Endpoint
8/20/2009
04:13 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Botmaster: It's All About Infecting, Selling Big Batches of Bots

Undercover Cisco researcher told the going rate for a single bot is 10- to 25 cents

Researchers at Cisco recently got a rare glimpse of the inner workings of the botnet underworld after going undercover and meeting an actual botmaster online: the botmaster, who ran a botnet that had infected dozens of machines at a Cisco customer site, said his main job is to compromise a few thousand machines and then sell them off in bulk.

He told a Cisco researcher posing as a fellow botmaster that the market rate for a bot is between 10 cents to 25 cents per machine, and that he recently made $800 off of a sale of 10,000 bots.

But that rate is likely a moving target, says Joe Dallatore, senior manager in Cisco's security research and operations group. "At this point we have a snapshot [in time]" of the botnet market rate, Dallatore says. "There is an economy for these things, and it changes over time this is a form of commerce, with supply and demand."

And the botmaster isn't out to perform identity theft -- just bot-brokering. "He was not in the business of using information [on the bots]. Just in creating bots and selling them to someone else," Dallatore says.

Cisco decided to go undercover and learn more about the botnet market after cleaning up infected machines at their customer's site. "This gave us an opportunity to learn what motivated" the botmaster, Dallatore says.

Posing as a botmaster -- and later a security reporter -- a Cisco researcher engaged in an IRC chat conversation with the botmaster, and later, several MSN chat sessions over a period of months.

The botmaster told the undercover researcher that he didn't focus on exploiting vulnerabilities when going after prospective bots. Instead, he mostly used social engineering via instant messages. He can spam 10,000 users with a lure like a "check this out"-type link and get a one percent or better response rate, he said.

He also said he knew someone who made $5,000 to $10,000 per week through phishing attacks.

The botmaster also shed light on the dog-eat-dog world of cybercrime. He said he once used a stolen account and impersonated a law enforcement official in order to chase another botmaster away from his 6,000 node botnet. And there are different levels of expertise in the bot world, too: only 20 percent of botmasters actually understand the bot code they get via online forums, and about three- to five percent write their own botnet code, he said.

He also pointed the undercover researcher to a massive botnet forum that included discussions, source code, botnet supplies such as file hosting accounts, packers, password lists, and password stealers.

"Anyone with basic computer experience is able to run a botnet. It is not necessary to understand the code, nor is there a need to understand networking," according to a report by Cisco on the botmaster conversations.

Although the researchers learned via some outside research that the botmaster they were communicating with was a prolific author of IRC-based botnet software and was well-known among the underground, his botnet had a hole. Cisco was able to block his bot update servers because they had been left unprotected. He didn't bother encrypting botnet traffic, either.

Cisco's Dallatore says his researchers' revealing communications with the botmaster should serve as a warning to enterprises that their computing resources are valuable to the bad guys. "It's important for enterprises to do what they can to prevent becoming an inadvertent engine in someone else's commerce," he says. "And they may be traced back as a source of an attack."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web