Botnets For Rent: Explained

The Iranian Cyber Army has been making news with its decision to sell access to its botnet. This raises a lot of questions. Here are some answers:

How much does it cost usually to rent a botnet? What are the factors involved in price?

Bots are used for a very large variety of purposes, so it's difficult to pinpoint a price. The work of growing and maintaining a botnet has become just another profession in the hacker supply chain of the growing hacking industry. Similar to market competition in the real world, botnet growers are competing to provide their service, which means that prices are falling. There are different aspects which are taken into account when pricing botnet hire:

  • Size of a botnet
  • Type of attack (e.g. spam, DDoS, cred-fetching)
  • Target (military, private organisations, targeted or widespread)
  • Geo-location (targeted country, organisation and even language considerations)
  • Length of attack (one hour of spam, three-day DDoS attack or a monthly membership for phishing sites)
Although a rental is based on a multitude of factors, to give some ballpark figures for some of the more common ‘services’:

  • A 24-hour DDoS attack can be anything from a mere $50 to several thousand dollars for a larger network attack
  • Spamming a million emails, given a list, ranges between $150-$200
  • A monthly membership for phishing sites is roughly $2,000.

Does this move by the ICA surprise you? How common is it for people to build botnets and then sell them off?

No, the move by the ICA is not surprising. Cyber-criminals, just like all criminals, seek different sources of revenue. Botnet growers are continuously advertising their services. What is interesting in the case of ICA is that they were the ones performing the attack. From their point of view, most of their attacks were politically motivated. But they seem to have asked themselves: Why can’t we make extra on the side with our infrastructure? These so-called ‘ideologists’ could be re-investing proceeds from ‘commercial’ operations to their political objectives and proceed with other attacks as well as further develop other cyber attack resources.

From a security standpoint, does this activity make botnet detection easier or harder? If people are selling groups of bots, doesn’t that mean you can stop multiple groups by disrupting the group selling the bots?

A. In general, this activity doesn’t impact the detection of botnets. Why? Many of the command and control servers use fast-flux technology, where the server constantly changes, so it is harder to find the ‘brain’ behind the zombies and take it down.
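The fast-flux behaviour described above shows up in resolver logs as a name whose A records churn across many addresses and networks with short TTLs. The following is an added example (not from the interview or Imperva) of a defender-side heuristic run over a constructed log sample; the log format, domain names and thresholds are assumptions for illustration.

```python
"""Flag fast-flux-style domains from resolver log lines (constructed sample)."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample log: "<epoch> <qname> A <answer_ip> ttl=<seconds>".
# All names and addresses are invented for this example.
SAMPLE_LOG = """\
1700000000 cdn.example-good.test A 198.51.100.10 ttl=3600
1700000600 cdn.example-good.test A 198.51.100.10 ttl=3600
1700001200 cdn.example-good.test A 198.51.100.11 ttl=3600
1700000000 update.flux-example.test A 203.0.113.5 ttl=120
1700000120 update.flux-example.test A 192.0.2.77 ttl=120
1700000240 update.flux-example.test A 198.18.4.9 ttl=90
1700000360 update.flux-example.test A 203.0.113.200 ttl=120
1700000480 update.flux-example.test A 192.0.2.130 ttl=60
1700000600 update.flux-example.test A 198.19.250.3 ttl=120
"""

def parse_log(text):
    """Return {qname: [(ip, ttl), ...]} from the assumed log format above."""
    answers = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue  # skip malformed lines and non-A records
        qname, ip, ttl = parts[1], parts[3], int(parts[4].split("=", 1)[1])
        answers[qname].append((ip, ttl))
    return answers

def flux_score(records, min_ips=5, max_ttl=300, min_nets=3):
    """Heuristic: many distinct IPs spread over distinct /16 networks, low TTLs.
    A single CDN usually answers from one or two networks with long TTLs."""
    ips = {ip for ip, _ in records}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    ttl = statistics.median(t for _, t in records)
    return {"ips": len(ips), "nets": len(nets), "median_ttl": ttl,
            "flux": len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_ttl}

def find_fast_flux(text):
    """Score every queried name in the log; 'flux' marks candidates for review."""
    return {q: flux_score(r) for q, r in parse_log(text).items()}

if __name__ == "__main__":
    for name, score in find_fast_flux(SAMPLE_LOG).items():
        print(name, score)
```

Thresholds are deliberately conservative; in practice the /16 proxy should be replaced by ASN lookups, and flagged names reviewed rather than blocked automatically.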

B. Advertising underground services carries risks of discovery. For example, a criminal in the real-world advertising fake Rolexes: that individual runs the risk of selling to an undercover cop. Similarly a criminal selling illegally obtained online credentials to some Facebook account runs the risk of the forum being tapped into by some authority. Yet these criminal acts proliferate since hackers are not stupid. They use different evasion techniques, secret forums and even a reputation-based system in order to avoid being detected.

Some say that smaller botnets are a bigger problem than the larger spamming botnets because the smaller ones tend to be targeted and seek to stay under the radar. Do you agree that that is the case, and is this related to the trend of people selling off portions of botnets?

It doesn’t make a difference. Why? A botnet grower has a large number of computers under his/her control (zombies). He/she rents a certain number of these zombies for different purposes. Each of these rentals together provide a botnet. So botnets range in size but ultimately they can be sourced to the grower. So criminals are not selling portions of their botnet, rather they are renting portions of the computers under their control according to the needs and requirements of the attack requestor.


Noa Bar-Yosef is a senior security researcher with the Imperva Application Defense Center. She conducts research on database and Web application vulnerabilities. Previously, she has held TA positions in courses on programming and network security at Tel Aviv University and Open University. She has also been a software engineer with educational software vendor Sunburst Technology. Noa holds a Master of Science degree (specialising in information security) from Tel-Aviv University, School of Computer Science and a Bachelor of Science degree from The Hebrew University, School of Computer Science. During her work at Imperva Noa has discovered multiple vulnerabilities in various commercial applications and worked with software vendors on their resolution. Noa has also presented at a number of conferences including Infosec Canada (2008) and SECRYPT 2007 (Spain).