A security researcher offers a peek at how botnet operators build million-dollar operations, as well as at a popular scheme they are using to remain elusive while banking profits.
Starting a career in cyber-crime is simple, but just how do attackers go about building a botnet into a multimillion-dollar business?
During the Black Hat security conference in Las Vegas last week, Damballa Vice President of Research Gunter Ollmann gave attendees a behind-the-scenes view of how easily botnets can be built, and how attackers can turn a small network of infected computers into a million-dollar operation.
"The biggest concern for botnet builders lies with attribution, i.e., things that can be tracked directly back to the individual," he explained after the conference. "As such, budding botnet builders (at least those who have thought about things before tinkering) will focus on how to acquire free malware-building tools anonymously and how to use other free services to host critical infrastructure components."
The most common process tends to be for builders to develop kit-based botnet malware such as Zeus, SpyEye and PoisonIvy, and have the malware hosted on free Web services, he added.
"Many early-stage botnet builders utilize deception to trick their victims into installing the malware on their computers, but most eventually evolve into more sophisticated campaigns that involve fake Websites and Web browser exploitation," Ollmann said. "A key component in building botnets lies with the management of Domain Name System (DNS). As such, free Dynamic DNS providers are preferred service providers for botnet builders, especially when [the botnets] can be set up and managed anonymously."
From there, it's time to talk business plan. There are botnets involved in spamming, rogue antivirus and other schemes. Today, however, the scheme with the highest cash reward relative to the likelihood of being noticed by law enforcement would be "identity laundering."
"Identity laundering is the process of taking all of the identity information observed on a botnet victim's machine, and laundering the information through gray-market and legitimate sites/services that pay for the information and resell [it] to legitimate companies," he said. "Through this laundering process, a botnet operator can turn a 0.1 cent record into 30 cents, and that information gets consumed by legitimate organizations. By making use of existing lead-affiliate programs [also known as "lead-generation" programs], it's possible to earn up to $20 per record. Most importantly, though, the likelihood of detection by the victims is practically nonexistent, and in many ways no financial fraud is being perpetuated."
Most botnets are run by professional teams, who may be involved with multiple botnets at any one time, Ollmann said. Many of the botnets are around 2,000-strong, with those operating within enterprises being even smaller, typically having only a few hundred bots.
"That's not to say that the large named botnets (e.g., Koobface, Conficker, Bobax, etc.) don't also manage to penetrate enterprise networks and aren't large," he said. "These botnets can reach the millions in size, but are only a tiny fraction of the botnet business. The vast majority of criminal botnet operators intentionally focus on avoiding detection, and size will get you noticed the quickest."
Managing a botnet is usually easy, especially if the botnet builder uses popular do-it-yourself construction kits, he added. These management consoles already come equipped with functionality to manage stolen identity information, coordinate and batch instructions to infected computers, as well as other capabilities.
"The tools are plentiful and, if they're not free, they're cheap," Ollmann said. "Even the most expensive, fully supported, cutting-edge, criminal do-it-yourself kits can be acquired for a few thousand dollars, with a lesser annual subscription-renewal fee. Given the sophistication of these kits, their capability of administering hundreds of thousands of botnet victims, and their command-and-control infrastructure, many legitimate commercial cloud providers could probably learn from their tried-and-tested techniques."