How to build your own personal botnet and how much it costs

Tomcat

Botnets (from the English “robot” and “network”, that is, “robot networks”) are one of the main and most popular tools of modern cybercrime. They are networks of computers, consisting of tens or hundreds of thousands or even millions of host machines infected with bot programs, which automatically perform certain actions in the interests of the owner or operator of such a network.

At the same time, the tasks that a botnet can solve can be very different: from the classic and completely harmless collection of email addresses and subsequent sending of spam to theft of information about bank accounts and commercial espionage. In Russia, botnets have recently been most often used for DDoS attacks on major Internet resources, primarily opposition-oriented ones, as well as to litter social networks with propaganda postings from fictitious users.

Writing botnet software, and operating, supporting and renting out botnets, is a very large business that has existed and actively developed for more than 15 years. Its visible part consists of semi-legal companies that sell software, provide secure anonymous hosting and various cryptographic services. As a rule, they are registered and operate in jurisdictions that guarantee protection from prosecution by foreign law enforcement agencies and non-disclosure of data about the clients of such firms.

Almost all countries are actively fighting malicious botnets, and almost everywhere intelligence services use these same technologies for their own purposes - without particularly advertising it, but without hiding it too much either. Such coexistence is objectively beneficial to both parties, which is why we very rarely hear reports of the elimination of large botnets, the very existence of which provides the necessary balance of interests. Such networks are able to function successfully for a long time without revealing themselves.

According to experts, the average lifespan of botnets maintained by highly qualified specialists ranges from seven months to three years. According to Trustwave data from February 2013, on average more than 210 days pass before a network attack is detected, and the intrusion is discovered not by anti-virus software but solely through customer complaints and questions from banking institutions and law enforcement agencies. Moreover, in five percent of cases, a network attack was discovered more than three years (!) after it began.

It is clear that such results are achieved only by well-organized groups employing highly qualified professionals. The services of such botnets are available only to large businesses and intelligence services, not only because of their cost of tens of millions of dollars, but also because of the extreme secrecy involved. Meanwhile, a huge number of quite effective networks of a much smaller scale operate in the world, focused on short-term attacks. Even a student can afford to organize such a network, and it is quite possible that your business competitor “took down” your website for a week for a completely ridiculous sum.

The cost of organizing a “budget” botnet today is only about $600. At the same time, the owner of such a network does not need to understand programming or network protocols at all - for this money he gets not only fresh code, secure hosting and cryptographic services, but also round-the-clock technical support, regular updates and any other service, at a level comparable to that of other international corporations.

What makes up the price of a “budget” botnet, and how do you find the people providing such services? You will laugh, but just type the word “botnet” in the search bar of your browser and you will receive a huge number of links to forums that will offer you everything you want. Let us state explicitly that this article is not in any way a set of instructions for bank robbery or other illegal activities, but only a general description of the offers available on the market. Therefore, there will be no direct hyperlinks here - those who are curious will have no problem finding all the products and services we mention on their own, and should not forget about Articles 272 and 273 of the Criminal Code of the Russian Federation.

1. Secure virtual private network (VPN)

Before you start building a botnet, you need to hide as carefully as possible from the watchful eyes of antivirus companies, security specialists, competitors and, of course, law enforcement agencies. To do this, you need a virtual private network (VPN) provider that is not interested in your real name, that will not disclose its logs to anyone for legal or technical reasons, and that accepts payments through anonymous payment systems.

Read the user agreement and rules of the provider you choose carefully. LulzSec member Cody Kretsinger was arrested only because the VPN provider HideMyAss.com, in accordance with its terms of service, handed all of its logs to the police after receiving an official request.

A typical VPN provider, CryptoVPN, charges around $25 per month or around $200 per year for its services. Payments are accepted through Bitcoin, Liberty Reserve and other anonymous services.

Price: $25 per month.

2. Reliable hosting

Having hidden yourself, you need to find a reliable place to host the botnet control center. It's worth looking for hosters who don't care what you do on their servers and who won't clean out your specific software during regular anti-virus scanning. Such hosters are located either in countries with a liberal attitude towards computer piracy, or in countries that are not inclined to cooperate with foreign law enforcement agencies.

A typical example is the Romanian hoster HostimVse, with a website in Russian, which offers hosting for sites with pirated and pornographic content, protected from attacks by competitors and complaints from users, and not subject to the American DMCA law. The company also provides additional services, including protection against DDoS attacks. The price for a dedicated server starts at $30 per month, but the terms of service include conditions that allow the provider to terminate the contract if botnet activity is detected.

There are also special services aimed specifically at botnets and other malware, which are usually advertised exclusively on thematic forums, with ICQ or Jabber used for contact. Many of them offer technical support by phone or Skype, as well as Apache configuration services.

Price: from $50 per month plus support fees.

3. Reliable domain and Fast Flux

To communicate reliably with the bots, you will need domain names with full access to their DNS settings. To avoid the “command center” being quickly identified when infected machines connect to it, you will need several domain names.

The registrar of such domain names must not have any special interest in your identity and must accept payments through anonymous services.

The security of domains is significantly enhanced by the use of Fast Flux masking technology, which hides the real IP addresses by rapidly changing (within a few seconds) the IP address in the DNS record to the address of any of the machines in the botnet. Double-flux networks add a further layer: the DNS records themselves are served by bots whose IP addresses also change constantly, which provides an additional level of protection.

Unlike domains, the Fast Flux service costs a lot: maintaining five hidden DNS servers will cost at least $800. Therefore, for a “budget” botnet it is better to start by purchasing several domain names.

Price – from $50 for five domain names.
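Seen from the defender's side, the Fast Flux behaviour described above leaves a recognisable trace in DNS data: a short TTL and answers that rotate across many unrelated networks, and in the double-flux case the same pattern on the name servers. The script below is an added example, not part of the original article; it scores constructed passive-DNS observations with a simple flux heuristic, and the domain names, addresses and thresholds are all invented for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations (name, rrtype, ttl, rdata) with RFC 5737
# documentation addresses; a real detector would read a resolver or pDNS feed.
def obs(name, rrtype, ttl, values):
    return [(name, rrtype, ttl, v) for v in values]

SAMPLE = (
    # Ordinary site: two stable addresses and a long TTL.
    obs("shop.example", "A", 3600, ["203.0.113.10", "203.0.113.11"])
    # Single flux: short TTL, A records rotating across unrelated networks,
    # while the name server itself keeps one fixed address.
    + obs("single.example", "A", 60, ["192.0.2.40", "192.0.2.41", "198.51.100.42", "198.51.100.43", "203.0.113.44"])
    + obs("single.example", "NS", 86400, ["ns.single.example"])
    + obs("ns.single.example", "A", 86400, ["203.0.113.1"])
    # Double flux: the name server's own A records rotate as well.
    + obs("flux.example", "A", 120, ["192.0.2.5", "192.0.2.77", "198.51.100.9", "198.51.100.200", "203.0.113.14"])
    + obs("flux.example", "NS", 300, ["ns1.flux.example"])
    + obs("ns1.flux.example", "A", 180, ["192.0.2.30", "198.51.100.31", "203.0.113.32", "192.0.2.33", "198.51.100.34"])
)

def summarize(records):
    """Per (name, rrtype): the set of distinct answers and the lowest TTL seen."""
    answers, min_ttl = defaultdict(set), {}
    for name, rrtype, ttl, value in records:
        key = (name, rrtype)
        answers[key].add(value)
        min_ttl[key] = min(ttl, min_ttl.get(key, ttl))
    return answers, min_ttl

def is_fluxing(ips, ttl, min_ips=5, max_ttl=300, min_prefixes=3):
    """Flux heuristic: many distinct IPs, a short TTL, spread over several networks.
    /24 diversity stands in for the ASN diversity a production detector would use."""
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    return len(ips) >= min_ips and ttl <= max_ttl and len(prefixes) >= min_prefixes

def classify(records, domain):
    """Return 'benign', 'single-flux' or 'double-flux' for one domain."""
    answers, min_ttl = summarize(records)
    never = float("inf")  # a name never observed cannot pass the TTL test
    a_flux = is_fluxing(answers.get((domain, "A"), set()), min_ttl.get((domain, "A"), never))
    ns_flux = any(is_fluxing(answers.get((ns, "A"), set()), min_ttl.get((ns, "A"), never))
                  for ns in answers.get((domain, "NS"), set()))
    if a_flux and ns_flux:
        return "double-flux"
    return "single-flux" if a_flux else "benign"
```

Run against a real passive-DNS feed, the same three checks (distinct addresses, TTL, network spread) are what separate a flux domain from a legitimate CDN, which also rotates addresses but usually within a handful of networks and with announced infrastructure.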

4. Platform and control center (C&C)

There are several well-known software platforms for creating botnets - Carberp, Citadel, SpyEye, ZeuS - and their prices vary by orders of magnitude. In particular, the Carberp developers, immediately before their arrest, were asking $40,000 for the kit, while the first versions of ZeuS cost about $400. Modified versions of ZeuS with rootkit functionality and a set of software for the novice user cost $1,500. ZeuS's younger competitor SpyEye, with a set of injector modules, costs about the same.

Since the source code of earlier versions of ZeuS was released in 2012, it has effectively become open source, and there are a great many offers on the market selling the platform for around $125, with monthly updates for $15 and 24/7 support for $25 per month. Finally, it won't be difficult to find “cracked” versions of some platforms: you won't get any support or updates, but you won't pay a penny for them either.

Price: $125 plus $40/month for updates and support.

5. Web injection kits

The popularity of the ZeuS platform has given rise to an entire ecosystem of software plugins that modify or extend the functionality of the botnet. A significant share of them are so-called injections - modules that control the bot, allowing it to watch for the desired type of activity in the browser and, when such sites are visited, “inject” the necessary code into the page in the browser.

There are injections for a variety of purposes - from the almost harmless generation of invisible clicks on advertising banners to the collection of personal information and theft of online banking and payment system data. Through hacker forums you can purchase entire sets of injections along with a service for installing and configuring them.

Price: $80 per set plus $8 per month for support.

6. Bundles of exploits and online services

To penetrate a victim's machine and turn it into a bot, it is necessary to bypass the system's standard protections and its anti-virus software. For this purpose special programs are used - exploits that use vulnerabilities in the browser, operating system or other software to gain remote control over the system.

The usual method of infection for most botnets is through hyperlinks in spam email or in advertising pages, crammed with banners, that open alongside the main page. A single click on such a link redirects the victim to a botnet node, which identifies the client's software and hardware and then sends it suitable exploits.

Exploits are sold in sets, or “bundles”, or provided as an online service. The popular Phoenix package can be purchased for $120 plus $38 per month for updates and technical support. The online BlackHole service costs $50 per day, or $1,500 for an annual license when installed on the customer's own server.

Price: $120 per set plus $38 per month for support and updates.

7. Cryptors and droppers

To prevent anti-virus software from detecting the files downloaded to the victim's computer by their signatures and blocking them, so-called cryptors are used to encrypt the Trojan and its related files so that the signatures no longer match. The result of the cryptor's work is a dropper capable of installing the encrypted files on the system, including modifying executable files, as well as downloading additional pieces of malicious code and other data to the infected machine.

Many cryptors also have an “anti-sandbox” function: anti-virus programs can place suspicious files in so-called “sandboxes” or virtual machines, where their code can run without affecting the real system. The anti-sandbox function recognizes the virtual environment and runs only harmless code in it, hiding the main functionality.

A cryptor can be supplied as a separate utility for about $30, or as an online service - from $7 for a one-time “cryption” to $20 per month for an unlimited license and related utilities.

Price – $20 per month for cryptor and utilities.

8. Spam and social engineering services

To get future bots to click on the desired hyperlink and infect their machines, a variety of social engineering tools are used. The classic method is “good old” spam. You can simply buy a database of email addresses or use the services of another botnet that specializes in spam. Such botnets are more effective because they have refocused on popular social networks, as well as on sending SMS and MMS, and payment is made not per message posted but per click.

A more sophisticated option involves using personal information collected by another botnet to trick the victim into clicking on a link in an email or social network posting. Such a message can be disguised as a letter from a bank, from a car dealership or repair shop, from a hosting provider, from any online service, or even from any of your “friends.” By stealing the personal information of one member of a social network, you can bring several of his “friends” into the botnet.

For a “budget” botnet, spam remains the best choice: it's cheap and still effective. A mailing to a random set of addresses costs from $10 per million letters, and to addresses known to be interested in a certain topic about $50.

Price: $50 for initial spam mailing.

Cheap and cheerful

As you can see, the investment in creating and operating a “low-cost” botnet during its first month is only $606. An absolutely ridiculous sum, accessible to almost everyone, especially compared to the potential gains. And such cheapness does not mean ineffectiveness.

Despite the fact that all the major botnet platforms are well known to both antivirus companies and security specialists, they are perfectly disguised using readily available cryptors and droppers, and the constantly improving exploit kits can infect almost any machine. According to the ZeusTracker website, on average antivirus software recognizes the code of just over 38 percent of installed botnets on the ZeuS platform. So all this really works, and scammers around the world are actively using botnets. Of course, networks run by non-professionals are discovered much faster, including by law enforcement agencies, but this does not reduce the number of people who want to tempt fate.

What's frightening about this whole story is not the cheapness of the “entry ticket” to the world of modern cybercrime, or even the fact that creating your own botnet no longer requires even basic programming skills. What is scary is how easily people click on strange links and go to random sites. This remains the main way to infect a computer and turn it into a combat unit of a network of robots controlled by attackers.

Source: http://www.computerra.ru