The group behind an attack on Twitter last year is now in the botnet-renting business - a racket security pros say can be very profitable.
From spamming to harvesting data, botnets are a hot commodity for
attackers. But as the Iranian Cyber Army's decision to sell access to its
botnet shows, hawking access to compromised computers can be
price of a botnet
depends on a number of factors. The first is size, noted
Imperva Senior Security Strategist Noa Bar Yosef. Beyond that, it often depends
on what type of attack is being planned, the length of the attack, the
target and its geo-location.
"Although a rental is based on a multitude of factors as stated above,
to give some ballpark figures," she said, "a 24-hour DDoS
[distributed denial of service] attack can be anything from a mere $50 to
several thousand dollars for a larger network attack. Spamming a million e-mails,
given a list, ranges [from] $150 to $200. ... A monthly membership for phishing
sites is roughly $2,000."
Researchers at Damballa said the company has seen the 24-hour rental of 100,000-strong
botnets cost $50 to $200 for a DDoS attack. Symantec, meanwhile, reported its
researchers recently found an advertisement for the "Eleonor" botnet
with an even lower price tag-just $40 a day, though it was not clear what the
buyer would be getting for that.
The Iranian Cyber Army (ICA) was in the
spotlight last year when the group launched an attack on Twitter
in December 2009
that redirected roughly 80 percent of the site's traffic.
The group also attacked the Chinese search engine Baidu. According
, in September the Website of TechCrunch Europe was hacked after
attackers installed a page that redirects the blog's readers to a crime server
that then executed a script and installed malware. The crime server was using
an exploit kit tied to the group, Seculert reported.
These days the cyber-crew appears to be leasing part of its botnet to other
groups that then install different types of malware on the machines, such
as Bredolab and Zeus, Seculert said. To Bar Yosef, it is not all that
"Cyber-criminals, just like real-life criminals, seek for different
sources of revenue," she explained. "Botnet growers are continuously
advertising their services. What is interesting in the case of ICA
is that they were the ones performing the attack. From their point of view,
most of their attacks were politically motivated. But they seem to have asked
themselves: Why can't we make extra on the side with our infrastructure?"
From the standpoint of security, the prospect of botnets-for-sale does not
much for vendors
. Taking down one group may work temporarily, but there is
usually another group that will take its place, noted Marc Fossi, manager of
research and development for Symantec Security Response.
"A botnet grower has a large number of computers under his control,"
Bar Yosef said. "He rents a certain amount of these zombies for different
purposes. Each of these rentals together provide[s] a botnet. So botnets range
is size, but ultimately it can be sourced to the grower. So criminals are not
selling portions of their botnet; rather they are renting portions of the
computers under their controls according to the needs and requirements of the
In the cyber-underground, botnet victims are a form of currency, Gunter
Ollmann, vice president of research at Damballa, told eWEEK. A particular
management tool may cost $500 to purchase but could be traded for 4,000
bot victims in the U.K.,
for example. The hurdles to building a botnet are so low now "any man and
his dog can get started in this business," he said.
"The build-to-sell model for botnets is the most common model, and
there are hundreds of professional operators that exist purely to supply this
market," he said. "Similarly, there's a whole ecosystem around
building fast-growing botnets. ... The buying and selling of botnets [or portions
of botnets] make it more difficult to track. However, by monitoring the command
and control infrastructure of the botnet, it's normally fairly easy to provide
attribution to a particular criminal botnet operator.
"At the end of the day, knowing who the operator is and what they use
their botnets for is most important in understanding the threat they really
represent," he added.