05:36 PM
Connect Directly

Building Botnets For Fun And Profit

Creating a botnet business can be lucrative -- and isn't as hard as you might think, Black Hat speaker says

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- If you're thinking about a life of cybercrime, then building a botnet might be the best place to start, a security researcher said here last week.

Click here for more of Dark Reading's Black Hat articles.

Gunter Ollmann, vice president of research at Damballa, gave a talk on the business of building botnets, aptly titled, "Becoming The Six Million-Dollar Man." The presentation was a step-by-step description of the technical and business processes required to become a botnet operator.

"Building botnets is not as scary or difficult as you might think," Ollmann said. "You don't need to be a hard-core criminal. There are tools, guides, vendors, and sponsors readily available. It's a business just like any other -- just don't get caught."

Like any business, botnet operations usually start with a business plan, Ollmann said. Many operators begin by targeting a specific group of victims or data sets they think will be valuable, and have some idea of the costs and revenues they can expect. "If it's done right, there's a good potential of earning as much as $6 million within a year," he said.

Most criminals start off with an off-the-shelf botnet kit, such as Zeus or Butterfly, and begin seeding open environments, such as Bit Torrents and newsgroups. They use Dynamic DNS for command and control, and multiple command-and-control servers, making themselves harder to track.

"The first botnet is usually a proof-of-concept, rather than a production network," Ollmann said. "You're validating principles and doing testing." Once the operator has established the initial botnet, he can begin to build a reputation and trust, which will make it easier to build and sell services on future botnets, he said.

But most botnet operators are eventually caught because of mistakes they make in these early phases, Ollmann said. "They almost always make mistakes while they're learning," he said. "They use an alias that they've used before, or they use a credit card that can be traced back to them. The Mariposa operators were caught because one of them dialed in from his home IP address. Mistakes at the beginning can be fatal."

Many successful botnet operators actually operate more than one botnet, Ollmann said. "There's a common myth that there's one botnet per botmaster," he said. "But smart operators don't want to lose everything on one go, so they've got more than one going."

Smart operators also vary their campaigns -- they may target different groups of victims, build around different themes, or carry out different attacks, Ollmann said. Some botnets might be used to deliver malware, while others are simple spam delivery services.

"They may conduct a series of overlapping build campaigns," Ollmann said. "With a target of 25,000 victims a week, they may bring in $1,000 to $5,000 a week."

Ollmann's company, Damballa, detects around 30 to 100 new botnet operators every week. "There's no barrier to entry," he said. And although industry researchers often focus on the largest botnets, the most successful operators are those who keep their networks small, so as not to attract too much attention.

"The noisier they are, the more likely they are to be detected," Ollmann said. "That's not what the criminal wants." In fact, small botnets that target specific companies or specific groups of users -- such as wealthy executives -- may sometimes be more lucrative than much larger botnets."

Botnet operators are becoming an important part of the cybercrime infrastructure, and there is a growing demand for their services which makes it an attractive entry point for new players, Ollmann said.

"You don't need a lot of technical knowledge, and you don't need to be a hardened criminal," Ollmann said. "You can get started with kits and services that are readily available on the Internet. It's not hard to get started."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.