December 17, 2009

Are AV Researchers Feeding the Spam/Malware Economy?

Before I stir this pot, let me say up front that I am not accusing any legitimate antivirus software company of intentionally doing anything bad. It's just something that has crossed my mind in the past and came spilling out today.

What prompts this post is a SophosLabs blog entry that describes how a pair of malware infections work. This is important information for security researchers and should be published.

To complete their investigation of how the infection worked and what the infection consisted of, they allowed their test machine to be infected. In particular, "the iframe payload was delivered."

My question is: What if the malware spreader is paid for each delivery (trackable at the server end) or each installation (trackable when the malware phones home or responds to control commands)? Take into account the dozens of antivirus firms and probably an order of magnitude more independent researchers (academics, governments, curious nerds), and you could have a sizable number of financial transactions taking place as a result of this research — even if not a single login credential is lifted or working bot put into operation.

As I impress on readers of Spam Wars, it doesn't take much to make an evil internet campaign work to the financial benefit of the originator or facilitator, whether it be spam for fake diplomas or secretly installing adware onto PCs (the latter has been well-documented in legal actions against adware purveyors). Costs are so low that just a handful of users acting on the messages may be sufficient to reach the break-even point.

I even cringe a bit when U.S. government agencies order spam-driven medz, not necessarily to track down and prosecute the networks, but just to test the efficacy of the pills and patches arriving from overseas in unmarked brown mailers. On the one hand, the public should be told that such medz are usually of little medicinal value (if not outright hazardous); on the other hand, the spammers and medz makers don't care if buyers flush the product down the toilet: The money has already changed hands and encourages more spamming because it succeeds in generating revenue.

Even if I had my way that every internet-surfing, email-reading internet user in the world knew to filter, ignore, and delete every spam message and malware lure intended for the inbox, I still wonder: Would researchers keep the underground economy going?

Posted on December 17, 2009 at 10:31 AM