The Reign of Greed: A Look at Trojan Extortionists

In Roman Catholic belief, there are seven deadly sins – pride, avarice/greed, lust, envy, gluttony, anger, and sloth. The history of malware activity and prevalence follows two of those sins – pride and envy. Where malware authors once unleashed their creations on the world to become known, nowadays they are driven by money. And who wouldn’t be? Consider the following cases:

  • In November 2005, the US Federal Bureau of Investigation arrested Jeanson James Ancheta for installing and using a botnet to install adware delivery programs. This venture allegedly netted him US$60,000. He also got a spanking new BMW, highly unusual for a 20-year-old. (Wired News)
  • In August 2004, the FBI charged Jay Echouafni with renting botnets to perform denial-of-service (DoS) attacks against the Web sites of his company’s competitors, causing US$3 million in losses for three companies and an Internet Service Provider. (TechWeb)
  • In January 2006, the Million Dollar Homepage (www.milliondollarpage.com) was taken down by a botnet-driven DoS attack after its owner, Alex Tew, refused to pay US$50,000 in “protection money”. (Netcraft)

Those are big bucks. And it is easy for script kiddies to earn money, what with bot source code available everywhere, new vulnerabilities to be exploited, and adware companies looking for delivery mechanisms and install bases. And given human gullibility, installing bots, spyware, and adware is easy through clever social engineering – spreading is just one click away! And money is just a few network packets away!

Depending on their level of sophistication, malware authors and malicious hackers employ the following tactics to earn money:

  1. Using a program to steal bank account information and credit card numbers – this includes spyware and keyloggers.
  2. Phishing – humans tend to be gullible, and it is easy to fool users by just displaying a look-alike Web page with forms, and voila! Malicious criminals laugh all the way to the bank.
  3. Mafioso-like tactics – those without enough sophistication in life (or enough brain cells) use brawn. There’s always one bully on the street corner, and the cyberworld is not far behind.

Extortion is a time-tested bully tactic to get money. The Mafia used it, your neighborhood bully did it, and now, cyberspace is not spared.

TROJ_CRYZIP.A (Trend Micro; Trojan.Cryzip – Symantec) is an extortionist Trojan that was discovered on March 11, 2006. It compresses common document files and password-protects the compressed archive, so the user cannot decompress the files without the password. Whoa! Where are my files, the witless user might ask. But wait! There’s a text file left behind, which details how the user can get his files back. All he has to do is open an E-gold account and deposit US$300. When the payment is confirmed, the password is supposedly sent via email. Ingenious.

Whoever did it is a true bully – brawn more than brains. Analysts at Trend Labs found that the password – C:\Program Files\Microsoft Visual Studio\VC98 – is hardcoded in the Trojan’s code. Not ingenious.
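As an added illustration (not from the original article or from Trend Micro), the following Python check looks for the behavioural footprint described above, documents vanishing while archives and a short payment note appear, over two constructed directory snapshots. The document and archive extensions, the note keywords and the threshold are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed heuristics (not from the article): document types such a Trojan
# would go after, the archive types it leaves behind, and wording typical of
# a payment note. Tune these before relying on them.
DOC_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".mdb", ".rtf", ".jpg"}
ARCHIVE_EXTS = {".zip", ".rar"}
NOTE_RE = re.compile(rb"password|decrypt|pay|e-?gold|\$\s?\d+", re.I)

@dataclass
class Verdict:
    suspicious: bool
    vanished_docs: list = field(default_factory=list)
    new_archives: list = field(default_factory=list)
    notes: list = field(default_factory=list)

def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""

def analyse(before, after, min_docs=3):
    """Compare two {path: content_bytes} snapshots of one directory and flag
    the CRYZIP-style pattern: several documents gone, archives appeared in
    their place, and a small new text file that reads like a ransom note."""
    gone = sorted(p for p in before if p not in after and _ext(p) in DOC_EXTS)
    new = [p for p in after if p not in before]
    archives = sorted(p for p in new if _ext(p) in ARCHIVE_EXTS)
    notes = sorted(p for p in new if _ext(p) == ".txt" and len(after[p]) < 4096
                   and len(NOTE_RE.findall(after[p])) >= 2)
    suspicious = len(gone) >= min_docs and bool(archives) and bool(notes)
    return Verdict(suspicious, gone, archives, notes)

# Constructed sample snapshots: a user folder before, after an extortion
# Trojan ran, and after the user simply archived their own documents.
BEFORE = {"budget.xls": b"...", "report.doc": b"...", "memo.rtf": b"...",
          "scan.pdf": b"...", "notes.txt": b"lunch at noon"}
AFTER_ATTACK = {"budget.xls.zip": b"PK..", "report.doc.zip": b"PK..",
                "memo.rtf.zip": b"PK..", "scan.pdf.zip": b"PK..",
                "notes.txt": b"lunch at noon",
                "HOW_TO_GET_FILES.txt": b"Your files are archived with a password. "
                                        b"Pay $300 to our E-Gold account to get the password."}
AFTER_BENIGN = {"archive.zip": b"PK..", "notes.txt": b"lunch at noon"}

if __name__ == "__main__":
    print(analyse(BEFORE, AFTER_ATTACK))
    print(analyse(BEFORE, AFTER_BENIGN))
```

The benign snapshot shows why the note is part of the check: a user zipping their own documents removes the same files and adds an archive, but leaves no payment instructions.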

It is also not original. TROJ_PGPCODER.A (Trend Micro; Trojan.Gpcoder – Symantec; PGPCoder – McAfee), discovered on May 21, 2005, encrypts the files (rather than compressing them) and leaves instructions on how to get the decoder. And recently, a new variant, TROJ_PGPCODER.C (Trojan.Gpcoder.D – Symantec), was discovered on January 30, 2006. It uses a more complex encryption algorithm (RSA) than the previous variants. Despite the advances made by PGPCODER, Trend Micro has created fix tools that undo the damage done by these Trojans.

Anyway, extortion attacks are very rare: they are unsophisticated, require more effort than usual, and require interaction between the bully and the victim. Why exert more effort and risk capture when there are stealthier means of getting money?

And with profit on the minds of malware authors, the first consideration is how to avoid being caught. The current onslaught of SDBOT worms employs rootkits – those nasty pieces of code that allow these worms to run unhampered and undetected. However, the presence of several payloads gives away their existence on an affected computer, and malware authors can only hope and pray that affected users remain clueless about how their computers are turning into zombies. And don’t run an antivirus, of course. So malware authors should concentrate less on payloads and damage if they don’t want to be caught.

The second consideration is how to spread copies of their handiwork. When it comes to social engineering, SOBER worms are the best. Most bot worms exploit security holes and scour for open network shared folders. FEEBS variants use file names that entice P2P users on the lookout for cracked installers. The ways to fool gullible users are almost endless. It works, but again, it has a face, and ultimately it betrays the intent. So the way to go is to exploit human gullibility while at the same time employing tactics that maintain secrecy. When a malware author combines these ways, you get malware that spreads thoroughly and quickly.

Malware authors have learned from the past; it does not pay to be bold. Most of the authors of high-profile malware have already been caught. The money is in secrecy. Malware authors have the tools at hand, the scripts are there for the taking, and cold cash is just clicks away. Thus begins the reign of greed.

(Author’s Note: This was submitted for consideration in an internal company newsletter; since it was not chosen, the author posts this article for the whole world to see, constraints for that action being lifted.)