Vulnerabilities / Threats
5/27/2010
10:55 PM
50%
50%

Cheap Botnets A Boon To Hackers

Easy access to cheap botnet rentals and sophisticated attack tools are lowering the barriers to entry for criminals who can’t code.

Have you got $67 burning a hole in your pocket? Then you can rent a botnet for 24 hours to launch distributed denial of service (DDoS) attacks, sell fake antivirus software and relay spam to unsuspecting email users via millions of compromised -- aka zombie -- PCs. Or if you only need an hour, that’s just $9.

Those findings come from iDefense, VeriSign’s security intelligence service, which studied 25 black market botnet offerings. Based on the company’s research, botnets are becoming increasingly commoditized, with sellers freely hawking their wares via online forums and banner advertising.

“Organizations need to be wary of the fact that their critical online applications or services could be taken down in under a day by a criminal renting services from bot herders,” said Rick Howard, director of intelligence at iDefense, in a statement.

Unfortunately, the easy access to botnets, as well as the emergence of more automated botnet software, has lowered the botnet barrier to entry for less technologically inclined or well-connected criminals.

In March, for example, Spanish police arrested the three alleged masterminds behind the Marisposa botnet, which ran undetected for six months, compromising more than 12 million PCs, many at blue-chip firms and banks.

“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, senior research adviser with Panda Security, told the Guardian. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”

Mariposa may now be defunct, but one of the most well-known botnet tools, Zeus, is still alive and well. According to a recent report from managed security services provider SecureWorks, “Zeus is sold in the criminal underground as a kit for around $3,000-4,000, and is likely the one malware most utilized by criminals specializing in financial fraud.”

Customize Zeus with numerous add-ons: virtual networking to take over an infected PC ($10,000), an upgrade for attacking Windows 7 or Vista ($2,000), Jabber IM broadcasting to receive stolen data in real time ($500), a Firefox form grabber ($2,000) and a back-connect module for making financial transactions from an infected PC ($1,500). Interestingly, the Zeus application also includes sophisticated anti-piracy features.

If the going rate for renting a botnet or buying the right software seems steep, antivirus vendor Sunbelt recently said that it’s been tracking a Twitter-controlled botnet that can be used to launch DDoS attacks. Dubbed TwitterNET Builder, the tool -- available at no charge -- lets an attacker simply enter a Twitter username and hit “build” to generate the required malware.

Thankfully, the tool’s reliance on public Twitter commands for control means that attackers get what they pay for. “We’ve notified Twitter about this bot creation system, and they’re looking into it,” said Boyd. In other words, don’t try this at home.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.