Security researchers unpick botnet economics

The economics of botnets and the sale of stolen information in underground bazaars have been detailed in greater depth then ever before in new research from Kasperky Lab.

Infecting PCs with strains of malware that leave them open to remote control by hackers has been the mainstay of various forms of cybercrime - spamming, identity theft and distributed denial of service attacks - for some years. Kaspersky's research highlights the asking price for a variety of criminal services rather then uncovering anything new, but is nonetheless valuable in shining a light on the financial motivations that nowadays lie behind many internet security and privacy-related threats.

The paper - The Economics of Botnets - also charts the evolution from centrally controlled systems with a single C&C towards far more sophisticated and distributed systems with decentralized control, which are far more difficult to shut down. Botnets are established by distributing backdoor code, often using drive-by download attacks via compromised websites, or rented via underground forums.

Once acquired, a would-be cybercrook has multiple potential sources of income: DDoS attacks, theft of private information, spam, phishing, SEO (Search Engine Optimisation) spam, click fraud and distributing adware. Not that there's any need to be selective. "A botnet can perform all of these activities… at the same time," notes Kaspersky researcher Yury Namestnikov.

Namestnikov sketches out the potential financial rewards from running a botnet, as summarised below:

• Hiring a botnet for DDoS attacks can cost anything between $50 to thousands of dollars for a 24-hour attack, depending on how big and well-protected the victim site happens to be. According to shadowserver.org, around 190,000 DDoS attacks took place in 2008, earning cybercrooks an estimated $20m.
• Stolen bank account details fetch between $1 to $1,500 depending on account balances and other factors. "The low minimum price demonstrates that the cybercriminals involved in this business have to reduce their prices due to competition," Namestnikov writes.
• Personal data sufficient to open bank accounts under false names costs between $5 to $8 for a US citizen, or three times this amount for a EU citizen, largely because such data can be used across Europe.
• Phisher fraudsters are prepared to pay between $1,000 to $2,000 per month to rent access to a fast flux botnet.
• Junk mail runs cost between $70 for a few thousand spam messages to around $1,000 for tens of millions of spam messages.
• Search engine manipulating spam costs about $300 per month.
• Adware installs rake in anything from 30 cents to $1.50 for each installed program. The average price of dropping a malicious program on a thousand computers in China is $3, compared to $120 for the same set of machines in the (obviously more affluent) US.

Namestnikov said that only co-ordinated enforcement actions by the IT industry, government and law enforcement - alongside greater attention to internet hygiene among end users - can hope to bring the cybercrime problem under control.

"The most effective method of combating botnets is close cooperation between antivirus experts, ISPs and law enforcement agencies," Namestnikov concludes. "Such cooperation has already resulted in the closure of three companies: EstDomains, Atrivo and McColo. Note that the closure of McColo, whose servers hosted command and control centres for several major spam botnets, resulted in a 50 per cent reduction in the amount of spam circulating on the Internet."

"After botnet owners moved their command and control centres to other hosting providers, it was ‘business as usual’ for them again. What is needed is a continual effort rather than occasional inspections. Sadly, chopping off one head of the hydra is not enough!"

The fight against botnets is hopeless without users playing a part, Namestnikov argues in a call for wider application of common-sense measures against hacker attacks.

"It is home computers that make up the lion’s share of the enormous army of bots," he writes. "Neglecting to stick to simple security rules, such as using antivirus software, using strong account passwords and disabling the AutoPlay feature for removable media, can result in your computer becoming another botnet member, providing cybercriminals with your data and resources." ®