The Profit Motive

By Ryan Naraine  |  Posted 2006-10-16

The Mocbot worm attack in September provides the clearest evidence yet of the money that can be made from well-stocked botnets.
During the attack, which exploited a Windows Server Service vulnerability, security researchers at the German Honeynet Project discovered that hijacked PCs were being used to install ad-serving software from DollarRevenue, a company that pays between a penny and 30 cents per installation.

Within 24 hours, the IRC-controlled botnet seized control of more than 7,700 machines. During a four-day stretch, the researchers counted about 9,700 infections from a single command-and-control center and calculated that the attacker earned about $430 in commissions from DollarRevenue alone.

According to Stewart, the majority of botnet activity is linked to spam runs and ID theft phishing attacks. The typical bot gets installed in thousands of machines and starts harvesting e-mail addresses stored on hard drives. It then installs and opens a generic SOCKS proxy to send massive amounts of spam.

In most cases, the bot herders rent the botnets to spammers, but Stewart and others have seen evidence of crime rings operating for-profit botnets. These can be used for extortion (DDoS, or distributed DoS, attacks), traffic sniffing to steal clear-text data passing through a hijacked machine, keystroke logging to steal banking credentials, fraudulent clicks on contextual ad networks, and even the manipulation of online polls and games.

Randal Vaughn, professor of computer information systems at Baylor University's Hankamer School of Business, in Waco, Texas, remains optimistic, despite a laundry list of weak links that includes nontechnical computer users, law enforcement and botnet mitigation technologies.

"When you have an international problem, law enforcement organizations can't cope. They simply don't have the resources to deal with the magnitude of the botnet problem. They're very involved, and they do take it seriously, but it's very difficult for someone in the United States to coordinate with a law enforcement agency in Russia or China. I don't think we'll ever achieve mitigation in certain geographic areas," Vaughn said in an interview.

Another big spoke in the wheel is the approach of smaller ISPs to dealing with customers' infected machines. "There's no economic incentive for an ISP to sit on the phone for an hour and a half to help a customer get [his or her machine] disinfected. The cost of that is more than the subscription cost," said Stewart. That fact, coupled with the large percentage of computer users running Windows versions without up-to-date patches, creates an environment that's ripe for abuse.

"We need to give ISPs better tools to deal with the problem. It's just not economically feasible to do manual remediation with customers," Stewart said. Stewart plans to propose a community effort to create a free tool to help automate the removal of bots from an ISP's network.

Several security vendors have started shipping anti-botnet products. In September, Trend Micro released InterCloud Security Service, a new service that provides botnet mitigation technology to ISPs, universities and other large network providers. InterCloud is capable of identifying zombie drones on a network and provides an automated remediation solution to stop them in real time.
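The bot pattern described earlier (an IRC control channel, then mass outbound SMTP through a proxy on the infected host) is the kind of signal an ISP-side tool would look for when identifying zombie drones. As an added example that is not code from the article or from any vendor it mentions, here is a simple flow-log heuristic in Python; the flow record format, the IRC port list and the thresholds are assumptions.

```python
from collections import defaultdict

# Assumed flow record: (timestamp_seconds, src_ip, dst_ip, dst_port).
IRC_PORTS = {6667, 6697}        # common IRC ports; real C2 may use others
SMTP_PORT = 25
SMTP_WINDOW_SECONDS = 600        # look for bursts within 10 minutes
SMTP_DISTINCT_THRESHOLD = 20     # distinct mail servers within one window

def smtp_burst(flows_for_host):
    """Largest number of distinct SMTP destinations contacted by one host
    within any SMTP_WINDOW_SECONDS window (sliding window over sorted flows)."""
    smtp = sorted((t, dst) for t, dst, port in flows_for_host if port == SMTP_PORT)
    counts = defaultdict(int)
    best, start = 0, 0
    for t, dst in smtp:
        counts[dst] += 1
        while t - smtp[start][0] > SMTP_WINDOW_SECONDS:   # slide window forward
            old = smtp[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def find_spam_drones(flows):
    """Flag hosts that both talk IRC and show an SMTP burst above threshold.
    Returns {host: peak distinct SMTP destinations} for flagged hosts."""
    by_host = defaultdict(list)
    for ts, src, dst, port in flows:
        by_host[src].append((ts, dst, port))
    flagged = {}
    for host, recs in by_host.items():
        talks_irc = any(port in IRC_PORTS for _, _, port in recs)
        peak = smtp_burst(recs)
        if talks_irc and peak >= SMTP_DISTINCT_THRESHOLD:
            flagged[host] = peak
    return flagged

# Constructed sample: 10.0.0.5 behaves like a drone (IRC, then 30 mail
# servers in under three minutes); 10.0.0.9 sends a few mails to its own
# provider's relay and never touches IRC, so it is not flagged.
SAMPLE_FLOWS = [(0, "10.0.0.5", "198.51.100.7", 6667)]
SAMPLE_FLOWS += [(60 + i * 5, "10.0.0.5", f"203.0.113.{i}", 25) for i in range(1, 31)]
SAMPLE_FLOWS += [(100 + i * 30, "10.0.0.9", "192.0.2.25", 25) for i in range(5)]

if __name__ == "__main__":
    print(find_spam_drones(SAMPLE_FLOWS))   # {'10.0.0.5': 30}
```

A single flagged host is a lead for remediation, not proof: legitimate mail relays and IRC users exist, so a production tool would add reputation data and a notification step rather than blocking on this heuristic alone.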

Damballa, a stealth-mode startup with links to the College of Computing at the Georgia Institute of Technology, has raised venture capital funding to create technology that promises to pinpoint Internet traffic generated by zombie drones.

But, for now, the drones are winning.
