There is a lot to be worried about in this story at PCWorld.com. The most superficial news from Panda Software -- that malware is available for a price -- is disturbing enough. A bit of analysis makes the story even more depressing: The world of malware, it makes clear, has become highly commercialized and an ecosystem of sorts has sprung up around it.
In the good old days of hacking and cracking, efforts were amateurish -- hence the stereotypical ponytailed hacker working all night and existing on pizza and soda. That quaint image took root because it is reassuring. After all, how could a kid who probably had his lunch money stolen by the school bullies defeat the combined forces aligned to protect the Internet? (They often did, but that's another story.)
Now, the good guys are being confronted by someone their own size. The forces arrayed against IT department and security software vendors are formidable indeed. They include a dangerous lineup of organized criminals who don't do things for fun or to prove a point. They do things for profit, and they are deadly serious.
The gravity of the situation is driven home by a study released last week by security firm Finjan. The company says it has detected a growing number of malicious software packages -- "crimeware" -- in August. One type of crimeware -- MPack -- has infected more than 500,000 computers, according to Verisign. Other known packages include NeoPloit, IcePack, WebAttacker, AebAttacker2 and MultiExploit. New versions found by Finjan are random.js, vipcrypt, makemelaugh and dycrypt. The scariest part is that the toolkits, like legitimate software packages, are supported by reliable services such as updates that help them avoid detection.
The enfranchisement of organized crime in malware distribution is one reason that the rise in crimeware is so distressing. The other is related: The creation of these packages means that the bad guys no longer have to know anything about computers or software to make a buck. Just as anybody can pick up a shrink-wrapped antivirus program at Best Buy or download a program from the vendor, crimeware packages relieve criminals of the rather high entry requirement of having to know something about programming. That's a big deal in that it democratizes malware, for lack of a better term.
The rise in crimeware didn't start in August. SC News says that the Anti-Phishing Working Group (APWG) reported in May that there was a 7.4 percent increase in the number of crimeware-based phishing attacks over the previous high, which was in February. The piece notes that the number of crimeware attacks varies widely on a month-to-month basis.
According to Websense, the APWG defines crimeware as a "genus" of technology separate from adware, spyware and malware because it is solely intended for committing a business or financial crime. This ties in well with the organized crime angle, as does the definition later in this piece, which suggests that crimeware has the ability to target very specific bits of information for theft.
The precise definition of crimeware is important to the pros. One thing is certain for the rest of us: Crimeware is a big and threatening proplem. It's also likely that this type of attack will grow as more money is on the table, more organized groups get into the act and, perhaps most important, more dishonest people attempt to make a buck without truly learning their craft.