Friday, April 12, 2013

A beginner’s guide to building botnets—with little assembly required

For a few hundred dollars, you can get tools and 24/7 support for Internet crime.

Have a plan to steal millions from banks and their customers but can't write a line of code? Want to get rich quick off advertising click fraud but "quick" doesn't include time to learn how to do it? No problem. Everything you need to start a life of cybercrime is just a few clicks (and many more dollars) away.
Building successful malware is an expensive business. It involves putting together teams of developers, coordinating an army of fraudsters to convert ill-gotten gains to hard currency without pointing a digital arrow right back to you. So the biggest names in financial botnets—Zeus, Carberp, Citadel, and SpyEye, to name a few—have all at one point or another decided to shift gears from fraud rings to crimeware vendors, selling their wares to whoever can afford them.
In the process, these big botnet platforms have created a whole ecosystem of software and services in an underground market catering to criminals without the skills to build it themselves. As a result, the tools and techniques used by last years' big professional bank fraud operations, such as the "Operation High Roller" botnet that netted over $70 million last summer, are available off-the-shelf on the Internet. They even come with full technical support to help you get up and running.
The customers of these services often plan more for the short term than the long game played by the big cyber-crime rings. They have very different goals. Botnet infrastructures can be applied in lots of ways for different sorts of profit—cash, information, or political gain. There are many ways to make money off botnets beyond outright theft, such as using them to steal advertising clicks, generate spam e-mails for a paying client, or renting out bots for denial-of-service attacks. And the same basic principles used to distribute botnets have been creeping up in more targeted attacks to steal intellectual property or to spread the malware used in the recent "wiper" attack on South Korean banks and broadcasters.
So how easy is it to get into the botnet business? Well, Ars decided to find out. Given the surprising availability of botnet building blocks online, I set out to build a shopping list to understand how everything is bought and sold within this black market. It all started with checking sources through a few Web searches then making trips into Web forums I dared visit only with a virtual machine and Google Translator's help. All I had to do was paste in "botnet" in Cyrillic, and I was on my way down the rabbit hole.
To assemble your list for some of the simplest get-rich-quick schemes, all you need is about $600, a little spare time, and no compunctions about breaking laws to make a profit. I didn't deploy an Ars-enal of botnet destruction in the end, but I absolutely could have. That may be the scariest lesson here.

It looks like you’re trying to build a botnet…

There are no personal shoppers to help walk you through the underground marketplaces to identify what fits a particular criminal scheme—though there may be plenty of people willing to give you paid advice on how to get started. With absolutely no budget for bitcoins, I got my start with some help from Max Goncharov, a security researcher for Trend Micro who specializes in following the Russian underground marketplaces for online fraud services. Goncharov came to Washington, DC in late March for a Trend Micro press briefing, and he laid out some of the basic things that go into a beginner fraudster's software and services shopping cart: botnets, malware-spreading tools, and hacking for hire. (Goncharov detailed some of these services in a paper published late last year and presented during this press road show.) Goncharov's suggested setup came with a $595 price tag for the first month of operations and a monthly cost of $225 to sustain the operation.
Of course, that price is for a particular type of botnet. It isn't representative of everything that's running wild on the Internet today. It also assumes total noob-hood. For those seeking to do something a little less overtly criminal than stealing credit card numbers or committing wire fraud, there are less expensive options. With a little sweat equity, you can pull off a workable botnet for a fraction of that price. If you're willing to try it without the benefits that come from paying professionals—like software updates, monitoring services, and 24/7 technical support—you can cut the cost back even further.
With my rough estimate in place, it was time to actually start some research of my own. Hello overseas VPN connection, Google Translator, and Google.ru—time for the underground hacker marketplace.

