Security researchers have uncovered e-commerce sites that sell malicious software to criminals. The sites have shopping carts, deliver analytics, and generally behave like an Amazone for malware.

In return for downloading the malware to their sites, Web site owners are promised at least 50 Euros -- about US$66 -- every Monday, with the potential for even more for "clean installs" of the malicious code on end user systems. "If your traffic is good, we will change rates for you and make payout with new rates," the site promises...

The front end allowed subscribers to login to individual accounts, view indexed data and get results from queries based on certain fields such as IP addresses and URLs. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said. A customer query returning three passwords for a small retailer might cost 100 WMZ, while a query for 10 passwords for an international bank might fetch 2,500 WMZ or more. Customers could also choose how they wanted their search results delivered -- as compressed files in e-mails or via FTP.

The actual Gozi Trojan code itself appears to have been purchased by 76Service from a Russian hacking group called the HangUp Team. Such code typically costs about $1,000 to $2,000, depending on its sophistication, Jackson said. In addition to the original Trojan, the server also hosted two ready-to-deploy variants in a separate staging area. The malicious code included a downloader and a stored password stealer and appeared to be have been made to order for 76Service.

Link (via The Command Line)