How's that for affordable? In fact, that's the problem where APTs are concerned. According to remarks made by Bestuzhev at a recent press event, building a good botnet requires an initial investment of only about $5,000, at least for a do-it-yourself approach.
Here's how to build a botnet: First, spend $750 on average to buy a top-notch malware toolkit, such as SpyEye. Or upgrade to the Phoenix exploit kit 2.4 ($2,200) or BlackHole Exploit Pack ($1,550) for even more automated attacks. Next, spend $480 per year to subscribe to a site such as Virtest.com, which tests whether the malware you've built can be detected by current scanners. Also contract with a bullet-proof hosting service -- a really good one will set you back $3,600 per year -- for storing malicious code as well as purloined data. Finally, pick a good phishing pack -- these are free -- to ferry your malware via e-mail to unsuspecting victims.
What if you don't have time for DIY? Good news: "There's another service available called 'pay per install,'" said Bestuzhev. In this scenario, you contract with other criminals to install malware on PCs for you. Rates for 1,000 installations (zombies) vary by country, from an average of $20 in the Netherlands to $150 in the United States (thanks to its residents using more credit cards per capita). "So, building a 30,000-bot, high-quality botnet can cost you $27,000," he said.
For hackers with coding chops, there's an even cheaper and more direct option: Knock off an existing botnet by taking control and locking out the current owners. Bestuzhev says this tactic isn't uncommon.
But the bigger issue is that criminals without computer savvy -- even penny stock price manipulators who previously relied on phone and fax boiler rooms -- have easy access to botnets, either directly or through intermediaries with affordable rates. As a result, anyone can launch millions of spam e-mails, mass infection campaigns, and spear-phishing attacks, using the latest malware plus APTs to bypass many defenses.
Accordingly, let's dub APT the "new normal" in security attacks. Because as Bestuzhev describes the problem, using a popular Russian phrase: "You have money? You don't need brain."