YouTube is a popular venue for ads from malware makers, with videos for supposedly undetectable Trojan horses, "packers" that compress and obfuscate malware payloads, and even password stealers for breaking into Steam online game accounts. (Asked about the trend, a spokesperson says that YouTube doesn't control site content, but that it will investigate if viewers report videos as inappropriate.)
Advertisements from Internet bad guys don't stop with YouTube. According to Jackson, many online thugs maintain profiles on social networking sites and blogs to keep in touch with their business partners and customers. Many bot
The crooks who use these profiles and blogs may not give themselves away with direct references to nefarious malware activities. But the sites provide a more distributed, harder-to-track way of keeping in touch than using one particular underground site. They may also offer a platform for spouting fascist ideology, as Jackson refers to one Russian underground figure known as 'lovinGOD,'
And the pages advertise the bad guy's contact info--an ICQ handle, say, or some other way to get in touch about buying or selling malware.
The profiles offer "the capability of hiding in plain sight," says Tom Bowers, senior security evangelist with antivirus-maker Kaspersky Lab. Thankfully, they're not entirely hidden. Bowers says he works with law enforcement professionals, who try to track the bad guys through social networks. But the crooks are watching the cops, too.
Limits of the Law
All these public ads and profiles can help law enforcement glean useful data for investigations. But since selling malware isn't illegal, they're unlikely to lead directly to prosecutions.
Of course, using malware is clearly illegal. And a Department of Justice spokesperson says it could charge a virus vendor with aiding and abetting, or conspiracy to commit a crime, if it busted someone else who used that purchased malware to infect a PC. But the prosecutors would have to prove the seller intended for the code to be used in criminal dealings, instead of, say, security research, which makes it a fair bit harder. The spokesperson said she couldn't find any instances of actual prosecutions of this type in her initial search of cases.
And that's just in the United States. In many parts of the world, bringing known phishers and malware lawbreakers to justice isn't exactly a priority.