Jose Nazario, a senior security researcher at Arbor Networks, recently said to me, "It takes them a little while to figure out everything they can do, like walk into these markets and learn how to sell, how to bid, how to lease access to these things." He wasn't talking about some basic Business 101 observations; he was talking about the business of operating an online botnet today and the well-organized criminals that are profiting by owning several thousand compromised computers worldwide. Nazario, who has been using the term "botconomics," says there's "an emerging underground economy, the botnet economy. The botconomics are driving entry into the botnet world." In other words, it's money--and lots of it--that's responsible for the rapid rise in botnets in recent months. But, as with any legitimate small business, the chances of success depend on your ability to navigate various obstacles.
Like any social order, there's been some consolidation of bot-herders and botnets at the top. Very large, very focused botnets typically involve spamming because there is so much money in spam. Some also harvest e-mail addresses and set up their own phishing Web sites. They make most of the online underground's profit. Nazario says "A lot of folks look at the top and say 'I want to be there, I want to make all this money, so I'm going to get into this.'"
Nazario thinks that in recent years the barriers to entry have been lowered. "Years ago, it used to be you had to know how to write code...you had to do so many things on your own." Now, a lot of the code is bought and sold on online markets, and if you still don't know how to put one together, there are a lot of mentors in this space as well. "It doesn't take a lot of technical skill," says Nazario. There's an online community available to those who earn the trust and reputation, usually demonstrated by getting a certain quantity of stolen credit cards, bandwidth, or e-mail addresses, and slowly building your street cred. "It's a very complex underworld that mirrors the typical, physical underworld as well as parts of society over all," says Nazario.
Getting infected just got easier
There are a number of ways that your PC can become infected--not just through e-mail or infected Web sites. While drive-by downloads are currently very common, instant messengers are also popular. Chris Boyd, director of malware research at Facetime Security Labs, recently reported a Skype worm that could infect users of various IM clients (AOL, Yahoo, MSN, Trillian). While this particular worm didn't include a bot, other IM worms might.
"The big problem," says Boyd, "is that a lot of users will see a potentially malicious link appear in their chat program and will think that it's supposed to be there, even if they know it wasn't sent by a friend. I've seen people say they thought it was an advert, or they thought it was something generated by the program itself."
A virtual chop shop
Nazario says once a machine is infected, it's then a matter of selling the data within the underground. "A colleague of mine, Danny McPhearson, has likened [botnets] to a large scale auto chop shop. You steal a fleet of cars that people own, you've maybe got someone's wallet, someone's purse, you've got their stereo, the battery, the tires, the car itself, and all these different components of it."
Nazario says that, using remote-access Trojans or bots, criminals are harvesting Outlook address books for spammers, selling the compromised computer's bandwidth, and selling its disk space to host illegal files in what they call a "bullet-proof" hosting network. "There are dozens of other resources on this computer that [they] can now monetize," he says of the criminals. And you don't have to do it all by yourself; you can rent it out. Access to a particular computer deep inside the government or in the military is very interesting to some criminals, since these can be used to penetrate networks behind the perimeter.
In early 2006, the FBI arrested Jeanson James Ancheta, a then-20-year-old Southern Californian who, among other crimes, ran a business of renting out his botnets. When a bot-herder rents, however, he or she doesn't necessarily give you full access. "You get file space," says Nazario, "you get Web interface, but you can't necessarily knock their bot off." Of course, being a renter is also risky. "If you lease part of a botnet, the guy could basically dupe you and hijack part of your botnet--even the whole botnet." He says the number of machines you personally control is far more important than the overall number in your botnet.
Often, though, there are legitimate reasons to rent, such as avoiding the administrative overhead. "Much more commonly," says Nazario, "they're trying to establish a buffer between themselves and the actions that they've taken, whether it be spamming, DDoSing or whatever."
Next week, in part II, I'll discuss the new things criminals are doing with their "bulletproof" networks to make the big bucks, and whether there's any way to take the financial incentive out of botnets.