The recent breakup of the largest-ever botnet scam by US and Estonian authorities may provide only a hint of how bad botnets may soon become. While the ChangeDNS botnet infected more than 4 million computers, it was under the control of a single ring of criminals. But because of the commoditization of botnet tools and other computer security exploits, the next wave of major botnet attacks could be driven by people who simply buy their malware from the equivalent of an app store—or who rent it as a service.

The malware market has matured in a way that mirrors the larger software industry, even to the point of offering "malware as a service," Rick Howard, General Manager of Verisign's iDefense unit, told Ars. According to Howard, "We're pretty close to a malware app store now."

Services don't just give malware writers a way to profit from selling their code to less technical customers. The "MaaS" route also keeps code concealed, protecting their intellectual property from being ripped off. In some cases, malware authors beef up the traditional malware kits they sell by bundling them with an Internet-based service that can provide additional exploits on demand.

The botnet market is nothing new—it's been evolving for years. But what is new is the business model of botnet developers, which has matured to the point where it begins to resemble other, legitimate software markets. One example of this change is a Facebook and Twitter CAPTCHA bypass bot called JET, which is openly for sale online. The purchase of the bot includes "lifetime FREE updates" and comes with a per-user licensing scheme. (Just how malware writers enforce licensing is another matter entirely.) Additionally, writers of JavaScript-based malware for targeted bank fraud hacks have started obfuscating their code to prevent it from being reverse-engineered by their customers, and to guarantee repeat business.

The "Linux of malware"

But malware market maturity also means commoditization. One example is the market that has developed around the Zeus botnet kit. First seen in 2007, bots based on Zeus's tools infected more than 3.6 million computers in the US alone, according to researchers at the University of Alabama at Birmingham. A study by RSA last year found that almost all Fortune 500 companies showed evidence of some form of Zeus botnet infection.

While not a botnet in itself, Zeus provides do-it-yourself cybercriminals with the platform to configure, package, and manage botnets, and then to dynamically reconfigure them once they've been deployed. While it doesn't include a virus-like installer—Zeus is designed for targeted attacks—it is so versatile that it has become a favorite choice for malware developers. They use it to develop distributed attack packages, ranging from key logging to sophisticated Web session hijacking attacks called "Web injects"—including the financial fraud "Web injects" discovered for sale online by researchers from Trusteer.

This strategy has made the Zeus developers a lot of money. Until recently, it has been sold as a commercial product; versions went for as much as $700. But in May, the source code for Zeus was "leaked" and published in several hacker forums. It's not clear whether it was leaked unintentionally, or perhaps as a way to expand the market for the more lucrative "tailored exploit" packages and services being developed on the platform.

But the publishing of the Zeus source code promises to make things a lot more interesting. Previously, Howard said, the malware business "was a very controlled market. Now anybody can take that and turn it into a business." While no one has published the source tree to a repository like Github, Howard said, "It's just a matter of time before some enterprising black hat does."

Taking the code public could make tools like Zeus the Linux of malware. It will have potentially large numbers of custom distributions tailored to different types of activity and enhanced with exploits from other developers' kits. That promises to create an even bigger problem for antivirus companies, who already lag behind the threat. With an explosion of Zeus variants, it will be difficult for antivirus vendors to keep up with malware developers.