Finjan Researchers Uncover Marketplace for Botnets

Researchers at Finjan outlined a sophisticated one-stop shop for cyber-criminals buying and trading in infected computers. Called Golden Cash, the network has been linked to the compromises of around 100,000 PCs and FTP credentials.

Researchers at Finjan have put the spotlight on a one-stop shop in the marketplace for malware-infected machines.

In Finjan's latest Cybercrime Intelligence Report for 2009, the company outlines the operations of the Golden Cash network, a one-stop shop trading platform for cyber-criminals trafficking in compromised PCs. While the sale of bots in the cyber-criminal underground is nothing new, the research shows the sophistication of the marketplace for compromised computers. Bringing together buyers and sellers of compromised PCs, Golden Cash is involved in every part of the process, from providing partners with attack toolkits to the actual sale and purchase of machines.

On the buyer side, batches of 1,000 malware-infected PCs can be purchased for between $5 and $100, depending on the territory or country. Partners are paid for successfully distributing the bot and for collecting FTP credentials for legitimate websites through the infected machines.

Finjan analyzed the affiliate network for two months and linked it to the compromises of around 100,000 PCs and FTP credentials. The company spotted a few dozen people using the platform, which researchers believe may be the work of the RBN (Russian Business Network).

"We believe they attempted to compromise at least 1 million PCs to get the 100,000 accounts," Finjan CTO Yuval Ben-Itzhak explained in an interview with eWEEK. "One of the servers in use is hosted in Russia. ... The group is also associated with the SEO poisoning attacks Finjan reported on [in] the previous CI [Cybercrime Intelligence] report we issued."

Once an attacker infects a computer, the malware reports back to the Golden Cash server and the attacker's account is credited. The first instruction sent to the infected machine is to install an FTP grabber that steals FTP credentials stored on it. The compromised machines are then put up for sale.

More technical information about the infection is available on the Finjan MCRC blog.