
Seeking Competitive Advantage, For Malware

jc_chgo writes "Brian Krebs over at the must-read KrebsOnSecurity.com writes about the rivalry between two competing authors of nasty credential-stealing malware. The newer (SpyEye) can remove the older (Zeus) on any system it infects. Meanwhile, Zeus is so successful prices have gone way up for the new version. These 'crimeware kits' are freely available for purchase, and have enabled millions of dollars in thefts. The buyers of the kits prey primarily on small businesses by using wire transfers out of bank accounts. This is a problem that is only going to get bigger over time."
This discussion has been archived. No new comments can be posted.

  • Re:What...? (Score:5, Informative)

    by Restil ( 31903 ) on Friday April 02, 2010 @09:29PM (#31711972) Homepage

    Here's the problem:

    Assuming the people who wrote and sell this software reside in the US or some country which will happily extradite them for us, it's possible that what they're doing isn't technically illegal. They're not actually USING the software, just selling it. This is somewhat equivalent to someone selling lockpicks. Granted, this software probably has no legitimate purpose, except perhaps to be used for security audits or something. However, even if it IS illegal, to get the Feds involved will require an almost certain guarantee of conviction. They want a jury to be debating the length of the sentence, not whether or not the suspects are actually guilty or not. If there is enough legal doubt as to whether or not a crime was even committed, the Feds will be leery of even getting involved.

    So fine, let's pass a law making the creation and/or publication of software that has mostly malicious intent. That'll be good... right? The only problem is, Congress gets to write that law. This means three things. First off, the law will likely be written in a way that is so vague that it ends up not only applying to the software in question, but half of the legitimate software ever written. Before you know it, all advertising, security software, operating systems other than Windows, and of course, the ping program, will now be considered illegal... technically. This means that the law will end up not being enforced. Next, they will be sure to word it in such a way as to render it unconstitutional, so next thing you know, the Supreme Court will tie it up for 10 years, and finally kill it. And finally, you can't pass a law without attaching a large number of completely unrelated riders, which will end up causing parties opposed to the riders to vote against and/or filibuster the bill, which causes the other side to insist that the opposing party WANTS people to have their banking credentials stolen... and so on.

    Anyways, to answer your question, Yes. You were simplifying it. It would be MUCH easier to just find a way to sneak a few images of child porn on one of their computers, and shut them down that way. THAT avenue at least seems to have no roadblocks.

    -Restil

  • by Mattpw ( 1777544 ) on Friday April 02, 2010 @09:58PM (#31712162) Homepage

    No transaction can occur at our bank without our signature. That means someone has to get off their dead ass and go to the bank and authorize it with proper credentials. It sucks. Someone has a job just to do this. All of the crap is generated on a computer, but until that person toddles over there and signs off on it, nothing happens.

    The problem with a lot of these more manual authentication systems is that while it sounds good from a security point of view, it is quite possibly easier to circumvent the authentication procedure than the complexity with which the trojans are going through. A lot of people think manual phone-based authentication like the SMS authentication option is a good idea; however, the real authentication strength is only as strong as convincing the target's telephone company to forward all their calls to their "new" number. The real authentication is usually only as strong as knowing the target's birthday or similarly googleable information.
