IDG Answers is a community of experts who are passionate about technology. Ask a question or answer one below.
It is a huge business, as the recent ChangeDNS botnet that infect four million computers reminded us. I can understand the development and distribution from a purely logical standpoint (putting aside any considerations of morality) - someone can use their expertise, develop a product for a market that has ready buyers, receive a sort of recognition for the quality of their malware, and most importantly from their standpoint create income from their work. Much malware is developed in the east in countries that were part of the Soviet Union, where there are well educated people with limited opportunity to turn their expertise into income that matches that which they would expect if they were MS/Apple/Google/etc. employees with the same skill-set.
From a distribution standpoint, the majority of sales of "commercial" malware and bots takes place in underground forums on the dark web, with payments using established services such as Yandex. Ironically, to succeed as a vendor and compete in the marketplace, individuals selling malware have to demonstrate a level of trustworthiness, good customer service and competitive pricing. Since the vast majority of the host servers are not located in the US, it can be extremely difficult for officials in the nations where the malware is deployed to take effective legal action against the creators and users, even when they are identified. It can be a low risk, high return business, so it does not surprise me that it exists and flourishes. Now if you excuse me, I have to go update my anti-malware software!