Botnet for Sale Business Going Strong, Security Researchers Say

The group behind an attack on Twitter last year is now in the botnet-renting business - a racket security pros say can be very profitable.

From spamming to harvesting data, botnets are a hot commodity for attackers. But as the Iranian Cyber Army's decision to sell access to its botnet shows, hawking access to compromised computers can be profitable too.

The price of a botnet depends on a number of factors. The first is size, noted Imperva Senior Security Strategist Noa Bar Yosef. Beyond that, it often depends on what type of attack is being planned, the length of the attack, the target and its geo-location.

"Although a rental is based on a multitude of factors as stated above, to give some ballpark figures," she said, "a 24-hour DDoS [distributed denial of service] attack can be anything from a mere $50 to several thousand dollars for a larger network attack. Spamming a million e-mails, given a list, ranges [from] $150 to $200. ... A monthly membership for phishing sites is roughly $2,000."

Researchers at Damballa said the company has seen the 24-hour rental of 100,000-strong botnets cost $50 to $200 for a DDoS attack. Symantec, meanwhile, reported its researchers recently found an advertisement for the "Eleonor" botnet with an even lower price tag-just $40 a day, though it was not clear what the buyer would be getting for that.

The Iranian Cyber Army (ICA) was in the spotlight last year when the group launched an attack on Twitter in December 2009 that redirected roughly 80 percent of the site's traffic. The group also attacked the Chinese search engine Baidu. According to Seculert, in September the Website of TechCrunch Europe was hacked after attackers installed a page that redirects the blog's readers to a crime server that then executed a script and installed malware. The crime server was using an exploit kit tied to the group, Seculert reported.

These days the cyber-crew appears to be leasing part of its botnet to other groups that then install different types of malware on the machines, such as Bredolab and Zeus, Seculert said. To Bar Yosef, it is not all that surprising.

"Cyber-criminals, just like real-life criminals, seek for different sources of revenue," she explained. "Botnet growers are continuously advertising their services. What is interesting in the case of ICA is that they were the ones performing the attack. From their point of view, most of their attacks were politically motivated. But they seem to have asked themselves: Why can't we make extra on the side with our infrastructure?"

From the standpoint of security, the prospect of botnets-for-sale does not really change much for vendors. Taking down one group may work temporarily, but there is usually another group that will take its place, noted Marc Fossi, manager of research and development for Symantec Security Response.

"A botnet grower has a large number of computers under his control," Bar Yosef said. "He rents a certain amount of these zombies for different purposes. Each of these rentals together provide[s] a botnet. So botnets range is size, but ultimately it can be sourced to the grower. So criminals are not selling portions of their botnet; rather they are renting portions of the computers under their controls according to the needs and requirements of the attack requestor."

In the cyber-underground, botnet victims are a form of currency, Gunter Ollmann, vice president of research at Damballa, told eWEEK. A particular management tool may cost $500 to purchase but could be traded for 4,000 bot victims in the U.K., for example. The hurdles to building a botnet are so low now "any man and his dog can get started in this business," he said.

"The build-to-sell model for botnets is the most common model, and there are hundreds of professional operators that exist purely to supply this market," he said. "Similarly, there's a whole ecosystem around building fast-growing botnets. ... The buying and selling of botnets [or portions of botnets] make it more difficult to track. However, by monitoring the command and control infrastructure of the botnet, it's normally fairly easy to provide attribution to a particular criminal botnet operator.

"At the end of the day, knowing who the operator is and what they use their botnets for is most important in understanding the threat they really represent," he added.