Botnet Business Continues to Thrive: Fortinet

New research from Fortinet says that while takedowns are having an impact, running botnets is a relatively inexpensive business.

Botnet takedowns and the occasional arrest have made the cost of doing business a bit higher for cyber-criminals. However, there is some good news for the cyber-underground: The cost of actually running their businesses is relatively cheap.

According to research into the botnet market by security firm Fortinet, getting a "botnet up and running costs next to nothing," and those needing help can hire botnet consultants for as little as $350 to $400.

"There are affiliate networks known as pay-per-install (PPI) networks that exist to infect computers online and create a botnet from the ground up," the report noted. "These networks require only the number of infected systems wanted and the botnet software, and the affiliate network will take care of the rest.

"Again, the cost is nominal—typical PPI networks charge around $100 per 1,000 installations," the report said. "Infections in areas such as North America, the European Union and Australia, however, typically command a premium price over infections in Asia and Eastern Europe.

"For the truly 'hands-off' criminal business owner (or for those who find managing a botnet is simply too much work), one can rent a botnet for criminal activity. Typical costs associated with botnet rental include $535 for five hours per day of DDoS [distributed denial-of-service] attacks per week, $40 for 20,000 spam emails and $2 for 30 online forum and comment spam posts," the report said.

According to Fortinet, the top five pieces of botnet malware detected in the wild today are ZeroAccess, Jeefo, Smoke, Mariposa and Grum (Tedroo). The Grum botnet was shut down in July 2012, and the master command-and-control for Mariposa was dismantled a few years ago. Still, the malware tied to those botnets continues to spread, signaling that in some cases, old threats are slow to die off. But the most prevalent botnet malware of today belongs to ZeroAccess.

"ZeroAccess is a great example of something new that has likely been very financially successful for its creators," said Richard Henderson, security strategist and threat researcher for FortiGuard Labs of Fortinet. "[Its] main raison d'etre is to mine bitcoin for its owners. FortiGuard has been monitoring ZeroAccess infections for quite some time, and we're seeing linear growth of infections on the scale of about 100,000 new IPs showing infections weekly."

Right now, there may be as many as 2 million active ZeroAccess infections out there mining for bitcoins, he said.

"The typical affiliate earns about $100 per 1,000 infected hosts … [but] the owners of this botnet are so confident in their ability to generate revenue from their victims that they are paying affiliates five times the going rate for infections—$500 per 1,000 infections," said Henderson. "This implies that the people behind ZeroAccess are making a lot of money and have the capital to prepay affiliates to provide new victims."

Jeefo and Smoke are relatively new to the botnet scene, and are believed by Fortinet to have first appeared last year. According to Fortinet, Jeefo started out as a parasitic file infector virus in 2007. In 2013, Fortinet's FortiGuard Labs observed a spike in infections, and new evidence suggests the virus evolved into a full-featured peer-to-peer botnet.

While botnets continue to plague PCs, botnet malware is targeting mobile devices as well, such as Zitmo, TigerBot and Claco. The main target for these threats is Google Android due to the "openness" of the platform, Henderson said, though Symbian is a target as well.

"Mobile botnets have monetized themselves in ways that now parallel that of desktop malware," he said. "While there are still pieces of malware out there that do things like send hidden fraudulent premium SMS [Short Message Service texts], the evolution of Zitmo and other mobile malware have now moved into credential and log-in theft in order to facilitate financial fraud; the push over the past couple of years to empower customers to implement mobile banking has given mobile malware authors another vector of infection in order to siphon money out of bank accounts."

This evolution is likely to continue to other avenues such as fake antivirus products and ransomware, he added.

"I don't believe there would be any surprise to see a mobile ransomware that seizes control of your phone, encrypts the contents of your storage—pictures, email, music, etc.—and holds it for ransom until a 'fine' has been paid to the owners of the malware," he said. "It's been a very lucrative model for the desktop, [and] extending that into the mobile space is an obvious evolution of that threat."