Endpoint
8/20/2009
04:13 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Botmaster: It's All About Infecting, Selling Big Batches of Bots

Undercover Cisco researcher told the going rate for a single bot is 10- to 25 cents

Researchers at Cisco recently got a rare glimpse of the inner workings of the botnet underworld after going undercover and meeting an actual botmaster online: the botmaster, who ran a botnet that had infected dozens of machines at a Cisco customer site, said his main job is to compromise a few thousand machines and then sell them off in bulk.

He told a Cisco researcher posing as a fellow botmaster that the market rate for a bot is between 10 cents to 25 cents per machine, and that he recently made $800 off of a sale of 10,000 bots.

But that rate is likely a moving target, says Joe Dallatore, senior manager in Cisco's security research and operations group. "At this point we have a snapshot [in time]" of the botnet market rate, Dallatore says. "There is an economy for these things, and it changes over time this is a form of commerce, with supply and demand."

And the botmaster isn't out to perform identity theft -- just bot-brokering. "He was not in the business of using information [on the bots]. Just in creating bots and selling them to someone else," Dallatore says.

Cisco decided to go undercover and learn more about the botnet market after cleaning up infected machines at their customer's site. "This gave us an opportunity to learn what motivated" the botmaster, Dallatore says.

Posing as a botmaster -- and later a security reporter -- a Cisco researcher engaged in an IRC chat conversation with the botmaster, and later, several MSN chat sessions over a period of months.

The botmaster told the undercover researcher that he didn't focus on exploiting vulnerabilities when going after prospective bots. Instead, he mostly used social engineering via instant messages. He can spam 10,000 users with a lure like a "check this out"-type link and get a one percent or better response rate, he said.

He also said he knew someone who made $5,000 to $10,000 per week through phishing attacks.

The botmaster also shed light on the dog-eat-dog world of cybercrime. He said he once used a stolen account and impersonated a law enforcement official in order to chase another botmaster away from his 6,000 node botnet. And there are different levels of expertise in the bot world, too: only 20 percent of botmasters actually understand the bot code they get via online forums, and about three- to five percent write their own botnet code, he said.

He also pointed the undercover researcher to a massive botnet forum that included discussions, source code, botnet supplies such as file hosting accounts, packers, password lists, and password stealers.

"Anyone with basic computer experience is able to run a botnet. It is not necessary to understand the code, nor is there a need to understand networking," according to a report by Cisco on the botmaster conversations.

Although the researchers learned via some outside research that the botmaster they were communicating with was a prolific author of IRC-based botnet software and was well-known among the underground, his botnet had a hole. Cisco was able to block his bot update servers because they had been left unprotected. He didn't bother encrypting botnet traffic, either.

Cisco's Dallatore says his researchers' revealing communications with the botmaster should serve as a warning to enterprises that their computing resources are valuable to the bad guys. "It's important for enterprises to do what they can to prevent becoming an inadvertent engine in someone else's commerce," he says. "And they may be traced back as a source of an attack."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?