These third-party rootkits could be used by an employee who is about to leave an organization or someone who thinks they will be fired and would love to keep control within a network, Thompson told me. "Some of this is illegal, some isn't, depending upon what country you live in," he added. "Many of the auction sites that trade in zero-day vulnerabilities benefit from unclear and inconsistent laws." If there's no law against renting out botnets in Russia, then it's difficult for the U.S. to prosecute an attack launched from within the country, or even to collaborate with international law enforcement. "The legal community is still trying to catch up with the implications of the cyber universe," he said.
It's incredibly difficult for law enforcement to gather evidence against someone selling hacks or botnets, unless they slip up somehow. "If they are doing it from their house, they are traceable; but what about if they're doing business from kiosks or libraries?" Thompson asks.
When I asked Thompson how a site trying so hard to protect its identity (the person running the site refers to himself only as Holy_father) could collect for its services, he told me that the answer is E-gold. Excuse me? He told me about one West Indies company, E-gold Ltd., that doesn't possess any national currency of any nation and has no bank accounts. "They don't trade in any sovereign currency, so they avoid the scrutiny of the Secret Service," Thompson says.
Like most tech pros who make a living selling security to defend against attacks, Thompson couldn't give me a good explanation of why someone would trade in malicious code, other than to make money. Of course, if you're that skilled a programmer, there are lots of ways to make money. I decided to bless myself and E-mail Holy-father.
To my surprise, he actually got back to me within a few hours. Holy-father's command of the English language confirms for me that he's not based in the U.S., but he has little difficulty articulating his desire to push the antivirus community to do a better job of designing its software. HF claims that it's because of his work -- he launched the site in 2002 -- that so many people even know what a rootkit is. Of course, he had a lot of help from Sony.
HF's contention is that antivirus companies benefit from keeping their customers just one step ahead of the next big malware attack. This keeps their customers coming back for more and renewing their subscriptions to antivirus database services. If the antivirus companies were to create "something incredible, [a] great AI engine that would beat all other companies on the market and take 95% of the market," they would run the risk of having that program reverse-engineered by the competition and quickly lose their advantage, HF wrote me. In other words, why bother to invest the time and money creating a revolutionary anti-malware engine when companies are willing to pay to upgrade regularly? Sounds to me like he's accusing the software market of complacency. I suppose he wouldn't be the first.
Not surprisingly, antivirus companies take umbrage with HF's assertions. The Hacker Defender site certainly makes it easier for a person without a high level of programming skills to get his hands on a sophisticated rootkit, says Ed English, Trend Micro's chief anti-spyware technologist. But, since Hacker Defender's code and intentions are out in the open, it gives companies like Trend Micro the ability to track this activity. "Publishing these rootkits publicly is one way to do this, but they also can directly contact a vendor," if they have a criticism of that vendor's software. English says. Hackers who claim to be trying to help improve IT security by threatening it tend to display such passive-aggressive tendencies.
The chess match between the white hats and black hats will continue for the foreseeable future. Either way, IT pros can't pretend these threats don't exist. "The first time a CIO goes to a site such as Hacker Defender, it's a big wake-up call," Thompson told me. "But if you're not aware that these groups exist, it's hard to defend against them." Company executives are realizing that even if a disgruntled former employee doesn't have the skill to attack their IT systems, they can outsource.