Botnet hunters tracking the latest MS06-040 worm attack estimate that one malicious hacker earned about $430 in a single day by installing spyware programs on thousands of commandeered Windows machines.
Security researchers are the German Honeynet Project discovered a direct link between the botnet-building attack and DollarRevenue, a company that pays between a penny and 30 cents per installation of its heavily criticized ad-serving software.
Within 24 hours, the IRC-controlled botnet hijacked more than 7,700 machines via the Windows Server Service vulnerability and hosed the infected computers with the noxious DollarRevenue files.
During a four-day stretch, researchers at the Manheimm, Germany, honeynet project counted about 9,700 infections from a single command-and-control center and calculated that the attacker was making hundreds of dollars a day in commissions from DollarRevenue alone.
“This is a lucrative business,” said Thorsten Holz, a project founder who spends much of his life monitoring botnets. “Hes earning more than $430 in a single day with DollarRevenue, and thats not the only piece of adware hes installing. Hes installing others and also renting his botnet out to spammers,” Holz said in an interview with eWEEK.
DollarRevenue describes itself as “one of the best pay-per-install affiliate programs on the Internet,” offering Web site owners “an alternative to traditional advertising methods.” The company offers a per-installation commission every time one of its programs is downloaded onto a computer, going as far as encouraging installs via ActiveX pop-up windows or bundled executables within third-party software.
The payouts vary according to the location of the infected computer. For example, an adware installation in China only pays a penny, while an executable loaded on a PC in the United States or Canada pays between 20 cents and 30 cents, according to information posted on the DollarRevenue Web site.
In this case, Holz counted 998 installations in the United States, 20 installations in Canada, 103 in the United Kingdom, 756 in China and about 5,800 in other countries.
Anti-virus vendor Sunbelt Software, in Clearwater, Fla., describes DollarRevenues software as “high-risk threats” that are typically installed without user interaction via security exploits.
Using a network of machines set up with intentional vulnerabilities to lure and trap Internet attackers, Holzs honeynet project was able to monitor the instructions being sent by the botnet controller to thousands of compromised computers.
Holz explained that a main IRC channel is being used to dispatch all incoming bots to join four different channels. The first sends instructions to propagate further by scanning for other vulnerable Windows machines. The second channel installs adware on all the machines, and a third was set up especially for the DollarRevenue installations.
A fourth channel was used to install an additional binary on all bots. This is believed to be a spam proxy that can be rented out to spammers. “This is a lucrative business. Hes using this botnet to make big money,” Holz said.
Next Page: Infiltrating a botnet command-and-control center.
Page 2
In early August, researchers at LURHQs Threat Intelligence Group were able to infiltrate a botnet command-and-control center linked to the latest wave of attacks and found a sophisticated spam operation that included the use of a proxy Trojan, forged e-mail addresses and botnet drones.
Holz said some botnets have also been used to install keyloggers and other malware files to steal personal data from an infected users browser. “Adware installs are the most lucrative but once a herder has a few thousand machines under control, he can sit back and make a lot of money,” he said.
Holzs team has seen botnets that control between 10,000 and 25,000 compromised computers, and he says high-profile flaws in widely used applications are “quickly turned into exploits.”
“Its pretty standard to see about 7,000 infections per day whenever theres a new exploit. They [bot herders] keep the size of the botnets low on purpose to avoid too much noise,” he said.
“In this case with the DollarRevenue installations, the owner compromised about 33,000 machines in five days. On the fifth day, he changed the command-and-control server and moved right along,” Holz said.
The command-and-control infrastructure is most often an IRC server installed illegally on a high-bandwidth educational or corporate network. A botnet (short for “robot network”) is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the malicious attacker.
Michael Sutton, a security evangelist at Atlanta-based SPI Dynamics, said Holzs findings are an accurate reflection of the severity of the botnet problem. “These botnets give attackers tools to do a lot of different things. The goal is to control bandwidth and CPU cycles to make money,” Sutton said in an interview with eWEEK.
Sutton, a well-known security researcher who previously worked as director of Verisign-owned iDefense Labs, said botnet-related crime is a “billion-dollar business.”
“On one side, you have these big advertisers pumping money into the adware business,” he said. “On the other side, you have these shady companies with shady affiliate deals, cashing in. Ive seen reliable estimates that the business of serving ads via adware is worth $1.6 billion a year. Thats a phenomenal industry.”
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.