What is very frightening is the simplicity with which it is possible to acquire any kind of criminal services in the underground and the creativity of cyber criminals that are able to offer a business model that is both efficient and inexpensive. This is especially true of the Russian criminal underground which is the one that is considered the most active globally.
In the last month various malicious campaigns have been launched by cyber criminals with specific intent to infect the largest number of machines composing dangerous botnets. The availabilities of a great number of infected machines translates into the availability of valuable resources and services to be marketed by cybercrime organizations.
Cyber criminals are offering malware-infected-hosts, also known as “loads”, in a new business model that proposes the monetization of botnet activities through renting of the compromised systems. Of course the services offered are totally customizable, clients can choose the type of malware that infects the victims and their geographic location, it is possible rent US-based malware infected hosts or machine in European Union.
Security expert Dancho Danchev in a post on Webroot threat blog revealed newly launched underground service offering access to thousands of malware-infected machine for unsettlingly low prices, a thousand US-based hosts costs $200 meanwhile for a thousand EU-based hosts price varies between $60/$120, and the price for a thousand international mix type of hosts is $20.
The different prices applied are calculated based on purchasing power and long-term value of a malware-infected host, US users are considered by cybercriminal organization the most wealthy, the pricing policy varies, so in many cases the malicious services are sold to US users at higher prices. I add that probably there are also other considerations behind cost evaluation such as specificity of the demand in specific areas and cost to maintain alive botnet in countries in which cyber security is more responsive.
Dancho Danchev a couple of years ago conducted an interesting study on botnet renting:
“The logical shift from static pricing lists, to the embracing of multiple pricing schemes such as price discrimination (differentiated pricing), or penetration pricing, naturally resulted in different prices for different targeted groups.”
What are the principal uses of thousands of infected hosts?
Typically the criminals are interested in the arrangement of cyber frauds and so large number of machines is used for launching related malicious and fraudulent campaigns (i.e. , in other cases they search for new infected machines in possession of clean IP reputation. IP reputation is an essential component for the utility of botnets.
The post highlights the use of “partitioned” access to botnet to further disseminate malware variants; in many cases security experts discover inter-connections between different malware families spread by the same group of compromised machines. A circumstance that suggest the promiscuous use of the machines. The business model appears ideal for those criminals that desire to spread malware without be bothered with botnet management and hosts recruiting; many cyber criminals therefore opt to rent an exploit service.
Damballa Labs recently investigated a criminal infrastructure being used by a person or group to run a CritX exploit kit rental service.
The exploit kit is being rented or leased on its own criminal infrastructure, for which the cyber criminals have already built up the malicious services including all necessary precautions, such as multiple IP addresses and redundancy, to avoid botnet takedowns.
A few months ago security researchers from Symantec discovered Malware-infected computers rented as proxy servers on the black market. Cyber criminals using a malware were able to turn infected computers into SOCKS proxy servers to which access is then sold, they used compromised host to power a commercial proxy service that tunnels potentially malicious traffic through them.
The case provided a demonstration of how common the “malware as service” model has become. This is a monetization schema that will we will encounter more and more often in near future.