Security Firms Bust Malware-for-Sale Racketeers

Panda said it intercepted information pinched by the malware , including "hundreds of user names and passwords for banks, telecommunication companies, hotels, airlines and international betting services.

Business Model for Crime

"From the FTP logs that we were able to see, which is where information from infected PCs came streaming in, many, many thousands of PCs were infected," Panda Chief Technology Officer Patrick Hinojosa told TechNewsWorld.

However, another security firm, Islandia, N.Y.-based eTrust Security Management, discounted the breadth of the threat. "We have several samples of the Trojan, but we haven't seen a particularly unusual outbreak, and we haven't seen an unusual level of danger," Sam Curry, vice president for product management, told TechNewsWorld.

The distribution of the malware was being handled like a business , Hinojosa noted. The basic Trojan was being sold for US$990. Then additional modules could be purchased for tasks such as hacking servers to retrieve stolen password information and compromising FTP sites to store the ill-gotten gains.

Paradigm Shift

Panda and RSA were able to shut down some malignant servers, Hinojosa said, and have turned over the findings of their forensic investigation to law enforcement authorities in Russia and Eastern Europe. No arrests have been made in the case as yet.

"It was a whole business model centered around selling this type of software to criminals. The malicious software was created and sold to criminal organizations so they can steal data," Hinojosa explained.

"It's a lot different from the old days of the virus writer wars of who can gain the most notoriety," he added. "Briz.A is a whole paradigm shift in criminal activity on the Web."

Popularized by Sony

What makes this Trojan particularly pernicious is its use of rootkit technology. "It uses rootkit technology to inject these processes into a system so they stay hidden, and it's almost impossible by using standard methods to clean off a system," Hinojosa said. "It's a piece of software designed to maximize ROI for the criminal."

Stealth, not notoriety, is the main selling point for this kind of software , he explained. "The people buying it want it to remain running undetected because they're making money off the captured data."

Rootkits were a relatively esoteric technique to hide malware until one large entertainment company created a hornet's nest of controversy by using one in its digital rights management scheme, according to David M. Perry, global director of education for TrendMicro, an antivirus software maker in Cupertino, Calif.

"All the publicity that Sony (NYSE: SNE) got promoted the idea of rootkits among the malware community," he told TechNewsWorld.

Romulan Stealth Drive

"We refer to a rootkit as the Romulan Stealth Drive for a virus, Trojan or worm," Perry said. "What the rootkit does is, it makes it almost impossible to detect itself and the malware that it's protecting."

What makes rootkits so difficult to detect is that they control fundamental tasks performed by a computer's operating system.

Whenever an antivirus program is ready to scan a file with a rootkit in it, the rootkit, which has control of the system, instructs the program to skip the file or tells the scanner it's something it's not -- like Windows notepad, TrendMicro Senior Anti-Virus Researcher Bruce Hughes explained to TechNewsWorld.

"Rootkits are going to be the leading kind of malware by about September," Perry predicted.