Inside The Booming Botnet Industry

Published: 22/11/2024   Category: security




Going rate for infecting 1,000 unique PCs? Up to $180 in the United States, or $7 or $8 in Asia. The pay-per-install malware business thrives.



When running a botnet, attrition is constant, as security software on PCs finds and eliminates the malicious code that turned the PC into a botnet node. Accordingly, many botmasters outsource infections to what's known as pay-per-install (PPI) service providers. Going rates for infecting 1,000 unique PCs with malware range from up to $180 in the United States and Great Britain, from $20 to $160 for other parts of Europe, down to just $7 or $8 in parts of Asia.
Those findings come from a study presented at August's USENIX Security Symposium in San Francisco. The investigation into the commoditization of malware distribution was conducted by security researchers at IMDEA (the Madrid Institute for Advanced Studies), the International Computer Science Institute, and the University of California, Berkeley.
Multiple security researchers have infiltrated black market forums and recorded PPI pricing. Others have conducted a top-down analysis of the PPI industry by becoming affiliates of services. But for this new study, the researchers said they were the first to take a bottom-up approach, studying the PPI ecosystem as seen from the perspective of the downloads pushed out by PPI services down to their victims.
Their research, conducted from August 2010 to February 2011, started by infiltrating four PPI services--LoaderAdv, GoldInstall, Virut, and Zlob--and gathering the malware executables they distributed to their affiliates, which infect PCs for the PPI provider. Along the way, the researchers said they harvested over a million client executables using vantage points spread across 15 countries. Based on a study of 313,791 binary files captured in a one-month period, they found that 12 of the world's 20 most prevalent malware families rely on the PPI industry for distribution.
The researchers also found clear distinctions between the PPI industry--which uses silent installs to gain access to PCs, install a downloader, and push malicious applications--and botmasters, who use the malware to control the PC via command-and-control (C&C) servers. (Some botmasters, however, also serve as PPI affiliates.)
Interestingly, PPI providers repack--as in, recompile--their downloaders on average every 11 days, although one service did it twice per day. Repacking generates a new piece of software, which helps the downloader software evade signature-based security defenses, at least until the security vendor spots the new malware and creates a new MD5 hash signature for its detection engine.
Some PPI providers, such as Zlob, also offer a Web service that allows affiliates to repack downloaders on demand. According to the researchers, "we requested the downloader for a single affiliate 27 consecutive times, resulting in 27 distinct, working Zlob binaries with identical sizes but differing MD5 hashes."
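To make concrete why repacking defeats an MD5 signature yet leaves a content-similarity signature intact, here is an added illustration that is not from the study or the article: the "binaries" are constructed byte blobs, and a repack is simulated by patching a handful of bytes so that, as with the Zlob samples, size stays identical while the hash changes.

```python
import hashlib
import random

SIZE = 1024  # every constructed "binary" has the same length, like the Zlob repacks

def random_blob(seed, size=SIZE):
    # Deterministic pseudo-random filler standing in for a downloader image (constructed).
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))

def simulate_repacks(base, count, seed=1, patched_bytes=16):
    # Constructed stand-in for repacking: each variant changes a few bytes
    # (think an embedded key or nonce) but keeps the same size.
    rng = random.Random(seed)
    variants = []
    for _ in range(count):
        body = bytearray(base)
        for pos in rng.sample(range(len(body)), patched_bytes):
            body[pos] = (body[pos] + 1 + rng.randrange(255)) % 256  # guaranteed to differ
        variants.append(bytes(body))
    return variants

def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()

def blocklist_hits(blocklist, samples):
    # Exact-hash signature: counts samples whose MD5 is on the blocklist.
    return sum(md5_hex(s) in blocklist for s in samples)

def ngrams(blob, n=8):
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}

def jaccard(a, b, n=8):
    # Byte n-gram overlap: 1.0 for identical files, close to 0.0 for unrelated ones.
    sa, sb = ngrams(a, n), ngrams(b, n)
    return len(sa & sb) / len(sa | sb)

def similarity_hits(known, samples, threshold=0.5):
    # Content-similarity signature: counts samples that still resemble a known one.
    return sum(jaccard(known, s) >= threshold for s in samples)

if __name__ == "__main__":
    base = random_blob(seed=0)
    repacks = simulate_repacks(base, count=27)  # mirrors the 27 on-demand requests
    unrelated = random_blob(seed=99)
    print("distinct MD5s:", len({md5_hex(r) for r in repacks}), "of", len(repacks))
    print("MD5 blocklist catches:", blocklist_hits({md5_hex(repacks[0])}, repacks))
    print("similarity catches:", similarity_hits(repacks[0], repacks))
    print("unrelated file similarity:", round(jaccard(repacks[0], unrelated), 3))
```

One hash on a blocklist catches exactly one of the 27 variants, while the n-gram similarity check, keyed on the unchanged bulk of the file, catches all of them without flagging an unrelated file.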
What happens after a unique PC has been infected and pressed into botnet service? Botmasters might push new malware. They might also activate or download keystroke loggers that harvest sensitive data, including bank account numbers and passwords, from the infected PC. Likewise, the infected computer can be turned into a spam relay, or used to launch distributed denial-of-service attacks against targeted websites.
While many anti-botnet efforts to date have focused on taking down botnets and arresting botmasters, the researchers suggested also targeting the PPI service industry, since it provides a quick restart option for anyone whose botnet gets busted.
"Even if defenders can completely clean up a botnet (as opposed to merely severing its C&C master servers), the botmaster could return to business-as-usual through modest payments to one or more PPI services," the researchers said. "Given that multiple malware authors share use of the same PPI services, and that the number of PPI services seems to be significantly smaller than the number of malware families, PPI services are good targets for future takedown efforts."
The new research comes with a cost. Namely, expect the PPI industry to attempt to block similar studies in the future. "In particular, we expect PPI services to harden their C&C protocols with more robust use of cryptographic techniques and incorporation of anti-virtualization and triggering mechanisms to increasingly hamper dynamic analysis," the researchers said.