Kaspersky Lab, a leading developer of secure content management solutions, presents a new analytical article by antivirus analyst Yury Namestnikov. The article, entitled “The Economics of Botnets,” discusses the various applications of zombie networks.
A botnet or zombie network is a network that consists of computers infected by malicious software which allows cybercriminals to control infected machines remotely without the users’ knowledge. Infected computers are controlled by the botnet’s command & control center, which connects to bots via IRC channels, web connections or any other available means. For a botnet to begin making money for its creator, it is sufficient to organize a few dozen machines into a network. The revenue generated by a botnet is directly proportional to its stability and its growth rate.
Botnet owners’ sources of income include DDoS attacks, theft of confidential information, spam, phishing, search engine spam, click fraud and distribution of malware and adware. All of these activities are profitable, and the botnet can perform all of them at the same time.
A botnet is an ideal tool for carrying out a DDoS attack. Such attacks can be used as an instrument of unfair competition or be manifestations of cyberterrorism. Adverts for organization of DDoS attacks are openly displayed on many user forums. In 2008 alone, about 190,000 DDoS attacks were carried out, ‘earning’ cybercriminals about $20 million.
Confidential information stored on users’ computers can also be targeted by botnet owners. The most valuable data includes credit card numbers, financial information and passwords to various services, such as email, FTP, IM systems etc. Cybercriminals are also interested in accounts for various paid services and online stores. Personal data not directly related to users’ finances is of interest to cybercriminals who forge documents, open fake bank accounts, conduct illegal transactions etc.
The cost of stolen personal data is directly dependent on the country of its legal owner’s residence. For example, a complete set of data on a US resident costs $5 to $8. EU resident data is particularly valued on the black market and is two or three times more expensive than data for US and Canadian residents.
New phishing sites are now mass-produced by cybercriminals, with botnets used to protect sites from closure. Zombie networks provide fast flux technology, which allows cybercriminals to change website IP addresses every few minutes without affecting the domain name. This extends the lifetime of phishing sites, making it hard to detect them and take them offline. The technology involves using people’s home computers that are part of a botnet as web servers with phishing content. The income from phishing is comparable to that from the theft of confidential data using malicious programs, and adds up to millions of dollars per year.
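The fast flux behaviour described above is visible from the defender's side in DNS data: one phishing name answering with many different bot addresses, spread across many networks, with short TTLs. The following is an added example, not code from Kaspersky Lab or the article, that scores DNS observations for that churn. The observations, the /16-based network grouping, and the weights and thresholds are all this example's own assumptions; a real deployment would map addresses to ASNs and tune the thresholds against known-good domains, since CDNs also rotate short-TTL records.

```python
"""Heuristic fast-flux detection over passive-DNS style observations.

Fast-flux hosting rotates a phishing domain's A records through many bot
IP addresses with short TTLs. On the defender's side this shows up in DNS
data as many distinct IPs for one name, spread across many networks, with
low TTLs. This example scores that churn per domain name.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    """One observed A-record answer: time, queried name, answered IPs, TTL."""
    ts: int          # observation time in seconds (relative, for the sample)
    name: str
    ips: tuple       # IPv4 addresses from the answer section
    ttl: int         # TTL of the A records in seconds


# Constructed sample observations (TEST-NET addresses, not real data): one
# domain that behaves like a fast-flux phishing host and one ordinary site
# that keeps a small, stable set of addresses with a long TTL.
SAMPLE = [
    DnsObservation(0,    "login-example-bank.test", ("198.51.100.7", "203.0.113.9"), 180),
    DnsObservation(300,  "login-example-bank.test", ("192.0.2.44", "198.51.100.88"), 180),
    DnsObservation(600,  "login-example-bank.test", ("203.0.113.120", "192.0.2.200"), 180),
    DnsObservation(900,  "login-example-bank.test", ("198.51.100.150", "203.0.113.201"), 180),
    DnsObservation(0,    "www.example.test", ("192.0.2.10", "192.0.2.11"), 3600),
    DnsObservation(3600, "www.example.test", ("192.0.2.10", "192.0.2.11"), 3600),
    DnsObservation(7200, "www.example.test", ("192.0.2.11", "192.0.2.10"), 3600),
]

# Assumed thresholds and weights for this example; tune against your own
# baseline of known-good domains (CDNs also use short TTLs and many IPs).
LOW_TTL_SECONDS = 300
FLUX_THRESHOLD = 6.0


def summarize(observations):
    """Collapse observations into per-name sets of IPs, /16 networks and TTLs."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for obs in observations:
        entry = per_name[obs.name]
        for ip in obs.ips:
            entry["ips"].add(ip)
            # /16 as a crude stand-in for "different network"; a real
            # deployment would map each IP to its ASN instead.
            entry["nets"].add(ip_network(f"{ip}/16", strict=False))
        entry["ttls"].append(obs.ttl)
    return per_name


def flux_score(entry):
    """Score one name: short TTL, many IPs and many networks all add to it."""
    mean_ttl = sum(entry["ttls"]) / len(entry["ttls"])
    score = 2.0 if mean_ttl <= LOW_TTL_SECONDS else 0.0
    score += 0.5 * len(entry["ips"])     # address diversity
    score += 1.0 * len(entry["nets"])    # network diversity
    return score


def classify(observations, threshold=FLUX_THRESHOLD):
    """Return {name: (score, flagged)} for every name in the observations."""
    result = {}
    for name, entry in summarize(observations).items():
        score = flux_score(entry)
        result[name] = (score, score >= threshold)
    return result


if __name__ == "__main__":
    for name, (score, flagged) in classify(SAMPLE).items():
        print(f"{name:28s} score={score:.1f} fast-flux={'yes' if flagged else 'no'}")
```

On the constructed sample the phishing-style name accumulates eight distinct addresses across three /16 networks with a 180-second TTL and is flagged, while the ordinary site with two stable addresses and an hour-long TTL is not. Fed with real passive-DNS records, the same summarisation gives a takedown team the list of bot addresses currently serving the phishing content, which is what makes fast flux hard to take offline by blocking a single host.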
According to Kaspersky Lab data, about 80% of all spam is sent via zombie networks. In the past year, spammers made about $780 million by sending messages.
Another application for botnets is search engine optimization (SEO). Webmasters use SEO to improve their websites’ positions in search results: the higher a site ranks, the more visitors reach it via search engines.
Resources provided by zombie networks can also be used to distribute adware and malicious programs. Many companies that offer online advertising services pay for each installation of their software. Cybercriminals who distribute malicious programs often use the same approach, paying for each malware installation. This type of cooperation between cybercriminals is called an ‘affiliate network’. Online advertising agencies that use the PPC (Pay-Per-Click) scheme pay for unique clicks on adverts. Botnet owners can make significant amounts of money by defrauding such companies. About 17% of all advertising link clicks in 2008 were fake, and a third of those were generated by botnets.
The article’s author makes the important comment that keeping a botnet afloat, ensuring a steady inflow of new zombie computers, protecting bots from being detected by antivirus products and keeping the C&C from being located requires both financial and time investment from the hacker. Because of this, active botnets are often leased out or sold.
At present, the most effective method of combating botnets is close cooperation between antivirus experts, ISPs and law enforcement agencies. Such cooperation has already resulted in the closure of three companies: EstDomains, Atrivo and McColo. Note that the closure of McColo, whose servers hosted command and control centers for several major spam botnets, resulted in a 50% reduction in the amount of spam circulating on the Internet.
Experts follow the activity of thousands of botnets, and antivirus products detect and destroy bots across the globe, but only law enforcement agencies can shut down the command and control centers and catch the cybercriminals, thereby ‘putting out’ botnets for extended periods of time. However, without help from users, combating botnets cannot be effective, because it is home computers that make up the lion’s share of the enormous army of bots. Users should follow simple security rules, such as using antivirus software, choosing strong account passwords and disabling the AutoPlay feature for removable media.
The full version of the article is available on www.viruslist.com.
This material can be reproduced provided the author, company name and original source are cited. Reproduction of this material in re-written form requires the express consent of the Kaspersky Lab PR department.