Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week David Emm, senior technology consultant at Kaspersky Lab UK, warns of the increasing threat from virus writers seeking to make money from their creations.
In the 'good old days' most viruses fell into the category of cyber-vandalism, written by inexperienced programmers as a form of anti-social self-expression. Much of the code they produced was of poor quality, although there were, of course, notable exceptions.
Things have changed, sadly for the worse. The connectivity offered by the internet has provided fertile ground for would-be virus authors, allowing them to share ideas and code with more experienced virus writers. At the same time, the web has become the life-blood of commerce, with growing numbers of enterprises reliant on it for doing business.
As these two developments converge, the last year has seen the computer underground realise the potential for making money from its virus creations in a wired world.
Many of today's most successful threats are a composite 'bundle' of malicious code, and increasingly this bundle includes a Trojan. Successive variants of Bagle, Netsky and MyDoom, for example, have installed Trojans on infected machines. The aim is to gain total control over the victim's computer so that it can be used for malicious activities.
Victim machines are frequently combined into networks, often using IRC channels or websites where the author has placed additional functionality. The more complex Trojans, like many of the Agobot variants, combine infected machines into a single P2P network. Such 'bot' networks offer an effective way of controlling machines: to collect personal data (passwords, PINs etc), to distribute spam, or to launch distributed denial of service attacks.
There has been a significant increase in the numbers of backdoor Trojans during the past year, designed to steal confidential financial data. Dozens of new variants appear every week, often different in form and function. Some are simple keystroke loggers that use email to send the captured information to the author or controller of the Trojan. The more elaborate provide complete control over victim machines, sending whole data streams to remote servers and receiving further commands from these servers.
In addition, a clear link has emerged between malicious code and spam distribution. The appearance of the Mitglieder Trojan early in 2004 established the Trojan Proxy as a separate category of malware closely related to spam distribution.
Mitglieder used one of two Internet Explorer vulnerabilities to install and launch a proxy server on victim machines, without the users' knowledge. The Trojan then opened a port, allowing it to send and receive email and turn the machines into an army of spam-spewing zombies.
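One detection heuristic that follows from this behaviour, written here as an added example and not taken from the article or from Kaspersky Lab: a workstation that has never acted as a mail server and suddenly opens SMTP connections to many distinct external hosts has the footprint of a Trojan proxy relaying spam. The flow records, the relay allow-list and the threshold below are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): "time src dst dport".
# 10.0.0.23 is a workstation fanning out to many SMTP servers; 10.0.0.5 is the
# site's legitimate mail relay; 10.0.0.40 sends one normal message.
SAMPLE_FLOWS = """\
08:00:01 10.0.0.23 198.51.100.10 25
08:00:02 10.0.0.23 198.51.100.11 25
08:00:02 10.0.0.23 203.0.113.5 25
08:00:03 10.0.0.23 203.0.113.6 25
08:00:03 10.0.0.23 203.0.113.7 25
08:00:04 10.0.0.23 198.51.100.12 25
08:00:04 10.0.0.23 198.51.100.12 25
08:00:05 10.0.0.40 198.51.100.10 25
08:00:05 10.0.0.40 203.0.113.80 443
08:00:06 10.0.0.5 198.51.100.20 25
08:00:06 10.0.0.5 198.51.100.21 25
08:00:07 10.0.0.5 203.0.113.22 25
08:00:07 10.0.0.5 203.0.113.23 25
08:00:08 10.0.0.5 203.0.113.24 25
"""

# Hypothetical allow-list: hosts that are supposed to speak SMTP outbound.
KNOWN_MAIL_RELAYS = {"10.0.0.5"}

def parse_flows(text):
    """Turn the whitespace-separated records into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows

def smtp_destinations(flows):
    """Map each non-relay source host to the set of distinct SMTP (port 25) peers."""
    dests = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 25 and src not in KNOWN_MAIL_RELAYS:
            dests[src].add(dst)
    return dests

def find_spam_zombies(flows, threshold=5):
    """Return {src: distinct SMTP peers} for hosts at or above the fan-out threshold."""
    return {src: len(d) for src, d in smtp_destinations(flows).items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, n in find_spam_zombies(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {n} distinct SMTP destinations, review for a Trojan proxy")
```

Counting distinct destinations rather than raw connections keeps a host that retries one legitimate server from tripping the alert, while a proxy relaying spam to many recipient domains stands out quickly.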
Droppers, another category of Trojan, are designed specifically to install other malicious programs on a machine. Like a form of malware archive, they may carry several completely unrelated pieces of malware, different in behaviour and even written by different coders.
Droppers are often used to carry known Trojans, since it is significantly easier to write a dropper than to create a brand new Trojan. Most droppers are written in Visual Basic or JavaScript, so they're easy to write and perform multiple tasks.
Downloaders offer a variation on the same theme. As the name suggests, their purpose is to pull down malicious code from a remote site. This may be a new piece of malware or successive versions of an existing Trojan, extending the usefulness of the victim machine for the author or controller.
Like droppers, downloaders are usually written in script languages such as Visual Basic or JavaScript, but they also often exploit IE vulnerabilities to download the chosen malicious code.
And it's not just Trojan code that gets installed. Droppers and downloaders are also used to install other unwanted, non-viral programs without the user's knowledge or consent. This includes adware programs that show advertisements independently of user activity, or diallers that connect to pornographic pay-to-view sites automatically.
However, Trojans are not just used to steal personal data or capture network passwords. They are also used to carry out DDoS attacks like those carried out in 2004 by MyDoom, Wallon, Plexus and Zafi.
Once the number of machines infected reaches critical mass, the installed Trojans can be instructed to flood a particular website with traffic. There have been a number of reported cases of DDoS linked to extortion, where a small-scale DDoS attack is used to demonstrate a wider capability: 'Pay up or we'll take down your site with a full DDoS attack'.
The use of Trojan programs to steal passwords, to access confidential data, to launch DDoS attacks and to distribute spam email highlights a key change in the nature of the threat landscape: its increasing commercialisation.
And it's clear that this trend will continue as long as it proves successful for the writers of malicious code and those who pay them to create code that can be used to make money illegally.