In 2005, cybercriminals increasingly used techniques such as creating their own packing mechanisms to compress malicious code, so that they could try to avoid detection by antivirus software. Creators of malicious software also now routinely include code that will try to either disable antivirus updating mechanisms on infected machines or remove antivirus software completely, Emm said.

Cybercriminals are also increasingly targeting one another to maximize financial gain, according to Kaspersky's research. "It's like any kind of economic venture. Those that get smarter survive. Organized criminal structures are run as businesses, and they take over smaller guys," Emm said.

Kaspersky also said that cybercriminals often launch distributed denial-of-service attacks against rivals to stop them from operating, and they attempt to hijack each other's botnets. They also program their software to attempt to disable any other malicious software that has already been installed on an infected PC.

"Criminals have realized that it is much simpler to obtain already infected resources than to maintain their own botnets or to spend money on buying parts of botnets which are already in use," Yury Mashevsky, a virus analyst at Kaspersky, said in the report.

Kaspersky also reported that it had detected a five-fold increase over 2005 in the amount of malicious software designed to steal financial information.

Tom Espiner of ZDNet UK reported from London.