Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/20/2009
04:13 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Botmaster: It's All About Infecting, Selling Big Batches of Bots

Undercover Cisco researcher told the going rate for a single bot is 10- to 25 cents

Researchers at Cisco recently got a rare glimpse of the inner workings of the botnet underworld after going undercover and meeting an actual botmaster online: the botmaster, who ran a botnet that had infected dozens of machines at a Cisco customer site, said his main job is to compromise a few thousand machines and then sell them off in bulk.

He told a Cisco researcher posing as a fellow botmaster that the market rate for a bot is between 10 cents to 25 cents per machine, and that he recently made $800 off of a sale of 10,000 bots.

But that rate is likely a moving target, says Joe Dallatore, senior manager in Cisco's security research and operations group. "At this point we have a snapshot [in time]" of the botnet market rate, Dallatore says. "There is an economy for these things, and it changes over time this is a form of commerce, with supply and demand."

And the botmaster isn't out to perform identity theft -- just bot-brokering. "He was not in the business of using information [on the bots]. Just in creating bots and selling them to someone else," Dallatore says.

Cisco decided to go undercover and learn more about the botnet market after cleaning up infected machines at their customer's site. "This gave us an opportunity to learn what motivated" the botmaster, Dallatore says.

Posing as a botmaster -- and later a security reporter -- a Cisco researcher engaged in an IRC chat conversation with the botmaster, and later, several MSN chat sessions over a period of months.

The botmaster told the undercover researcher that he didn't focus on exploiting vulnerabilities when going after prospective bots. Instead, he mostly used social engineering via instant messages. He can spam 10,000 users with a lure like a "check this out"-type link and get a one percent or better response rate, he said.

He also said he knew someone who made $5,000 to $10,000 per week through phishing attacks.

The botmaster also shed light on the dog-eat-dog world of cybercrime. He said he once used a stolen account and impersonated a law enforcement official in order to chase another botmaster away from his 6,000 node botnet. And there are different levels of expertise in the bot world, too: only 20 percent of botmasters actually understand the bot code they get via online forums, and about three- to five percent write their own botnet code, he said.

He also pointed the undercover researcher to a massive botnet forum that included discussions, source code, botnet supplies such as file hosting accounts, packers, password lists, and password stealers.

"Anyone with basic computer experience is able to run a botnet. It is not necessary to understand the code, nor is there a need to understand networking," according to a report by Cisco on the botmaster conversations.

Although the researchers learned via some outside research that the botmaster they were communicating with was a prolific author of IRC-based botnet software and was well-known among the underground, his botnet had a hole. Cisco was able to block his bot update servers because they had been left unprotected. He didn't bother encrypting botnet traffic, either.

Cisco's Dallatore says his researchers' revealing communications with the botmaster should serve as a warning to enterprises that their computing resources are valuable to the bad guys. "It's important for enterprises to do what they can to prevent becoming an inadvertent engine in someone else's commerce," he says. "And they may be traced back as a source of an attack."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20907
PUBLISHED: 2020-07-13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2020-14174
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
CVE-2019-20901
PUBLISHED: 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.