Botmaster: It's All About Infecting, Selling Big Batches of Bots
Undercover Cisco researcher told the going rate for a single bot is 10- to 25 cents
August 20, 2009
Researchers at Cisco recently got a rare glimpse of the inner workings of the botnet underworld after going undercover and meeting an actual botmaster online: the botmaster, who ran a botnet that had infected dozens of machines at a Cisco customer site, said his main job is to compromise a few thousand machines and then sell them off in bulk.
He told a Cisco researcher posing as a fellow botmaster that the market rate for a bot is between 10 cents to 25 cents per machine, and that he recently made $800 off of a sale of 10,000 bots.
But that rate is likely a moving target, says Joe Dallatore, senior manager in Cisco's security research and operations group. "At this point we have a snapshot [in time]" of the botnet market rate, Dallatore says. "There is an economy for these things, and it changes over time this is a form of commerce, with supply and demand."
And the botmaster isn't out to perform identity theft -- just bot-brokering. "He was not in the business of using information [on the bots]. Just in creating bots and selling them to someone else," Dallatore says.
Cisco decided to go undercover and learn more about the botnet market after cleaning up infected machines at their customer's site. "This gave us an opportunity to learn what motivated" the botmaster, Dallatore says.
Posing as a botmaster -- and later a security reporter -- a Cisco researcher engaged in an IRC chat conversation with the botmaster, and later, several MSN chat sessions over a period of months.
The botmaster told the undercover researcher that he didn't focus on exploiting vulnerabilities when going after prospective bots. Instead, he mostly used social engineering via instant messages. He can spam 10,000 users with a lure like a "check this out"-type link and get a one percent or better response rate, he said.
He also said he knew someone who made $5,000 to $10,000 per week through phishing attacks.
The botmaster also shed light on the dog-eat-dog world of cybercrime. He said he once used a stolen account and impersonated a law enforcement official in order to chase another botmaster away from his 6,000 node botnet. And there are different levels of expertise in the bot world, too: only 20 percent of botmasters actually understand the bot code they get via online forums, and about three- to five percent write their own botnet code, he said.
He also pointed the undercover researcher to a massive botnet forum that included discussions, source code, botnet supplies such as file hosting accounts, packers, password lists, and password stealers.
"Anyone with basic computer experience is able to run a botnet. It is not necessary to understand the code, nor is there a need to understand networking," according to a report by Cisco on the botmaster conversations.
Although the researchers learned via some outside research that the botmaster they were communicating with was a prolific author of IRC-based botnet software and was well-known among the underground, his botnet had a hole. Cisco was able to block his bot update servers because they had been left unprotected. He didn't bother encrypting botnet traffic, either.
Cisco's Dallatore says his researchers' revealing communications with the botmaster should serve as a warning to enterprises that their computing resources are valuable to the bad guys. "It's important for enterprises to do what they can to prevent becoming an inadvertent engine in someone else's commerce," he says. "And they may be traced back as a source of an attack."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like