A beginner’s guide to building botnets—with little assembly required

For a few hundred dollars, you can get tools and 24/7 support for Internet crime.

Have a plan to steal millions from banks and their customers but can't write a line of code? Want to get rich quick off advertising click fraud but "quick" doesn't include time to learn how to do it? No problem. Everything you need to start a life of cybercrime is just a few clicks (and many more dollars) away.

Building successful malware is an expensive business. It involves putting together teams of developers and coordinating an army of fraudsters to convert ill-gotten gains to hard currency without pointing a digital arrow right back to you. So the biggest names in financial botnets—Zeus, Carberp, Citadel, and SpyEye, to name a few—have all at one point or another decided to shift gears from fraud rings to crimeware vendors, selling their wares to whoever can afford them.

In the process, these big botnet platforms have created a whole ecosystem of software and services in an underground market catering to criminals without the skills to build it themselves. As a result, the tools and techniques used by last year's big professional bank fraud operations, such as the "Operation High Roller" botnet that netted over $70 million last summer, are available off-the-shelf on the Internet. They even come with full technical support to help you get up and running.

The customers of these services often plan more for the short term than the long game played by the big cyber-crime rings. They have very different goals. Botnet infrastructures can be applied in lots of ways for different sorts of profit—cash, information, or political gain. There are many ways to make money off botnets beyond outright theft, such as using them to steal advertising clicks, generate spam e-mails for a paying client, or renting out bots for denial-of-service attacks. And the same basic principles used to distribute botnets have been creeping up in more targeted attacks to steal intellectual property or to spread the malware used in the recent "wiper" attack on South Korean banks and broadcasters.

So how easy is it to get into the botnet business? Well, Ars decided to find out. Given the surprising availability of botnet building blocks online, I set out to build a shopping list to understand how everything is bought and sold within this black market. It all started with checking sources through a few Web searches, then making trips into Web forums I dared visit only with a virtual machine and Google Translator's help. All I had to do was paste in "botnet" in Cyrillic, and I was on my way down the rabbit hole.

To assemble your list for some of the simplest get-rich-quick schemes, all you need is about $600, a little spare time, and no compunctions about breaking laws to make a profit. I didn't deploy an Ars-enal of botnet destruction in the end, but I absolutely could have. That may be the scariest lesson here.

It looks like you’re trying to build a botnet…

There are no personal shoppers to help walk you through the underground marketplaces to identify what fits a particular criminal scheme—though there may be plenty of people willing to give you paid advice on how to get started. With absolutely no budget for bitcoins, I got my start with some help from Max Goncharov, a security researcher for Trend Micro who specializes in following the Russian underground marketplaces for online fraud services. Goncharov came to Washington, DC in late March for a Trend Micro press briefing, and he laid out some of the basic things that go into a beginner fraudster's software and services shopping cart: botnets, malware-spreading tools, and hacking for hire. (Goncharov detailed some of these services in a paper published late last year and presented during this press road show.) Goncharov's suggested setup came with a $595 price tag for the first month of operations and a monthly cost of $225 to sustain the operation.

Of course, that price is for a particular type of botnet. It isn't representative of everything that's running wild on the Internet today. It also assumes total noob-hood. For those seeking to do something a little less overtly criminal than stealing credit card numbers or committing wire fraud, there are less expensive options. With a little sweat equity, you can pull off a workable botnet for a fraction of that price. If you're willing to try it without the benefits that come from paying professionals—like software updates, monitoring services, and 24/7 technical support—you can cut the cost back even further.

With my rough estimate in place, it was time to actually start some research of my own. Hello overseas VPN connection, Google Translator, and Google.ru—time for the underground hacker marketplace.

The marketplace of (bad) ideas

The "underground" forums do more than just give would-be criminals access to a level of service that might make some enterprise software companies look bad. They also act as a sort of hiring hall for people with very specific skills (like hacking webmail accounts) or botnets of their own ready to do a paying customer's bidding. On these barely underground sites, hacker wares are made available to anyone willing to pay. Current versions of Zeus and SpyEye botnet software are for sale, or you can find the last version cracked by someone for cheap or free.

Many of the sites run under the thin veneer of "security" discussion boards. But they're often paid for by advertisements for the tools sought by a certain class of cyber-criminal: botnet-herders and the service provider ecosystem that has sprung up around them. These are largely the small and medium businesses of cybercrime, following a well-worn approach to making money. If you cast a big enough net, you're bound to catch some fish.

The botnet herders' standard business plan is to "use exploit kits, and then run a phishing campaign or some sort of campaign against massive numbers of people with hopes that someone is going to click on a link and get the exploit to drop a botnet or banking trojan onto their machine," said Nicholas J. Percoco, senior vice-president of Trustwave and head of the company's SpiderLabs penetration testing and security research team. "Once they've done that, it goes down the path of them monitoring them when they do banking transactions, or the botnet may be involved in spam or distributed denial of service attacks. Or maybe it's a sort of Swiss Army knife botnet that can do many different things depending on what that botnet herder decides, or what he makes it available to do for people who want to utilize his or her botnet."

No matter what the racket, Percoco told Ars, the equation for botnet herders is the same. "From a criminal's perspective, they're looking at massive numbers of attacks to achieve their financial goals."

They're also looking at massive turnover. When a piece of malware like a botnet lands on thousands of PCs, "it may hit the radar of an antivirus company pretty quickly," Percoco noted. That means time and money spent on finding new victims, deploying patches and updates, paying for new exploits, and generally continuing the game of "whack-a-mole" with antivirus companies and other organizations—as the mole.