Hackers Offer Subscription, Support for Malware

Stony Stevenson writes "Organised gangs are taking a page out of security vendors' books and setting up their own websites that offer support and subscriptions for malware and spyware. From the article: 'For subscriptions starting as low as $20 per month, enterprises can sell fully managed exploit engines that spyware distributors and spammers can use to infiltrate systems worldwide, said Gunter Ollmann, director of security strategies at IBM's ISS X-Force team. Many exploit providers simply wait for Microsoft's monthly patches, which they then reverse engineer to develop new exploit code against the disclosed vulnerabilities, Ollmann said. "Then all you've got to do is just subscribe to them on a monthly basis.'"

Title somewhat misleading

[robinsonne]

When I first read the title, I thought it meant that hackers were now selling "protection" from malware in much the same way organized gangs have sold "protection" in the past. Perhaps a better title would be "Hackers organize, sell exploits as business"

Sounds like a trap to me

[Anonymous Coward]

Erm, if you're daft enough to sign up and give them your credit card details directly, doesn't that mean they no longer need bother writing the malware?

Putting the "organized" in "organized crime"

[Kelson]

When I saw the summary, I was half-certain it had to be a delayed April 1 submission. Then I looked at the article. And thought about it.

It actually fits a pattern we've seen with viruses, trojans, spyware, other malware, cracking, even spam. They've gone from small shops, often one programmer trying to make a name for himself, to full-on organized crime using businesslike structures and tactics.

How long?

[Anonymous Coward]

How long will these hackers be trusted by their colleagues? Eventually; the groups selling the subscription will be booted from the underground / aka no longer be trusted. Keep in mind: how do you know what they are selling is going to be accurate?

Just my .02 cents worth.

I am shocked! Shocked I say!

[symbolset]

erm, ok, maybe not. Anybody whose job it is to track such things who thinks this is news, well, they're not doing their homework.

The exploit ecosystem has evolved an organism that appears to be self-aware.

If only there were an environment that was safe from such evil organisms, where they could not thrive...

Re:Automatic updates

[qwijibo]

They can make even more money offerring several consecutive levels of patches and exploits. There will always be someone willing to pay for the level of protection or exploit beyond what's commonly available for the low monthly maintenance fee.

People just don't seem to get it

[cdrguru]

Wow, wouldn't it be wonderful if Microsoft finally got it and made Windows really secure?

No, it wouldn't It wouldn't sell, nobody would use it and it would be a complete flop.

Windows is designed to be usable by people without one little bit of computer knowledge. It therefore does things "for you" in the background that can be good and helpful. If they are subverted, they are bad and insecure. Take all of this away and leave just the command line and Windows would be much more secure, but it would be unusable by most people.

If it is programmable and the programming can be added to or modified in the field, it needs controls on who can modify that programming. If the inexperienced user can, it isn't secure. Period. When users run programs to install games they purchased they are using the same resources as when the click on an email attachment to install some bit of malware. They have no way of knowing the difference and it would seem no amount of education is going to fix that problem.

What most people need is a locked-down appliance that cannot be modified in the field without extraordinary effort. And certainly cannot be modified over the Internet. This could be user friendly and secure, but you wouldn't install software on it, ever.

Windows is trying to be user friendly and general-purpose. This has no choice but to fail to be very secure. The user cannot tell the difference between a program that is from Microsoft that is something they want and a program from microSoft that isn't something they want at all. Or from MircoSoft. Or really, anyone else at all. Sure, you can try to give them a chance to tell the difference - and Vista does try - but it isn't going to work. People gave up reading messages from computers and just click OK beginning in 1979 with CP/M and they aren't about to change now.

I contend that there is no material difference between the security present on a Macintosh or Linux and Windows in the hands of a user that doesn't understand how the system works. If they get an email that says to run some program, they are going to run it if they want what the email says they are going to get. If this requires using sudo to get root authority, they will do so if they have the ability to do it.

So how do you have security in that environment? You don't. You can't ever be secure against the naive user in charge of their own computer.