Money Bots: Hackers Cash In

Research group details how lucrative PC hijacking can be

Botnet hunters tracking the latest MS06-040 worm attack estimate that one malicious hacker earned about $430 in a single day by installing spyware programs on thousands of commandeered Windows machines.

Security researchers at the German Honeynet Project discovered a direct link between the botnet-building attack and DollarRevenue, a company that pays between 1 and 30 cents per installation of its heavily criticized ad-serving software.

Within 24 hours, the IRC (Internet Relay Chat)-controlled botnet hijacked more than 7,700 machines via the Windows Server Service vulnerability and hosed the infected computers with the noxious DollarRevenue files. A botnet (short for "robot network") is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the malicious attacker.

During a four-day stretch, researchers at the German Honeynet Project, in Manheimm, Germany, counted about 9,700 infections from a single command and control center and calculated that the attacker was making hundreds of dollars a day in commissions from DollarRevenue alone.

"This is a lucrative business," said Thorsten Holz, a project founder who monitors botnets. "[The attacker is] earning more than $430 in a single day with DollarRevenue, and thats not the only piece of adware hes installing. Hes installing others and also renting his botnet out to spammers," said Holz.

DollarRevenue describes itself as "one of the best pay-per-install affiliate programs on the Internet," offering Web site owners "an alternative to traditional advertising methods." The company offers a per-installation commission every time one of its programs is downloaded onto a computer, going as far as encouraging installs via ActiveX pop-up windows or bundled executables within third-party software.

The payouts vary according to the location of the infected computer. For example, an adware installation in China pays only a penny, while an executable loaded on a PC in the United States or Canada pays between 20 and 30 cents, according to information posted on the DollarRevenue Web site.

In this case, Holz counted 998 installations in the United States, 20 installations in Canada, 103 in the United Kingdom, 756 in China and about 5,800 in other countries.

Anti-virus vendor Sunbelt Software, in Clearwater, Fla., describes Dollar-Revenues software as "high-risk threats" that are typically installed without user interaction via security exploits.

Using a network of machines set up with intentional vulnerabilities to lure and trap Internet attackers, Holzs Honeynet Project was able to monitor the instructions being sent by the botnet controller to thousands of compromised computers.

In early August, researchers at Lurhqs Threat Intelligence Group were able to infiltrate a botnet command and control center linked to the latest wave of attacks and found a sophisticated spam operation that included the use of a proxy Trojan, forged e-mail addresses and botnet drones.

Holzs team has seen botnets that control between 10,000 and 25,000 compromised computers, and he said high-profile flaws in widely used applications are "quickly turned into exploits."

Michael Sutton, a security evangelist for Atlanta-based SPI Dynamics, said Holzs findings are an accurate reflection of the severity of the botnet problem. "These botnets give attackers tools to do a lot of different things. The goal is to control bandwidth and CPU cycles to make money," said Sutton.

Money Bots by the Numbers


Machines compromised in five days by DollarRevenue

1 to 30 cents

Amount DollarRevenue pays for an adware installation


Approximate number of new infections from one command and control center in four days

Source: German Honeynet Project