A security firm has uncovered an easy-to-use, affordable tool for making a variety of customized Trojans—from downloaders to password stealers—on sale at several online forums.
The tool, discovered by PandaLabs, is called Pinch. It allows cybercriminals to specify what type of password they want their Trojans to steal, whether for e-mail or system tools.
Pinch also has encryption capabilities to ensure that nobody intercepts stolen data. Pinch's interface also has a SPY tab that lets criminals turn Trojans into keyloggers. In addition, the tool can design Trojans that snap screenshots from infected computers, steal browser data and look for specific files on the target system.
Pinch is impressive, but it's just one sample of the array of crimeware for sale in malware markets and covered in a recent report from PandaLabs titled "The Price of Malware."
Malware has, in fact, increased 172 percent over the past years, according to the security firm. PandaLabs credits the bulk of this increase to customized Trojans, malware tailored to infect a specific user or group of users.
PandaLabs has tracked several instances of the use of malware in the past few months. One example is a variant of the Briz Trojan, called Briz.X, that had already stolen over 14,000 users' bank account information by the time it was detected.
"As occurs in legitimate businesses, this illegitimate activity has caused a very active black market," PandaLabs said in a release about the report.
That malware market operates entirely online, with most sites hosted in Eastern European countries, but a percentage are found worldwide thanks to mafias that have extended their networks.
"Although it may look difficult to find Web pages where these tools are sold, it is not. All you have to do is search in browsers for forums where hacking services are rented or where Trojans are sold," said Luis Corrons, technical director for PandaLabs, in the release.
PandaLabs' research shows malware selling on underground forums for between $350 and $700. Trojans that install software to steal passwords to access online banks, known as snatch or Limbo Trojans, cost $500 to $600. Other malware on sale can hide Trojans, encrypt stolen data or turn infected computers into zombies for bot networks.
Prices too steep? Special deals abound. The first 100 cybercriminals to respond to one listing for a $500 Trojan that captures pay-service accounts—such as Webmoney—get 20 percent knocked off.
For the true bargain hunter, there are Trojan logs. A 50MB Trojan log, with stolen accounts, e-mail passwords, bank details and the like, can be had for as little as $30. The Trojan authors even guarantee a "profitable" data percentage.
Wondering whether purchasing malware at these prices can be profitable? PandaLabs ran a few calculations to find out. Say a cyber-crook were to purchase a Trojan for $500, a 1 million-address mailing list for about $100, a $20 encryption program, and a $500 spamming server. The total outlay would be $1,120.
Given a 10 percent success rate, which PandaLabs said is "really low," hackers could infect 100,000 people. If the criminals managed to steal bank details from 10 percent of infected systems, that means access to 10,000 bank accounts and funds therein.
"Just imagine the money a normal person could keep in the bank and multiply it by 10,000 to calculate the cybercrooks' profits," said the report.
Stealth, of course, is important. Crooks tend to siphon off small amounts from cracked bank accounts as opposed to draining them completely, which would alert users.