Friday, March 21, 2008

if not mortgages then maybe car payments or psp's

one of the things that has interested me in the past but has generally seen little or no attention by the mainstream is the social dimension of malware... ultimately malware comes from people, and contrary to the traditional stereotype the people involved have generally not been anti-social - anything but in fact...

one of the few concepts from this domain to catch mainstream attention (too much so, in fact, like a song that gets played on the radio too often) is the idea that malware has become financially motivated, or more simply that malware creators are now interested in money rather than fame...

this is a description that gene hodges fleshes out a bit, going so far as to suggest that the malware writers have grown up and are paying their mortgages using monies gained from malware related activities...

allysa myers looks at recent arrests and sees something that doesn't fit in with this model, however... many of the arrests are still kids - paying a mortgage doesn't seem like the sort of thing kids would be doing...

to my mind, they're both right and they're both wrong... we like to model the world because it helps us put things in perspective and make sense of things, but models often lack sufficient complexity to accurately represent reality... the malware writer population is more complex than either is giving credit...

when financially motivated cybercrime crossed the chasm in the computer underground, it did not completely supplant existing motivations (indeed, monetary rewards do not replace the need for social rewards - you can buy status symbols but you can't buy acceptance or camaraderie), rather it broadened the spectrum of rewards that one could acquire through nefarious online means and in so doing it has allowed the population to expand and diversify... so now there are amateur kids and professionals and everything in between...

proper viruses aren't really in vogue anymore, of course, so the role models that newbies learn from and emulate are no longer a clique of experienced virus writers like you'd have found in the vx - the newbies are going to be learning the tricks of the trade from (or in some cases be made into patsies by) the more advanced cyber criminals who will quite possibly be paying their mortgages with their ill-gotten gains or (perhaps more likely if they're advanced enough to have developed 'assets' to do their bidding for them) they may never have to worry about mortgages again...

the kids are the most likely to be arrested because they're the least risk-averse and least experienced in criminal enterprise and therefore represent the low-hanging fruit to law enforcement... they brag, they make splashy purchases that attract attention, they fail to adequately hide money that kids have no business having... those that are lucky enough not to get caught will probably eventually turn pro... now that one can make a living at it, malware writing is no longer something that people will largely be growing out of... the more complete it's set of rewards becomes, the less those involved in it will need to go outside of it in order to get the rewards they need...

0 comments: