
Malware for sale

A Russian website offers insight into the malware business model.

As with many just-launched e-commerce Web sites, this particular site has a fairly functional, if somewhat rudimentary, home page. A list of links points to an FAQ section, spells out terms and conditions for using the software offered on the site, and provides details about the supported forms of payment.

But contact information is sparse - probably because the merchandise advertised on the site isn't exactly legitimate. What's available there is malicious code that webmasters with criminal intent can use to infect visitors to their sites with a spyware Trojan horse.

In return for hosting the malware on their sites, Web site owners are promised at least €50 - about $66 - every Monday, with the potential to get even more money for "clean installs" of the malicious code on end-user systems. "If your traffic is good, we will change rates for you," the site promises.

'Exploit Engines' for Sale

As organised gangs of crooks increasingly turn to cybercrime, Web sites like that one are coming to represent the new face of malware development and distribution, according to security researchers. They said that unlike earlier malware writers, who tended to distribute their code to tight groups of insiders or within underground newsgroups, the new breed hawks its wares in a more professional manner.

Over the past year or so, "we've been seeing a growth of highly organised 'managed exploit providers'" in countries that don't have extradition treaties with the U.S., said Gunter Ollmann, director of security strategies at IBM's Internet Security Systems X-Force unit. For subscriptions starting as low as $20 per month, Ollmann said, such companies sell "exploit engines" that spyware distributors and spammers can use to infiltrate systems worldwide.

The available exploit code is usually encrypted, uses a range of morphing techniques to evade detection by security software and can exploit various vulnerabilities, according to Ollmann. He added that many exploit providers simply wait for Microsoft Corp.'s monthly patches, which they then reverse-engineer in an effort to create new code that can take advantage of the disclosed vulnerabilities.

Don Jackson, a security researcher at SecureWorks Inc. in Atlanta, discovered one such site in January while investigating a Trojan horse called Gozi. Jackson said Gozi was designed to steal data from encrypted Secure Sockets Layer streams and send it to a server in St. Petersburg, Russia. The program took advantage of a vulnerability in the iFrame tags of Internet Explorer and had apparently been planted on hosted Web sites, community forums, social networking sites and sites belonging to small businesses.

The server in Russia held more than 10,000 records containing confidential information belonging to about 5,200 home users, Jackson said. He added that it was maintained by a group called 76Service and contained server-side code for stealing data from systems, plus administration and data-mining interfaces.

According to Jackson, criminals looking for stolen passwords, credit card numbers and other personal information could log in, view indexed data and run queries. He said each query had a price associated with it, stated in WMZ - a form of electronic currency supported by Moscow-based WM Transfer Ltd's WebMoney online payment system.

The Gozi code itself appears to have been purchased by 76Service from a Russian hacking group called the HangUp Team. Jackson said such code typically costs about $1,000 to $2,000, depending on how sophisticated it is. Often, he added, groups such as the HangUp Team also offer a detection-monitoring service through which they keep an eye on antivirus vendors so they know when security tools can detect their malware.

"We're not talking about kids doing it for kicks over the weekend anymore," said Yuval Ben-Itzhak, chief technology officer at Finjan, a San Jose-based security software vendor. "This is real cash, real money, that's involved here."
