News

Researchers Discover Online Botnet Market

• By William Jackson
• June 17, 2009

Researchers at Finjan Software Inc. have discovered a professional network for buying and selling botnets anywhere in the world.

Although the selling of networks of infected computers for use by online criminals is not new, the Golden Cash network provides a comprehensive platform for buyers and sellers and a malicious toolkit for partners who want to profit by infecting more computers.

Finjan marketing director Ophir Shalitin called it "a new milestone in botnet trading."

"It's a one-stop shop," Shalitin added. It's "the eBay of botnet trading."

The infected networks are being bought for prices ranging from $5 to $100 for 100 computers and resold -- sometimes multiple times -- at prices from $25 to $500 for 1,000 computers.

The discovery was announced today in the Cybercrime Intelligence Report from Finjan's Malicious Code Research Center. Although the proxy server for the system and many of the URLs it links to appear to be in Russia, the actual location of the platform is not known, Shalitin said. But it seems to be operating safely.

"It has probably been running for quite a few months," he said. "We found records from last year."

Botnets are networks of computers infected with malicious code controlled by remote servers. Operators of the control servers can upload additional malicious code to infected machines and issue commands to execute attacks, infect yet more computers, and harvest information that can be sold on underground markets.

The botnets themselves can be valuable commodities, and the sophisticated Golden Cash platform represents another evolution in the commercialization of hacking.

"Cyber criminals keep on looking for improved methods to generate profit," said Yuval Ben-Itzhak, Finjan's chief technology officer. "In addition to stealing data and selling them on, they now also trade compromised PCs to as many buyers, sellers and partners as possible. Looking at the list of compromised PCs we found, it is clear that no individual, corporate or governmental PC is safe."

In stilted, misspelled English, the Golden Cash home page brags that it is not just another pay-per-install program: "It is the company that won big part of the market, but not in public."

It offers a partner program in which it supplies an exploit toolkit with obfuscated code and the Trojan Zalupko. The partner is recruited to inject the malicious iframe into a legitimate Web site, directing unsuspecting visitors to a server that infects the PCs. The malicious code also uses the infected PCs to harvest FTP credentials for legitimate Web sites, giving Golden Cash access to more Web servers to continue expanding.

The price paid for infected computers varies by geographic location depending on supply and demand. Australian computers command the highest prices from Golden Cash at $100 per 1,000. Computers in Hong Kong, China, Japan, Korea and other Asian countries bring only $5 per 1,000. One thousand computers in the United States bring $50 and in the United Kingdom, $60.

Golden Cash then sells the computers at up to 400 percent profit. Australian computers go for $500 per 1,000, Asian computers for $25, U.S. computers for $120 and U.K. computers for $250.

Golden Cash allows its partners to work for multiple networks. "You can make installs for us even if you install another pay-per-install program, our soft [sic] won't conflicate [sic] with it," the Web site states. Payments are made by WebMoney, Fethard, e-gold, Western Union, wire transfer and other systems.

After a buyer places an order and is provided with bots, the Golden Cash server is notified when the buyer's malicious code has been installed and the buyer's account is then charged for the purchase. The infected computers can go back into the pool to be offered to other buyers.

Shalitin called the infection and exploitation of computers part of a vicious, never-ending cycle in which hackers and criminals constantly search for new vulnerabilities to exploit and build automated tools to take advantage of multiple vulnerabilities.

"This is easy to do, and the business model is lucrative for criminals," he said. "It's a sort of arms race. The attackers work hard at improving their toolkits. The cycle always continues."