Botnets. General concepts, classification, and monetization of botnets.

Lord777


General concepts

From a linguistic point of view, the word "botnet" includes two words: "robot" and "network".

A botnet is a collection of systems infected with malicious code and administered centrally. In other words, a network of computers that are controlled remotely by intruders.

Very often, botnets cannot be detected by antivirus programs, and victims often do not even know that they are an active part of a hidden network.

The botnet should function in such a way that even if you destroy or disable a decent number of nodes, its overall performance will not be affected.

Our goal is to earn money. And we will consider botnets and everything related to them based on this.

Each infected computer / device on the network plays a role and acts as a "bot", and is controlled by a single decision-making center (bot driver) to perform various actions secretly from the owner of the computer/device.

It is noteworthy that the technology itself was originally developed for good purposes. Bots served as an auxiliary software tool for performing monotonous non-criminal and repetitive tasks, as well as for automating them. Over time, however, inquisitive and enterprising minds quickly figured out what was going on, and began using botnets for their own harmful purposes, generating profits.

Since the days when bots played only the role of assistants, a lot of water has flowed. Software for implementing, controlling, and ensuring the smooth operation of botnets has made great strides.

At the moment, botnets can implement various attack methods, working simultaneously across many directories and verticals.

It probably won't be a surprise to you that our industry is quite heavily segmented in terms of specializations and areas. This means that everyone here is doing their own thing. You can observe how one person (or group) produces cardboard, others sell it, others drive it in, others send the goods they drive in, others sell it, etc.

A similar division into specializations exists in bot breeding. Thus, the coder sells the source code, and the source buyer sells the resources or services of the botnet to other users. The latter, in turn, are end users or sell the product they created further, in the same way as the previous ones.

The average service life of botnets is put by "experts" at anywhere from several months to several years. At the same time, maintaining a botnet for a long time is not always equally useful and profitable, but we will talk about this in the following articles.

By targeting the market, botnet creators often create the most favorable conditions for their customers.
For example, the botnet management interface (admin panel) is quite simple in most cases. It doesn't require any special knowledge or skills to work with it.

This is where Malware as a Service also originates.

If you are not a coder and cannot create / distribute your own botnet, please contact vendors who will do all of the above for a certain fee.

In most countries (developed and developing) they actively fight against botnets.

Of course, this is carefully kept silent, but, in reality, the special services use exactly the same methods and technologies for their own purposes.

Such a nice neighborhood is beneficial for both sides, so you don't often hear about the elimination of serious botnets. Balance of interests, you know.

Technological structure of botnets

A typical botnet structure usually takes one of the following forms: a client-server model or a peer-to-peer model (P2P), also called a peer-to-peer network.

In the botnet structure implemented in the client-server model, a basic network is created in which one server acts as the main botmaster.

The botmaster server is designed to control the transfer of data from each infected client, to issue commands, and to control client devices.

In the case of the client-server model, the operation of the system is achieved through special software that makes it possible to achieve and maintain constant control over infected devices.

However, this model has several significant drawbacks.

The main thing is that it can be easily detected.

The reason is that there is only one control point in this model. If the server is destroyed, the botnet crashes.

In other words, we have a lot of infected devices that all ping and constantly access one specific server.

As you can guess, the question of detecting such a network by an edge is not worth it in principle.
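The post's own point is that in the client-server model many infected hosts keep contacting one server at regular intervals, and that is exactly the pattern a defender looks for. The following Python example is an added illustration, not code from the post: it flags destinations that several internal hosts contact at near-constant intervals. The log format, addresses and thresholds are constructed assumptions.

```python
"""Detect many internal hosts beaconing to one destination at regular intervals.

Added illustration for the client-server section of the post; not the post's code.
The log lines, addresses and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection records: "timestamp src dst:port".
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.11 203.0.113.5:443
2024-05-01T10:00:05 10.0.0.11 198.51.100.20:443
2024-05-01T10:05:00 10.0.0.11 203.0.113.5:443
2024-05-01T10:10:00 10.0.0.11 203.0.113.5:443
2024-05-01T10:15:00 10.0.0.11 203.0.113.5:443
2024-05-01T10:00:30 10.0.0.12 203.0.113.5:443
2024-05-01T10:05:30 10.0.0.12 203.0.113.5:443
2024-05-01T10:10:30 10.0.0.12 203.0.113.5:443
2024-05-01T10:15:30 10.0.0.12 203.0.113.5:443
2024-05-01T10:01:00 10.0.0.13 203.0.113.5:443
2024-05-01T10:06:00 10.0.0.13 203.0.113.5:443
2024-05-01T10:11:00 10.0.0.13 203.0.113.5:443
2024-05-01T10:16:00 10.0.0.13 203.0.113.5:443
2024-05-01T10:02:00 10.0.0.14 198.51.100.20:443
2024-05-01T10:02:40 10.0.0.14 198.51.100.20:443
2024-05-01T10:09:10 10.0.0.14 198.51.100.20:443
2024-05-01T10:21:55 10.0.0.14 198.51.100.20:443
"""


def parse_log(text):
    """Return {(src, dst): [timestamps sorted ascending]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in flows.items()}


def is_regular(times, min_hits=4, max_cv=0.2):
    """A flow is beacon-like when it has enough hits and its inter-arrival
    gaps are nearly constant (coefficient of variation <= max_cv)."""
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def suspected_c2(text, min_sources=3):
    """Destinations that several distinct internal hosts beacon to regularly.
    Returns {dst: sorted list of beaconing sources}."""
    by_dst = defaultdict(list)
    for (src, dst), times in parse_log(text).items():
        if is_regular(times):
            by_dst[dst].append(src)
    return {d: sorted(s) for d, s in by_dst.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for dst, srcs in suspected_c2(SAMPLE_LOG).items():
        print(f"{dst}: {len(srcs)} hosts beaconing -> {', '.join(srcs)}")
```

On the constructed sample only 203.0.113.5:443 is flagged; the irregular contacts of 10.0.0.14 to 198.51.100.20 are ignored, which is the kind of noise a jittered or P2P design would hide behind.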

This is rather an archaic architecture, which is currently not used by serious botnets. Well, except in white, legitimate software.

At least, I don't know of any such botnets that are even minimally noticeable and of at least some significance.

Of course, there are a lot of small crafts, all sorts of script-kiddie-level botnets (and this, by the way, is the majority of those offered on the market). But, ideally, it is better to stay away from this garbage.

Our goal is a really cool botnet. And not just with a clear name, but with a powerful filling and a serious profit. And this is never "client-server". Believe me.

More precisely, I will say this: yes, you can do something, in principle, working through C&C, but this is a failed approach in advance. If we're going into space, of course.

If our task is to make another tenacious botnet that can be dropped at any time, then we can also use a “client-server”.

As for the peer-to-peer model (P2P, peer-to-peer), everything is much more interesting here.

All modern and, I emphasize, serious botnets are built on this model.

Working with a single centralized monitoring server is a big drawback.

This disadvantage is overcome by creating a peer-to-peer structure.

In this model, each connected device operates independently as both a client and a server at the same time.

At the same time, each device coordinates the updating and transmission of other data between the same devices.

Because of this, the P2P botnet structure is much stronger and less vulnerable than the centralized management model.

By the way, do you know what is the most massive botnet in the world and what very famous company owns it? This is Microsoft!
These bastards have the ability to connect to ANY machine remotely and supposedly clean it from malware.
By the way, small-scale users are constantly taking control of more and more botnets, as well as buying up databases of compromised passwords.
Naturally, to fight us.
Good luck, hula.

Classification of botnets

What can botnets do?

Below I will give only the main and most important functions that can be assigned to a botnet.

Calculation

First of all, you need to understand that a network of infected machines is a decent array of computing power.
In this regard, the first thing that comes to mind is to make these capacities work in their direct direction, namely: calculate the selection of hash, brute, etc. After all, 5 thousand machines work faster than one...

DDoS

Also, all these machines can, suddenly, simultaneously access some site and "put" it. Everyone knows DDoS.
The most common attacks of this type are TCP SYN and UDP attacks.
DDoS attacks are not limited to web servers. They are often directed at a variety of services that are connected to the Internet.
The attack can be increased or worsened by recursive HTTP streams on the victim's website: bots recursively follow all links in the HTTP path.

A few years ago, DDoS attacks using IoT devices were very popular. Mirai generated a lot of derived queries and continued to expand, making the attack more complex. This innovation has significantly and irrevocably changed the threat landscape in terms of the methods used in this area of attacks.

Traffic monitoring and theft of confidential data

Infected machines can be used as a traffic analyzer to detect confidential information on infected devices.

They can also find a competitor's botnets (if they are installed on the same machine) and be hacked in a timely manner.

The next, in my opinion, great direction is the ability to raise the SOCKS v4/v5 proxy server (universal proxy protocol for a TCP / IP-based network).

When the SOCKS proxy server is enabled on a compromised machine, it can be used for various purposes, such as sending spam (provided that we have port 25 open).

When analyzing packets, a sniffer embedded in the bot can successfully track important information: confidential data such as credit card numbers, passwords, and access rights.

Keystroke logging (keylogging)

This function logs all keystrokes on the infected machine, can structure them and issue them to the bot driver in a ready-made form.

Using this function, we can, for example, collect only those keys that are typed in the desired keyword sequences. Like PayPal, eBay, etc.

There is also a screen capture option.

Click abuse (clickbots)

Click through links for which the attacker receives a piecework reward. For example, all kinds of affiliate programs with banner or ad impressions.

Ad Serving (Adware)

The bot is used to display ads on an infected machine, redirect search queries to advertising sites, and collect marketing information. The bot collects the user's personal data and sends this data to the server. After processing the data, the bot shows the user relevant ads (ads that match their interests).

From the main menu - everything.
Next, we will analyze how this functionality can be monetized.

Business models and monetization

I often see that even "seasoned experts" in the field of information security make rather ridiculous mistakes, considering that the costs of botnery are minimal, or even zero at all.

I don't know, but for some reason all sorts of "experts" believe that if bot breeders do not have the costs of creating infrastructure in THE CLASSICAL sense, then in principle the cost part of bot breeders is scanty.
Of course, this is not the case. Not at all.

It is mistakenly assumed that the profit of a bot owner is often almost equal to the profit from the botnet operation. Any sane person understands that this is nonsense.

A botnet will not occur by itself. You need to create it. And once created, it must be maintained. And this is oh so expensive!

Regarding the directions and development of different business models, botnets are an excellent platform for implementing all sorts of malicious practices that can bring us a decent income.

Below are the main directions.

Spam: it sounds banal, but it is very difficult to implement

Large-scale distribution of emails (may contain both advertising products and phishing content), as well as other malware (for example, ransomware).

Not so long ago, Krab showed how much one of their top ads earns, and who works with mailings.

There are no ready-made solutions on the market right now. There are several reasons.

As a rule, spam bots are written for specific purposes (affiliate programs).

There is no universal tool in this regard. More precisely, of course, in theory it is possible to make some general craft, but I do not recommend using it.

In any case, spam is the lot of advanced guys. Both in technical terms and in terms of cash receipts.

A spam bot is an advanced money-making machine. Spam as a mailing list, for the most part, is implemented as follows: the script directly sends a pre-prepared email from the infected user's email address.

According to its working logic, the script practically repeats the webmaster's working processes.

The main advantage for a spammer is that mailing from infected machines will not be immediately blocked or end up on blacklists.

With fine tuning and proper tuning, you can achieve very decent results.

Another significant bonus is the collection of emails from the infected machine's mail folders. Good spam databases are worth their weight in gold.

DDoS and related earnings

And the earnings here are not very thick. More precisely, directions.

You either hammer victims yourself and demand a ransom for stopping attacks, or sell power to third parties.

With DDoS, everything is simple, in fact. By itself, it is not very relevant. As a rule, it is used in conjunction with other methods of attacking the target and, in most cases, to distract attention: while the target is being subjected to a massive DDoS attack, penetration is carried out from the other side. Thus, the technical department and security will fight off DDoS, and the evil guys will get into the perimeter, where they are not expected at all, and will remain unnoticed.

Blackmail as such is not very popular. You can hammer the victim, and there will be a stubborn and intractable idiot.

As a result, you will only spend time and resources, but you will not earn anything.

If anyone does not know what DDoS is... this is (very figuratively) a larger number of requests to the victim's server than it can accept and process. In Russian, this method of attack is also called “denial of service”. It is closely related to extortion (cyber-blackmail).

But, as we found out above, this is not the most profitable option.

The next and much more profitable direction is SOCKS

We can raise proxy servers on infected machines and sell access to them.

Good, fast and clean proxies, without exaggeration, are worth their weight in gold. They are needed by everyone: investors, arbitrageurs, poker and casino players...
Clientele in bulk. And the prices for high-quality proxies are impressive. Average pollution socks5 costs $1-10 per day. And this is ONE machine.
So consider the profitability.
If you also add the backconnect module and the ability to have bots behind NAT, we multiply it by 2 at once.

The direction is always promising and in demand.

It is also not demanding on the quality of traffic. We don't really care about the contents of the machine. We care about the cleanliness and speed of the connection. Therefore, you can buy cheap and sump installations.

Theft of confidential data

As we know, the victim's machine has a lot of private information that is of particular interest to different people and is also evaluated differently.

By infecting the machine, we will be able to steal things like bank cards and payment data for logging in to PayPal, eBay, Amazon and other services. Here we add all passwords from various services and access to mail.

All this is perfectly implemented on the market in the form of so-called logs.

They made a strait, stole the logs, ideally, processed them on their request and sold them. Profit.

The market is now saturated with logs and it will not be easy for a new product.

But it is also worth noting that the quality of logs for everyone, without exception, is at the bottom.

The next over-the-top direction is mining

Once upon a time (a very short period of time, by the way) it was progressive and quite profitable. Especially when the cue ball was mined on a video card, and you did not spend the mined 5-7 years)

Now the situation is deplorable. No matter how advanced your miner is, it still burns with proactivity.

But, most importantly, it's a dumb resource kill. Imagine you have a large-caliber 12.7-caliber sniper rifle that can hit targets behind cover at a distance of 3 km. And you herachite from it on the wheels of enemy armored vehicles 200 meters away.

The logic is clear, I hope?

Mining is not our story at all. Especially with the current market situation, of course.

Yes, even if the situation was favorable, bots need to be used correctly. Much more appropriate.

On this, perhaps, we will finish about mining once and for all.

The next truly interesting area is adware

I must say right away that adware is all the software that shows or forces the user to click on the displayed ad. Don't confuse it with an autoclicker.

Adware, as you guessed, can work on its own. It doesn't need a botnet.

But we are also looking at business models that we can implement if we have a resource like a botnet at our disposal.

I will tell you about malware in a little more detail, since this direction (in conjunction with a couple of others) it seems quite promising to me.

Adware as such can be quite intelligent. Force the user to follow certain links, collecting marketing information about the user and, in the future, showing already targeted ads.

The one that the user is most likely to click, thereby increasing the conversion rate and, accordingly, sales.

By the way, quite a harmless thing.

The direction is very monetary, if you correctly build a strategy and technological base. In other words, for smart guys. And we are smart guys, so here's an example of how you can make good money on advertising and a botnet.

Remember what I said about the socks bot? Did you also say that it is in demand? So, the next level is not just providing a connection to the victim's machine for money, but spoofing DNS on this machine and showing us the ads we need.

No tinplate, just commerce. No need for ransomware, lockers, and other filth.

Believe me, you can earn no less here!

If your socks bot has a backconnect module that will allow us to infect and have active bots at the site where we will run our ads, that is the height of heights.

Thus, 5-10k bots give $10k per day on the farm alone.

It is clear that there is no stability here, but the fact is!

And this is only one vertical. Without chernukha. And how much more there is!

Of course, no one will sell you such software. You need to write for yourself and for yourself. For your specific tasks.

Well, since we are talking about the advertising direction, we will touch on advertising bots as such.

A non-trivial thing, in fact, is clicking and pageviews.

It is as old as the world and, in some places, even works and brings a couple of kopecks.

There are, however, some unique things: the guys got their own networks of ipv4 addresses, wrote scripts that mimic human behavior, and sent themselves ads for several cartoons of greenery a day (who cares, Google: Methbot).

There are many pitfalls, and you need to know the internal cuisine.

It's not enough to just fill up your views. There are a number of indicators that directly indicate fraud. The same CTR.

In theory, with the growth of views, the conversion rate should also grow in a conditional proportion.

And how can it grow if we chase dead souls? Such a partner will be immediately banned. In short, the subtleties dofiga. But if you know where to attach it, you can earn very good money.
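The post lists the indicators an ad network uses to spot inflated traffic: a CTR out of line with everyone else, and views that grow while conversions do not follow. The Python example below is an added illustration from the network's side, not code from the post; the publisher records, baselines and thresholds are constructed assumptions.

```python
"""Flag publishers whose click growth is not matched by conversions.

Added illustration for the click-fraud paragraph of the post; not the post's code.
The daily records, network baseline and thresholds are constructed assumptions.
"""
from statistics import median

# Constructed daily stats: (publisher, day, impressions, clicks, conversions).
# pub-b's clicks explode from day 1 to day 3 while conversions stay flat.
SAMPLE_STATS = [
    ("pub-a", 1, 10000, 120, 6), ("pub-a", 2, 11000, 130, 7), ("pub-a", 3, 12000, 140, 7),
    ("pub-b", 1, 9000, 100, 5), ("pub-b", 2, 45000, 900, 5), ("pub-b", 3, 90000, 1800, 6),
    ("pub-c", 1, 8000, 90, 4), ("pub-c", 2, 8500, 95, 5), ("pub-c", 3, 8200, 92, 4),
]


def per_publisher(stats):
    """Group records as {publisher: [(day, impressions, clicks, conversions), ...]}."""
    out = {}
    for pub, day, imp, clk, conv in stats:
        out.setdefault(pub, []).append((day, imp, clk, conv))
    return {pub: sorted(rows) for pub, rows in out.items()}


def rates(rows):
    """Return (CTR, conversions per click) over all of a publisher's rows."""
    imp = sum(r[1] for r in rows)
    clk = sum(r[2] for r in rows)
    conv = sum(r[3] for r in rows)
    return (clk / imp if imp else 0.0, conv / clk if clk else 0.0)


def suspicious_publishers(stats, growth_x=3.0, cr_drop=0.5, ctr_jump=1.5):
    """Flag a publisher when (a) its daily clicks grew by >= growth_x from the
    first to the last day but its conversions per click sit at <= cr_drop of the
    network median, or (b) its CTR is >= ctr_jump times the network median CTR.
    Returns {publisher: [reasons]}."""
    pubs = per_publisher(stats)
    ctr_med = median(rates(rows)[0] for rows in pubs.values())
    cr_med = median(rates(rows)[1] for rows in pubs.values())
    flagged = {}
    for pub, rows in pubs.items():
        ctr, cr = rates(rows)
        first_clicks, last_clicks = rows[0][2], rows[-1][2]
        grew = first_clicks > 0 and last_clicks / first_clicks >= growth_x
        reasons = []
        if grew and cr <= cr_drop * cr_med:
            reasons.append("clicks grew without conversions")
        if ctr >= ctr_jump * ctr_med:
            reasons.append("CTR far above network median")
        if reasons:
            flagged[pub] = reasons
    return flagged


if __name__ == "__main__":
    for pub, reasons in suspicious_publishers(SAMPLE_STATS).items():
        print(f"{pub}: {'; '.join(reasons)}")
```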

I'll give you a sad example. There was such a veteran of the nastra runet. He implemented a similar scheme with servers.

He combined them into a cluster and rewound pageviews, having previously agreed with some agency there.

At a certain point, the agency got some kind of plug and they did not want to shoot.

So he rewound views for tens of millions, as if he had decided to take revenge.

As a result, they were accepted and extradited to the United States.

But that's not the moral. It's that you can find your own ways and earn money.

Who is interested, Google: nastra, Alexander Zhukov.

In general, do not forget that a botnet is a huge array of computing power. With DDoS, everything is clear.

But there are still a million other areas where you can use these capacities.

For example, write software for selecting seed words for an Ethereum wallet, combine the machines into a cluster, and put them to work.

Well, or any other brutus, whatever.

And, as a final option: you can always rent out or sell your botnet profitably if you couldn't / didn't want to / don't have time to study. It can be profitable. But still not desirable.

In general, such services should be used by imbeciles and incompetents. Why rent bots that have already been squeezed 100 times before you?

Also, think about it: would you rent out your car?) That's the same thing.

If we are just completely morons, and we have super little brains (or even not at all), then we can “search for other people's links/requests” in our logs.

You can do this. Why not, if so. We post a topic and wait for the same idiots.

Idiots apply and fire their requests, and then you work them out on your own.

But what if you're smart? Then you can develop your own unique software and just rent it out. What is called Malware as a Service in smart language.

A typical representative of this class is the previously mentioned GandCrab.

The essence of the approach is that you rent out your software or infrastructure for a fee. Sometimes it's both.

Additional botnet monetization

There are several directions in this regard.

Expand either vertically or horizontally

Vertical - this is when you connect other functionality to your bot that was not originally planned and monetize it.
For example, the same SMOKE bot: you initially took a loader and sell downloads after you've wrung out everything yourself, and then you decide to also do DDoS. You buy a separate module and start monetizing DDoS on your own.

Horizontal expansion is when you take as conditional partners a person who will process the resources that you have not used.
What does it mean? Let's say you are processing the logs you have collected on a stick. Don't touch any other requests. Take a person who works with Amazon as a partner and give them their request. You discuss what data it needs, cut it out of the log (all this, by the way, can be perfectly automated) and give it for testing.

It is necessary to calculate all the options in advance in case your main activity, which brings you profit, suddenly dies tomorrow. In this regard, the bot should be relatively universal. Moreover, it is desirable to have several such partners, and preferably on a permanent basis. In the course of market research, I suggest that you look at what requests and in what quantity are redeemed on different forums. We study reviews, choose who we are interested in, estimate the approximate amount of material, and build bridges BEFORE starting.

They don't charge money for demand. Nothing prevents you from agreeing first, and then starting to produce results. Because if you already have the material on your hands, and you're just looking for somewhere to merge it, you have to ask yourself: am I doing everything right? Spoiler alert: Not all of them.

A small caveat regarding the sale of shares. An extremely important and not obvious point regarding the sale of your hard-earned shares from logs.

Let's assume that you are shedding normally, you have a bunch of bots and you are working them out for your requests. At the same time, you still have 98% of the untouched material.
It is understandable, it is simply not realistic to cover everything. And there's no point, really. What comes to mind in this situation? Right. Start selling your accounts.
You, without suspecting anything, go to a forum or telegram channel of some kind and start selling unclaimed accounts. Only there is one small BUT. Having sold a conditional Bank of America, you may not know that on the same bot you have a fat PayPal or other service that you are actively hammering.
Do you have any idea what will happen next? The buyer will go to hammer out their request, the holder will realize that it is infected, take down the operating system, and you have lost the bot.

When you lose a bot through your own fault and as a result of your own work, this is one thing.

And when you were given a bot that could potentially bring in thousands of dollars, and you earned a measly 15 bucks for selling it, "this is a fiasco, bro...".

I strongly recommend instilling "account cleanliness" in yourself. As long as you don't push the bot to the maximum, don't sell anything from it.

If you decide to sell accounts, then sell exclusively from old bots, which you gutted as best you could to all your possible questions.

This is not a call to expand vertically in other directions. This is rather a small remark about the correct and PROFITABLE work with your material.

The ideal story is when the botnet has worked for some time (notional 4-5 months), you have merged all your logs and moved to another server.

After completing all the logs in advance, you can sell them out. We keep the logs from the new server for ourselves. Repeat the cycle.