I have been spending a lot of time recently exploring the criminal underworld. The shadow internet economy is a $105 billion business and involves tens of thousands of participants – a market even bigger than the global drug trade.
As senior architect and chief malware researcher at messaging and web security provider MessageLabs, I am on the front lines of the internet daily, exploring and infiltrating the very websites and chat rooms that the bad guys are using to assemble their next attack.
Speaking Russian fluently, I am able to understand more of the websites, chat forums and exchanges that are very active in online crime. What I have discovered is disturbing. The shadow economy is more specialized and sophisticated than we ever believed possible. Online criminals boast of making $10,000 a day and there is little chance of ever being caught. The shadow economy operates similarly to the global economy with price competition, division of labor, specialized trade and marketing.
The crime starts with the malware author who creates a new virus, Trojan or spyware to infect a computer. These authors market their software in the hopes that a middleman will buy it. Off-the-shelf malware sells for about $250, and $25 per month gets a subscription to updates that will ensure the program evades detection. The middleman uses a botnet to spread his newly purchased malware, using its massive computing power for widespread spamming. As innocent, unassuming computer owners begin to respond, the middleman collects stolen credit card numbers with complete identities, which he can sell for around 3 percent of the remaining card balance.
Some middlemen make a business out of laundering stolen credit cards, using a drop service to receive the goods purchased with a stolen credit card. An elaborate system of guarantors and escrow accounts has also emerged to regulate transactions in the underground. This proves that the market is growing more and more sophisticated and is driven by economics and the participants who value their long-term reputation in the shadow economy.
It is clear that the front runners in the shadow economy are constantly working to improve the quality of the products that they sell, testing them against anti-virus mechanisms to guarantee their products are effective. Every time a vendor updates its anti-virus product, the malware author creates a new version. In fact, malware authors can produce new malware as fast as every 45 seconds to keep it undetected.
For those of us in malware detection, this means that there is no end to malware in sight. Heuristic detection is the only surefire way to prevent the bad guys from propagating more malware.