"Botnet for hire." Google that phrase and you'll get plenty of hits. Most of them will be articles in online magazines or whitepapers from security firms or students. You may even find a post or two on forums from someone who claims to be looking to hire one or someone with one to rent.
What you won't easily find, however, is someone who really has a botnet for hire or how much it will cost. That's because there really is an international Internet underworld, and chances are, unless you're a criminal, researcher, or officer of the law, you're not part of it. Just like any big city, the Internet has bad parts of town that are best avoided by law abiding citizens.
And if you're looking to learn more about how bots and botnets work (and how you can protect yourself), browse this video tutorial Internet Evolution has just posted.
Are you protected against bots? Check out
IE's botnet video tutorial
Although the prima facie evidence of botnet pricing is limited and sometimes contradictory, it all points to a growth business. The largest botnets are by now well known and old news. Storm and Kraken activity over the past several days can even be observed spreading and operating in this nifty little animation.
These enormous botnets are high-quality service providers for shady business. It is rumored that a Storm-style botnet can be purchased turnkey for approximately $100,000 and rented for as little as $100 per hour. At the lower end of the spectrum you'll find a kid renting out his small bot army for designer athletic wear! He got sentenced to five years... and the fancy sportswear turned out to be counterfeit. Stay in school, kids.
So who's buying what from these new C2C (Criminal-to-Criminal) business services? What exactly do you rent a botnet for? Spam distribution tops the shopping list -- most spam now comes from botnets. Legitimate business email pathways are heavily filtered from end to end. What's a spammer to do? A botnet can turn any computer into a mail server or even distribute the mailing across thousands of computers so that the mail appears to come from legitimate addresses. This can be pretty effective, and spammers are willing to pay for it.
Also for sale are dedicated denial-of-service (DDoS) attacks -- tiny compared to Storm or Kraken, either of which have enough firepower to take a small country off the Internet. DDoS attacks usually fall into two categories: extortion (pay me or I'll take your betting site off line during the World Cup); and damaging competitors (if I take your site down, more will come to mine).
Also for sale is pay-for-ad-clicking. That's right, if you pay the wrong media company to run a pay-per-click ad banner campaign for you they might rent time on a "Clickbot" style botnet that clicks your ad and inflates your fees.
Botnets are also a great way to install adware or spyware. I once witnessed the formation of a 20,000+ botnet that appeared to have been created for that single purpose. Once the adware was installed the botnet evaporated within hours.
Botnets have evolved into a mature service industry. Sometimes the benefactor of the services isn't even really aware that a botnet will be used to fulfill their requirements. Rather, they've hired a middle man, perhaps unknowingly. What's clear to me is that botnet technology is being actively developed and has matured in terms of both competition and funding. It continues to evolve into a robust platform for the black and gray cyber-crime marketplace, and, in my opinion, it's probably the single greatest information security threat to both corporate and home users.
— Gideon J. Lenkey, co-founder of Ra Security Systems
This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts.
Digg
Del.icio.us
Reddit
Email This
TWEET THIS
