Malware off the shelf, malware as a service
The BBC recently ran an article on how off-the-shelf malware makes hacking easy for novices.
Whether you’re looking for a complete product with 12 months’ technical support or just a component, it’s out there for sale.
The market resembles that for “normal” software. Hacking groups operate volume pricing schemes and discounts for loyal customers. Market economics also apply with the sheer number of tools for sale driving down prices. In turn, this drives the hackers to specialise, offer custom coding, and boutique attacks.
Along the same lines, security guru Peter Gutmann gives a great presentation called The Commercial Malware Industry (pdf, 670 KB). In it he describes how the malware industry today is at a “serious money can buy serious expertise” stage. Spam vendors are now employing professional linguists and phishers are using psychology graduates to scam victims.
Zero-day exploits are now bought and sold online. A sophisticated affiliate model operates. Malware is available as a service with video tutorials, try-before-you-buy, skinnable interfaces (!), and plenty of outsourcing vendors in Russia.
And just like in real life, the one who makes the most money is the middleman.
Peter’s presentation has a lot more technical details but the bottom line is chilling: the geekiest of geeks will have to go to great lengths to protect themselves; for everyone else, “put your head between your legs and…”