Even the hackers are nervous


The people who know best say it's not safe out there on the Internet.

In a series of talks at the Chaos Communication Camp here in Germany today, researchers and virus experts outlined the recent growth in the numbers of viruses and Trojans (up 34 percent since the same time last year), the evolving sophistication of attacks, and – perhaps most strikingly – the increasing professionalism of the malware business.

There's big money to be made by breaking into other computers these days, and digital mafias have long since stepped into the gap, replacing slipshod and amateur work with professional-grade coding. According to McAfee Avert Labs researcher Toralv Dirro, harvested credit card numbers are sold in batches of a thousand, for between $1 and $6 per U.S. card, or twice that for a British card.

Citing figures from rival antivirus firm Symantec, he said a verified PayPal account can now go for as much as $500. An online bank account with a $9,900 balance is a relative bargain at $300, while a World of Warcraft account paid up for a month is worth $10. Malware writers are gamers too.

Spyware companies like Rat Systems offer to sell out-of-the-box Trojan systems. A powerful $1000 package called MPack, developed by Russian hackers, comes with all the latest malware tools, is updated periodically with new modules containing new exploits, and is guaranteed by its distributors to be undetectable by the most current antivirus programs at the time of sale, Dirro said.

Then there's the services business, using the thousands of computers compromised and taken over by Trojans to send spam, or new viruses.

Dirro said that a few new technical trends have emerged in recent months. Botnets are increasingly controlled from private IRC servers rather than public ones, often located on a compromised computer, or even on an openly rented computer. A handful of Russian ISPs rent computers while turning a blind eye to this process, he said.

Increasingly, botnets are controlled using peer-to-peer networks such as eDonkey to communicate and update themselves. He showed a screenshot of a simple forms-based botnet control panel to which McAfee had gained access, illustrating that these systems are now as easy to use as much of the commercial software they are built to subvert.

But everything will be fine as long as antivirus software is in place, right?

Wrong, said researcher Sergio Alvarez. He demonstrated a debugging program that immediately found bugs in several different varieties of antivirus software, and said the same kind of problems were common throughout the industry.

Most antivirus firms rush products out on tight deadlines, without the rigorous testing that such critical software ought to get, he argued. That leaves virtually all security software open to attacks that exploit those bugs, and presents system administrators with a painful paradox: the scanner that inspects every untrusted file is itself a parser running with high privilege.

"The more you try to defend yourself, the more you're vulnerable to this kind of attack," Alvarez said.
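The article does not describe Alvarez's tool beyond calling it "a debugging program", so the following is an added illustration, not his code or McAfee's, of how parser bugs of the kind he describes are found automatically. It defines a constructed toy container format (hypothetical "TV" records, not any real antivirus or archive format), a parser that trusts the length fields in the file, a hardened parser that checks them, and a small mutation fuzzer that reports every crash that is not a clean rejection:

```python
import random

# Constructed toy format for this example: b"TV", a one-byte record count,
# then records of (one-byte length, payload). Not a real file format.
MAGIC = b"TV"
SEED = b"TV\x02\x03abc\x02de"   # constructed valid input: two records, "abc" and "de"


def parse_vulnerable(data):
    """Trusts count and length fields: malformed input raises IndexError
    instead of a clean ValueError (the bug the fuzzer is meant to find)."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    count = data[2]                 # IndexError if the file is only two bytes
    pos = 3
    records = []
    for _ in range(count):
        length = data[pos]          # IndexError when count overstates the records
        pos += 1
        rec = bytearray()
        for i in range(length):
            rec.append(data[pos + i])   # IndexError when length runs past the file
        pos += length
        records.append(bytes(rec))
    return records


def parse_hardened(data):
    """Same format, but every offset is checked before it is used, so all
    malformed input is rejected with ValueError."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad header")
    count = data[2]
    pos = 3
    records = []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated record header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("record length exceeds file")
        records.append(bytes(data[pos:pos + length]))
        pos += length
    return records


def mutate(rng, seed):
    """Apply one random byte-level mutation: overwrite, delete, or insert."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:
        del data[rng.randrange(len(data))]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1):
    """Run mutated inputs through parser; a ValueError is a clean rejection,
    any other exception is recorded as a crash (exception name, input)."""
    rng = random.Random(rng_seed)   # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((type(exc).__name__, case))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_vulnerable)
    print(f"vulnerable parser: {len(found)} crashes, first: {found[0] if found else None}")
    print(f"hardened parser:   {len(fuzz(parse_hardened))} crashes")
```

The point of the two parsers side by side is the one Alvarez makes: the crash does not come from an exotic input, a single flipped byte in a length field is enough, and the fix is nothing more than bounds checks that a deadline-driven release skipped. A real antivirus engine parses dozens of such formats in native code, where the same missing check is a memory-corruption bug rather than a Python exception.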

Most of this will come as old news to people who read Threat Level on a regular basis. But the fact that the hackers themselves are nervous raises my own anxiety level a few notches.

Indeed, even while filing this piece, my antivirus software has notified me of a buffer overflow attack on my computer, something I'd never seen before yesterday. More pop up every time I go online here, following a brush with a Deep Throat Trojan shortly after getting on the network here yesterday.

This might be the cost of covering a hacker's camp. But I suppose I can live with it. I'll just have to wash my hard drive with bleach when I get home.