Slashdot Mirror


The Coming Botnet Stock Exchange

Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."

13 of 105 comments

  1. Honeypot? by dhanson865 · · Score: 4, Insightful

    Yeah, interesting concept but the fear would be that the botnet owner would respond by saying knock, knock, the FBI is here (substitute the agency you think applies if the FBI isn't your cup of tea).

    If you do something yourself you know all the players. If you pay someone to do it you don't know if you are walking into a trap.

    disclaimer: I'm not too worried about this as I don't plan on taking either route.

    1. Re:Honeypot? by dch24 · · Score: 3, Interesting

      Business does require a certain amount of trust, but it's amazing how money talks. For example, the conversation might go like this:

      "Uh, I don't trust you but I want to search your botnet. Strictly for research purposes."
      "I'm trustworthy. I control such-and-such handle over at such-and-such forum. I'm going to post '(some message)' in 5 minutes -- that proves it. But my botnet is expensive. Can you pay?"
      "Yeah, here's a paypal gift to prove I have funds."
      "Ok, I'm listening. What do you want?"
      (And the negotiation goes on from there.)

      This is an Apple-like vertical integration of services (but for botnets). The same guy who has "owned" the hardware offers "other services" on his "platform." I couldn't keep a straight face as I typed that.

      I don't really think this is a "stock exchange."

    2. Re:Honeypot? by Anonymous Coward · · Score: 3, Informative

      This particular problem already exists - and yet there are online exchanges to buy/swap/sell credit card information, bank account info etc. The risk is sold off - so if a guy has 1000 bank accounts (+pin + atm card number etc) with an average of $10,000 on each of them, he sells it to someone who will actually do the hard work at say $20 per account.

      Your argument would be the same at the exchanges too... but they exist and thrive. So, a botnet selling cloud computing power is not far-fetched.

    3. Re:Honeypot? by fuzzyfuzzyfungus · · Score: 5, Insightful

      There is a notable risk for the botnet owner, as well.

      If I am a security guy for some entity that I fear may contain compromised systems, and potentially be the target of more focused attacks, I can use this hypothetical "botnet stock exchange" to verify my suspicions. "So, I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?" If no, breathe slightly easier. If yes, I now know which of my hosts need serious inspection and rebuilding.

      Depending on exactly how the exchange is run, basic checks (i.e. botnet or no botnet, not necessarily specific hosts) might well be cheap or even free. You don't have much of a market if people can't ask "Is anybody selling X?" and receive a useful answer. More specific answers would probably cost you, as would the services of the sorts of grey hats who work for white hats but can talk to black hats; but there are certainly circumstances where it could be cost effective.

  2. Bad title by Galestar · · Score: 5, Insightful

    How is this a "stock exchange"?

    --
    AccountKiller
    1. Re:Bad title by K. S. Kyosuke · · Score: 3, Funny

      I guess they are going to set up their office at Firewall Street.

      --
      Ezekiel 23:20
    2. Re:Bad title by Anonymous Coward · · Score: 5, Funny

      Both involve trusting your money to less than scrupulous people to do all the work for you in hopes that you'll get back more than you put in with no rational reason to back up this hope.

      Actually I take that back. The hackers will at least worry about their reputation.

    3. Re:Bad title by eviloverlordx · · Score: 5, Funny

      Just wait. In a few years, they'll be applying for a bailout, too.

      --
      'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
  3. How to Pay? by MrTripps · · Score: 5, Funny

    So you have just hired a bot master. How do you pay them? You know they are dirty hackers, so it isn't like you would just give them your credit card number or Pay Pal account. Maybe the guy just wakes up and finds a crate of Jolt and Hot Pockets on his doorstep.

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
    1. Re:How to Pay? by v1 · · Score: 4, Funny

      I can hook you up with an acquaintance in Nigeria that's very good with money transfers, let me know.

      --
      I work for the Department of Redundancy Department.
    2. Re:How to Pay? by St.Creed · · Score: 3, Informative

      That would require physical access to the botnet-master (risky) or knowledge of the physical whereabouts of said person (risky again).

      No, I'd much rather set up a paypal account with a fake firm in Tonga, linked to another fake firm on the Cayman Isles. It's apparently impressively difficult to get any information out of Tonga regarding business owners, whatever their background. The same goes for the Cayman Isles. And you could always route it again through Tonga, for double fun. And you wouldn't even have to leave your house. And the best news: there are already providers for it.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  4. Be careful what you wish for. by khasim · · Score: 3, Insightful

    Why not hold Microsoft responsible for their own products too?

    And what happens to FOSS developers who accidentally leave a bug in their code?

  5. Re:I can't believe we are still discussing this .. by Galestar · · Score: 5, Insightful

    You have oversimplified the issue. The root causes are:
    1. Windows / [insert other exploitable program here (i.e. Flash/Adobe PDF reader)]
    2. Stupid users

    If your user downloads and runs malware, there's almost nothing your OS can do to stop it. The only way to stop it is to force application signing... but who really wants that?

    So tell me, which OS would you choose that could stop all malware even with stupid users?

    --
    AccountKiller