Pierluigi Paganini February 14, 2013

Internet is becoming a mine for criminals that in easy way are able to access to any kind of resources to arrange a cyber attacks, a cyber espionage campaign or a complex banking fraud.

What is very scaring is the simplicity with which it is possible to acquire any kind of criminal services in the underground and the creativity of cyber criminals that are able to offer model of sale efficient as cheap. In the past I proposed in different posts information related to the sales in the underground market, especially the Russian one that is considered the most active.

In the last month various malicious campaigns have been launched by cyber criminals with specific intent to infect the largest number of machines composing dangerous botnets. The availabilities of a great number of infected machines translates into the availability of valuable resources and services to be marketed by cybercrime gaining considerable profits.

Cyber criminals are offering malware-infected-hosts, also known as loads, in a model of sale that proposes the monetization of bots activities through its rent of the compromised systems.

Of course the services offered are totally customizable, clients can choose the type of malware that infects the victims and their geographic location, it is possible rent US-based malware infected hosts or machine in European Union.

Security expert Dancho Danchev in a post on Webroot threat blog revealed newly launched underground service offering access to thousands of malware-infected machine for upsetting prices, a thousand US-based hosts costs $200 meanwhile for a thousand EU-based hosts price varies between $60/$120, and the price for a thousand international mix type of hosts is $20.

The different prices applied are calculated bases on purchasing power and long-term value of a malware-infected host, US users are considered by cybercriminal organization the most wealthy, the pricing policy is very diffused, in many cases the malicious services are sold to US users at higher prices, I add that probably there are also other considerations behind cost evaluation such as specificity of the demand in specific areas and cost to maintain alive botnet in countries in which cyber security is more responsive.

Dancho Danchev a couple of years ago conducted an interesting study on botnet renting:

“The logical shift from static pricing lists, to the embracing of multiple pricing schemes such as price discrimination (differentiated pricing), or penetration pricing, naturally resulted in different prices for different targeted groups.”

Which are the principal use of thousands of infected hosts?

Typically the criminals are interested to the arrangement of cyber frauds and a so wide number of machines could be used for launching related malicious and fraudulent campaigns, in other cases they search for new infected machines in possession of clean IP reputation, IP reputation is an essential component for the efficiency of botnets.

The post highlight the use of “partitioned” access to botnet to further disseminate malware variants, in many cases security experts discover inter-connections between different malware families spread by the same group of compromised machines, circumstance that suggest the promiscuous use of the machines.

The model of sale appears ideal for those criminals that desire to spread malware without be bothered with botnet management and hosts recruiting, due this reason cyber criminals opt to rent an exploit service.

Damballa Labs recently investigated a criminal infrastructure being used by a person or group running a Critx exploit kit rental service.

The exploit kit is being rented or leased on its own criminal infrastructure, for which the cyber criminals have already build up the malicious services adopting al necessary precautions, such as multiple IP addresses and redundancy, to avoid botnet takedowns.

Few months ago security researchers from Symantec discovered Malware-infected computers rented as proxy servers on the black market. Cyber criminals using a malware were able to turn infected computers into SOCKS proxy servers to which access is then sold, they used compromised host to power a commercial proxy service that tunnels potentially malicious traffic through them.

The example provided are the demonstration of how much prolific is the model of sale known as “malware as service”, a monetization schema that will we will encounter more and more often in the months to come.

Pierluigi Paganini