
The Money is in the Malware

Once used by fringe techie groups as a way to make political statements or to exert their dominance over the “system”, malware is now used in one of the most prosaic of ways: to make money.

In a recent threat report, Symantec outlines the unsettling new trend of cybercriminals capitalizing on their technological prowess by selling attack toolkits. These “kits” are sets of prewritten malicious code that take advantage of known vulnerabilities in software and operating systems and can be used to facilitate widespread attacks on unprotected networks (mobile phones included). Symantec found that 61% of the web-based threat activity they observed in 2010 was directly attributed to these kits.

Marc Fossi, Manager of Development and Security Response for Symantec, was quoted in a recent article in PC World saying that these attack toolkits are sold much like mainstream software, only on the black market. A common criminal with little or no technological background can purchase one of these ready-made sets of destruction for between $40 and $8,000 (depending on software sophistication and the level of backend support they desire), and use it to steal identities, launder money, or wreak widespread havoc.

Developers also actively advertise their products on the internet and continually innovate to make them more effective. They provide installation and support services, an array of capabilities and options, and customers receive automatic updates so they can avoid detection. Attack kit developers even offer a subscription-based payment plan so that long-term money-making projects stay operational (according to an article published by “Government Security News” earlier this year).

Almost sounds like a legitimate business, doesn’t it? And technically, it is. According to Kevin Haley, Symantec’s Director of Security Response, it isn’t actually illegal to develop an attack toolkit. It’s only illegal to use one to commit a crime. So developers are free to fight over customers, fill niches, create cheap knockoffs of each other’s products, and engage in M&A activity. Like other legitimate companies, they also fear piracy and install backdoor code to monitor their customers’ activities. Sometimes, they even steal their customers’ stolen data.

Two groups, who call themselves Zeus and SpyEye, currently have competing products on the market. While the Zeus ATK allows cybercriminals to claim they are a version of legitimate software so as to convince the victim to download their software, the SpyEye version targets people who already have the malware on their PC.

When victims visit their banking website on their mobile phone, the SpyEye Trojan prompts them to download and install their product so that it’s used for transaction authorization.  Cybercriminals then use this authorization to pilfer thousands of dollars from users’ accounts.

But who are these cyber mobsters? Security experts say they’re industrious former and current members of well-known hacking groups who remain hidden behind opaque curtains of code. There have been a few instances in which identities were divulged, but they were the result of group infighting or punishment for potential mutiny.

While law enforcement does its best to track and catch these criminals, security experts agree that up-to-date antivirus software and safe internet practices are the best way to protect yourself.
