Endpoint
8/20/2009
04:13 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Botmaster: It's All About Infecting, Selling Big Batches of Bots

Undercover Cisco researcher told the going rate for a single bot is 10- to 25 cents

Researchers at Cisco recently got a rare glimpse of the inner workings of the botnet underworld after going undercover and meeting an actual botmaster online: the botmaster, who ran a botnet that had infected dozens of machines at a Cisco customer site, said his main job is to compromise a few thousand machines and then sell them off in bulk.

He told a Cisco researcher posing as a fellow botmaster that the market rate for a bot is between 10 cents to 25 cents per machine, and that he recently made $800 off of a sale of 10,000 bots.

But that rate is likely a moving target, says Joe Dallatore, senior manager in Cisco's security research and operations group. "At this point we have a snapshot [in time]" of the botnet market rate, Dallatore says. "There is an economy for these things, and it changes over time this is a form of commerce, with supply and demand."

And the botmaster isn't out to perform identity theft -- just bot-brokering. "He was not in the business of using information [on the bots]. Just in creating bots and selling them to someone else," Dallatore says.

Cisco decided to go undercover and learn more about the botnet market after cleaning up infected machines at their customer's site. "This gave us an opportunity to learn what motivated" the botmaster, Dallatore says.

Posing as a botmaster -- and later a security reporter -- a Cisco researcher engaged in an IRC chat conversation with the botmaster, and later, several MSN chat sessions over a period of months.

The botmaster told the undercover researcher that he didn't focus on exploiting vulnerabilities when going after prospective bots. Instead, he mostly used social engineering via instant messages. He can spam 10,000 users with a lure like a "check this out"-type link and get a one percent or better response rate, he said.

He also said he knew someone who made $5,000 to $10,000 per week through phishing attacks.

The botmaster also shed light on the dog-eat-dog world of cybercrime. He said he once used a stolen account and impersonated a law enforcement official in order to chase another botmaster away from his 6,000 node botnet. And there are different levels of expertise in the bot world, too: only 20 percent of botmasters actually understand the bot code they get via online forums, and about three- to five percent write their own botnet code, he said.

He also pointed the undercover researcher to a massive botnet forum that included discussions, source code, botnet supplies such as file hosting accounts, packers, password lists, and password stealers.

"Anyone with basic computer experience is able to run a botnet. It is not necessary to understand the code, nor is there a need to understand networking," according to a report by Cisco on the botmaster conversations.

Although the researchers learned via some outside research that the botmaster they were communicating with was a prolific author of IRC-based botnet software and was well-known among the underground, his botnet had a hole. Cisco was able to block his bot update servers because they had been left unprotected. He didn't bother encrypting botnet traffic, either.

Cisco's Dallatore says his researchers' revealing communications with the botmaster should serve as a warning to enterprises that their computing resources are valuable to the bad guys. "It's important for enterprises to do what they can to prevent becoming an inadvertent engine in someone else's commerce," he says. "And they may be traced back as a source of an attack."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.