Botnet hunters tracking the latest MS06-040 worm attack estimate that one malicious hacker earned about $430 in a single day by installing spyware programs on thousands of commandeered Windows machines.
Security researchers are the German Honeynet Project discovered a direct link between the botnet-building attack and DollarRevenue, a company that pays between a penny and 30 cents per installation of its heavily criticized ad-serving software.
Within 24 hours, the IRC-controlled botnet hijacked more than 7,700 machines via the Windows Server Service vulnerability and hosed the infected computers with the noxious DollarRevenue files.
During a four-day stretch, researchers at the Manheimm, Germany, honeynet project counted about 9,700 infections from a single command-and-control center and calculated that the attacker was making hundreds of dollars a day in commissions from DollarRevenue alone.
"This is a lucrative business," said Thorsten Holz, a project founder who spends much of his life monitoring botnets. "Hes earning more than $430 in a single day with DollarRevenue, and thats not the only piece of adware hes installing. Hes installing others and also renting his botnet out to spammers," Holz said in an interview with eWEEK.
DollarRevenue describes itself as "one of the best pay-per-install affiliate programs on the Internet," offering Web site owners "an alternative to traditional advertising methods." The company offers a per-installation commission every time one of its programs is downloaded onto a computer, going as far as encouraging installs via ActiveX pop-up windows or bundled executables within third-party software.
The payouts vary according to the location of the infected computer. For example, an adware installation in China only pays a penny, while an executable loaded on a PC in the United States or Canada pays between 20 cents and 30 cents, according to information posted on the DollarRevenue Web site.
In this case, Holz counted 998 installations in the United States, 20 installations in Canada, 103 in the United Kingdom, 756 in China and about 5,800 in other countries.
Anti-virus vendor Sunbelt Software, in Clearwater, Fla., describes DollarRevenues software as "high-risk threats" that are typically installed without user interaction via security exploits.
Using a network of machines set up with intentional vulnerabilities to lure and trap Internet attackers, Holzs honeynet project was able to monitor the instructions being sent by the botnet controller to thousands of compromised computers.
Holz explained that a main IRC channel is being used to dispatch all incoming bots to join four different channels. The first sends instructions to propagate further by scanning for other vulnerable Windows machines. The second channel installs adware on all the machines, and a third was set up especially for the DollarRevenue installations.
A fourth channel was used to install an additional binary on all bots. This is believed to be a spam proxy that can be rented out to spammers. "This is a lucrative business. Hes using this botnet to make big money," Holz said.