A WIRY YOUNG man with his head shaved and wearing a tank top points a handgun straight at the camera in a disturb¬ing YouTube video. The man wears what appears to be a wed¬ding ring, and he gazes vacant¬ly away from the viewer.
Though it's an odd image for an advertisement, this video isn't promoting your average company.

It's from a not-so¬underground Albanian hacker group that's out to make a name for itself in the thriving world of malware and comput¬er crime, says Don Jackson, a senior researcher with managed security services provider Se¬cureWorks. Besides the shot of the gunman, the video show¬cases images of a computer screen, a table loaded with for¬eign currency, and plenty of links to the group's Web site.

Malware is big business, and groups like the Albanian hack¬ers are trying to cash in, using the latest Web 2.0 tools: social networking profiles, blogs, and other publicly available media and Web-site pages. The digital desperados are, paradoxically, moving more and more into wide-scale advertising and brand building on public sites and networks in order to grow their underground trade.

But wait a minute-how can people get away with selling programs for breaking into your PC or stealing your identity? Simple: Selling malware is not directly illegal in the United States (or nearly anywhere else). Only using it is illegal.

As the malware underground expands, "it's moving away from technology towards business," says Zulfikar Ramzan, senior principal researcher with Symantec Security Response.

While virus vendors are still quick to jump on the latest security vulnerability or technical trick, "the real innovations are more business and marketing," he explains.
On the face of it, public ads appear to violate the number¬one rule of any illegal activity:

Don't make yourself known. And it's true, says Ramzan, that "the more sophisticated guys are more quiet." But since the purveyors of Trojan horses and other malicious apps have no real fear of legal repercussions, they have no compelling reason to be shy.

Another video ad, this one from a Turkish group, hypes a program used to break into PCs. The group's name and logo (a stylized alien face with the Turkish crescent-and-star emblem on its forehead) play front-and-center in the pro¬gram's graphical interface, and the video's narrator walks the viewer through a 5-minute¬plus tutorial on using the pro¬gram. More than 17,000 peo¬ple have watched it.

YouTube is a popular venue for ads from mal ware makers, with videos for supposedly undetectable Trojan horses, "pack¬ers" that obfuscate malware payloads, and even password stealers for breaking into Steam online game accounts. (Asked about the trend, a spokesperson said that YouTube doesn't control site content but that it will investigate if viewers report videos as inappropriate.)

Advertisements from Internet bad guys don't stop with YouTube. According to Jackson, many online thugs maintain profiles on hot social networking sites and blogs such as LiveJournal.com to keep in touch with their business partners and customers.

The sites, which often don't have direct references to nefarious malware, provide a harder-to-track way of staying in contact than using one particular underground site. To buy malware, for instance, a crook could look up a known seller's ICQ handle or other contact info on a posted profile.

The pages offer "the capability of hid¬ing in plain sight," says Tom Bowers, senior security evangelist with antivirus¬software maker Kaspersky Lab. But thankfully, they're not entirely hidden. Bowers says he works with law enforce¬ment professionals who try to track the

THIS YOUTUBE VIDEO advertises a group of Albanian hackers for hire.
criminals through social networks. All these public ads and profiles can help law enforcement glean useful data for investigations. But they're unlikely to lead directly to prosecutions.

Using malware is clearly illegal, and a Department of Justice spokesperson says it could charge a virus vendor with aid¬ing and abetting, or conspiracy to com¬mit a crime, if it busted someone who used that purchased mal ware to infect a pc. But the Justice Department would have to prove the seller intended for the code to be used in criminal deal¬ings, instead of, say, security research. The spokesperson says she couldn't find any instances of prosecutions of this type in her initial search of cases. And that's just in the United States. In many parts of the world, bringing known phis hers and malware lawbreak¬ers to justice isn't exactly a priority.