Web 2.0 Sites a Thriving Marketplace for Malware

Beyond YouTube

YouTube is a popular venue for ads from malware makers, with videos for supposedly undetectable Trojan horses, "packers" that compress and obfuscate malware payloads, and even password stealers for breaking into Steam online game accounts. (Asked about the trend, a spokesperson says that YouTube doesn't control site content, but that it will investigate if viewers report videos as inappropriate.)

Advertisements from Internet bad guys don't stop with YouTube. According to Jackson, many online thugs maintain profiles on social networking sites and blogs to keep in touch with their business partners and customers. Many botnet controllers, who sell time on their networks of bot-infected PCs to spammers and other crooks, keep blogs on the livejournal.com site, Jackson says.

The crooks who use these profiles and blogs may not give themselves away with direct references to nefarious malware activities. But the sites provide a more distributed, harder-to-track way of keeping in touch than using one particular underground site. They may also offer a platform for spouting fascist ideology, as Jackson says of one Russian underground figure known as 'lovinGOD,' or some other pseudo-philosophy that ties one or more of these groups together.

And the pages advertise the bad guy's contact info--an ICQ handle, say, or some other way to get in touch about buying or selling malware.

The profiles offer "the capability of hiding in plain sight," says Tom Bowers, senior security evangelist with antivirus-maker Kaspersky Lab. Thankfully, they're not entirely hidden. Bowers says he works with law enforcement professionals, who try to track the bad guys through social networks. But the crooks are watching the cops, too.

The researchers at the SpywareGuide Greynets Blog recently discovered that malware pushers, pedophiles, and other criminals on MySpace were using a trick to track their trackers. A few lines of JavaScript code inserted on a profile meant that if you happened across that page, "you [were] automatically subscribed to that person's video channel." That meant the profile owner got "a record of every single Myspace user that has visited [his] profile page." (MySpace says it's working on closing this hole.)

Limits of the Law

All these public ads and profiles can help law enforcement glean useful data for investigations. But since selling malware isn't illegal, they're unlikely to lead directly to prosecutions.

Of course, using malware is clearly illegal. And a Department of Justice spokesperson says the department could charge a virus vendor with aiding and abetting, or conspiracy to commit a crime, if it busted someone else who used that purchased malware to infect a PC. But the prosecutors would have to prove the seller intended for the code to be used in criminal dealings, instead of, say, security research, which makes such a case a fair bit harder. The spokesperson said she couldn't find any instances of actual prosecutions of this type in her initial search of cases.

And that's just in the United States. In many parts of the world, bringing known phishers and malware lawbreakers to justice isn't exactly a priority.
