A new German study has been published [pdf] detailing hundreds of data dumps with personal and sensitive information up for sale.
The researchers used “honeynets,” distributed networks of dummy computers that are set up to be hacked, so that they could gather intelligence about the attack patterns and methods used by cyber criminals. The decoy systems were purposefully infected with data-stealing Trojans from two different families of keystroke-logging programs known as Zeus (also known as “Zbot” and “Wsnpoem”) and “Nethell” (a.k.a. “Limbo”).
These two malware families are the product of so-called “exploit kits” that are sold in underground markets for a few hundred to a few thousand dollars apiece. The kits include soup-to-nuts scripts for setting up Web sites used to foist password-stealing malware on visitors, as well as programs that help the buyer set up back-end systems for receiving the stolen data, variously known as “blind drops,” “drop sites,” “dead drops” and “drop zones” (a screen shot of a drop site created by Nethell is pictured to the left).
The German research team found at least 300 such drop sites created by Zeus and Nethell keylog kits, and were able to access 70 of them using either security vulnerabilities in the software kits themselves or because the criminals operating the drop sites had failed to properly secure them.
Their findings, which drew from stolen data harvested from these drop zones between April and October 2008, were staggering: 33 gigabytes worth of purloined data from more than 170,000 victims. Included in those troves were more than 10,700 online bank account credentials, 149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 sets of eBay credentials.
“We found that criminals can easily make a few hundred to a few thousand bucks a day from selling this stuff,” said Thorsten Holz, a Ph.D. student at the Laboratory for Dependable Distributed Systems at the University of Mannheim, Germany, and a founder of the German Honeynet Project. “We weren’t able to access 230 of the drop sites we found, so the real number of victims and stolen credentials is probably many times what we were able to see.”
And there are dozens of other exploit kits in circulation today, with names like Silent Banker, Bancos, and Neosploit.
Interestingly, the researchers saw their access to the drop sites diminish over the seven-month monitoring period. In some cases, the criminals apparently got wise that someone was accessing their databases; in other cases, the curators of these exploit kits actually shipped updates that fixed the vulnerabilities the researchers had been using to peek inside the databases.
“The new versions for the Web exploit kits fix vulnerabilities in the exploit code,” Holz said. “The [exploit kit makers] must have noticed there were some weaknesses in their code, and issued updates to fix them.”