They are well organized. They pay close attention to product quality, working hard to make it effective and scalable. They are all about customer service, providing after-sales support. They even solicit the help of their customers in product development.

All admirable qualities. But all in the service of theft.

They are malware merchants; in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for Malware as a Service (MaaS).

"The life cycle of (malware) products is the most amazing aspect," writes Pierluigi Paganini, a certified ethical hacker and founder of Security Affairs in Italy, in an article posted this past week on Infosec Island. "From design to release to after-sales support, each stage is implemented in every detail with care and attention."

One of the most famous examples is the Zeus Trojan, designed to steal banking information, which can be customized with new features demanded by its customers. There are an estimated 3.6 million computers in the U.S. that have been compromised by Zeus botnets.

In early January, the Israel-based security firm Trusteer reported on a new version of the SpyEye Trojan that, somewhat like a security camera hack, swaps out banking web pages to prevent account holders from noticing that their money is gone.
Not that the botnet market is new. But it is maturing, and is more diversified and dangerous than ever.

Kevin McAleavey, cofounder and chief architect of the KNOS Project outside Albany, New York, who has spent more than a decade in antimalware product development and research, says this is a logical progression. "Today's 'professionals' were once amateurs, and by that I mean the authors of the malware itself," he says. "It should come as no surprise that what may have once been done 'for fun' can readily be monetized by criminal and government elements for their own purposes."

The modern malware developer and distributor, he says, is selling not just the malware itself, but "the means to keep it hidden and from being detected."

But, if these merchants of malware are operating like businesses, can't authorities just track them down and shut them down?

Not so easily, it turns out. Most use the so-called "Onion Router," which lets users conduct business anonymously.

"The only time one has a chance to track down individuals is when they rat each other out," says McAleavey.

It is not only the Onion Router, but the fact that they operate in countries where they are hard to reach -- Latvia, Lithuania, Ukraine, Brazil and others -- where McAleavey says enforcement is lax. "Generally, these 'kids' are smart and don't leave much in the way of tracking data," McAleavey says. "They know how to layer proxies to cause the trail to go cold. Some people working for antivirus companies have successfully managed to audit the trails only to find the perps pull up stakes and move elsewhere by the time the authorities actually show up."