Why smaller botnets are big business
Posted on 31 Aug 2010 at 14:26
Davey Winder gets to grips with the business of botnets
Three years ago, I warned that a battle of the botnets was under way as the criminal underground sought both to exploit and control the biggest bankable money-maker of 21st-century online crime: the botnet.
Back in 2007, I explained that spammers were prepared to pay a lot of money to rent time on the largest botnets (known as mega-botnets), and that the bigger those mega-botnets became, the more valuable a commodity they provided for the crime gangs that build, maintain and exploit them. How times change, and in only a few short years.
Rather than this bigger-is-better mentality prevailing, nowadays, smaller botnets are more valuable as far as the rental business is concerned. This is largely due to the success of security researchers and law enforcement in taking down some of the big botnets and their hosts.
With the good guys now able to infiltrate and sabotage highly visible botnet operations, to the point of effectively putting them out of business for weeks - a week is a very long time in online crime activity - it has become far easier and safer for the bad guys to creep under the radar using smaller botnets.
This has had an interesting effect on the pricing mechanism for botnet rentals, not least because it’s now very much a buyer’s market. A few years ago, if you were a major spammer, blackmailer or malware distributor, there were only one or two mega-botnets to choose from at any given time, so rental prices inflated to reflect the limited choice of supplier.
Botnet pricing
Now the botnet market is far less monopolistic in nature and, with this move to smaller but more numerous botnets, the buyer gets a lot more leverage in terms of price bargaining.
The result is that, as I write this column, the latest research from VeriSign suggests that prices have fallen to as little as £5.99 per hour. VeriSign investigated a total of 25 known bot herders who were operating from three of the busiest online underground crime forums, and discovered that the average price for renting out a botnet for 24 hours was just £44.85, during which time numerous attack vectors could be exploited. Structured pricing was even evident, with “value added” services available such as the taking down of sites that have anti-DDoS measures.
When Cisco infiltrated a botnet operation last year, it discovered that its operator was in it purely for the exit strategy, planning to compromise “a few thousand machines” and then sell these off “in big batches”. It turns out that the botmaster was looking at a going rate of anywhere between 7.5p and 17.5p per compromised computer, and had sold one batch of 10,000 machines for £560.
It doesn’t take a genius to work out that you could run a fairly effective botnet with a base of 10,000 machines, allowing for the fact that not all of them will be available at any given time. Indeed, even at the relatively modest rents of the underground market today, it would be possible to see a return on such a modest investment within a week.
Interesting, but...
Not that I'm in the market (!) but I find it hard to understand what "renting out a botnet for 24 hours for just £44.85" or "£5.99 per hour" actually buys you. Is that a botnet of 10 machines or 10 million? Kinda hard to get a feel for things without a bit of context.
By budchawla on 23 Sep 2010
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

