Criminal hackers sell, service malicious software

BEIJING, Sept. 17 (Xinhuanet) -- Security software maker Symantec Corp. says sophisticated Internet criminals are quickly enlarging an already vast sales and distribution network to send malicious software and propagate spam in hopes of infecting millions of computers worldwide.

In a report released Monday, Symantec Corp. says online thieves sell code to criminal middlemen for as much as 1,000 U.S. dollars per program. The middlemen then push the code to consumers, who may be duped into participating in a scam, or who may have their passwords, financial data and other personal data stolen and used by identity theft rings.

The most experienced hackers hook middlemen on long-term service contracts so they can automatically push the newest exploits on unwitting consumers and compensate for patches developed by legitimate programmers.

"These people are taking a huge risk, and either they're stupid — which we don't believe is the case — or they're making big money," said Alfred Huger, vice president of Symantec Security Response.

The agreements — similar to contracts between software powerhouses such as Oracle Corp. or Microsoft Corp. and their corporate clients — leave a trail of code that are supposed to make it easier for authorities to catch both the hacker and the person who's purchasing the program.

But researchers who worked on Symantec's newest Internet Security Threat Report said the amount of money to be made from computer attacks still outweighs the danger.

Symantec's new report covers the first six months of 2007 and draws on attack data gathered from more than 120 million computers running Symantec antivirus software and more than 2 million decoy e-mail accounts designed to attract spam and other dubious messages from around the world.