The marketplace of (bad) ideas

The "underground" forums do more than just give would-be criminals access to a level of service that might make some enterprise software companies look bad. They also act as a sort of hiring hall for people with very specific skills (like hacking webmail accounts) or botnets of their own ready to do a paying customer's bidding. On these barely underground sites, hacker wares are made available to anyone willing to pay. Current versions of Zeus and SpyEye botnet software are for sale, or you can find the last version cracked by someone for cheap or free.
Many of the sites run under the thin veneer of "security" discussion boards. But they're often paid for by advertisements for the tools sought by a certain class of cyber-criminal: botnet-herders and the service provider ecosystem that has sprung up around them. These are largely the small and medium businesses of cybercrime, following a well-worn approach to making money. If you cast a big enough net, you're bound to catch some fish.
The botnet herders' standard business plan is to "use exploit kits, and then run a phishing campaign or some sort of campaign against massive numbers of people with hopes that someone is going to click on a link and get the exploit to drop a botnet or banking trojan onto their machine," said Nicholas J. Percoco, senior vice-president of Trustwave and head of the company's SpiderLabs penetration testing and security research team. "Once they've done that, it goes down the path of them monitoring them when they do banking transactions, or the botnet may be involved in spam or distributed denial of service attacks. Or maybe it's a sort of Swiss Army knife botnet that can do many different things depending on what that botnet herder decides, or what he makes it available to do for people who want to utilize his or her botnet."
No matter what the racket, Percoco told Ars, the equation for botnet herders is the same. "From a criminal's perspective, they're looking at massive numbers of attacks to achieve their financial goals."
They're also looking at massive turnover. When a piece of malware like a botnet lands on thousands of PCs, "it may hit the radar of an antivirus company pretty quickly," Percoco noted. That means time and money spent on finding new victims, deploying patches and updates, paying for new exploits, and generally continuing the game of "whack-a-mole" with antivirus companies and other organizations—as the mole.

Building a botnet shopping list

I did some additional research afterward to check Goncharov's math, and I also looked at some alternative approaches. The underground software market for hacking, fraud, and botnet tools has matured to the point where developers provide most of what you'd expect from legitimate software and online service providers—maybe even more. There's full support for the paid services, including 24/7 voice support in some cases, in a business where positive word of mouth in forums is the best (and often only) advertising. And there's no shortage of "consultants" to help you get started.
Botnet software itself is an important part of the whole equation, but it's only a fraction of first-month startup costs—and one that's fungible if you're willing to invest some of your own sweat equity in the setup (or dispense with the "legitimate" route and use a cracked version without software support). Just like any Internet business, launching a financial fraud botnet—or any kind of long-running botnet endeavor—requires a sustainable business plan. You need to know your target market, ensure distribution, keep your installed base a step ahead of the competition, and keep your business processes secure.
Here's a typical botnet-herder's startup shopping list:

A “bulletproof” VPN

Before you start building a bot army of incredible magnitude, you need—just as with any other hacking endeavor of questionable legality—to hide yourself from prying eyes. That means using some sort of tool to avoid monitoring by your ISP, law enforcement, and other cybercriminals. Generally speaking, the best way is a virtual private network.
As confessed LulzSec member Cody Kretsinger found out, not all VPN providers are created equal. He used a service called HideMyAss.com, a VPN and proxy service run by UK-based Privax Ltd. Unfortunately, he didn't read the company's privacy and legal policies, and they gave up his logs when law enforcement came knocking. "Bulletproof" VPN services are ones that claim to be shielded from law enforcement requests because of their location or logging practices. Many of these services have disclaimers about "abuse" of the services, but the fact is that they take a number of anonymous forms of payment (CryptoVPN, for example, accepts Liberty Reserve, Bitcoin, and a number of other similar anonymous payment services). At worst, these services may just cancel your account if it attracts too much trouble.
A typical "bulletproof" VPN service, such as CryptoVPN runs about $25 a month. If you're thinking long-term, you can sign-up for $200 a year. However, it's best not to think long-term if you're botnet-herding; it may behoove you to change services every now and then to keep your profile low.
Budget Botnet Shopper's Price: $25 / month.

A “bulletproof” host

Once you've got your network secured, you need some place to host your botnet's command and control network and all of the other assorted badness needed to launch a massive assault on the unsuspecting world. For those without the skills, time, or desire to simply go hack someone else's server every couple of weeks, that means buying a dedicated or virtual dedicated server from someone who doesn't care what you're doing—lest your botnet's nerve center be wiped during a security sweep or seized by law enforcement.
There are many kinds of "bulletproof" hosts catering to various kinds of customers. Most of them buy space in data centers around the world in places with either weak data privacy laws or plain disregard for what other countries' laws say. This provides a sort of insurance policy for their customers, Goncharov said. At a minimum, the data on the servers won't be given up to law enforcement.
Some are smaller hosting companies such as Hostim VSE, a Romanian hosting company with a Russian language website more targeted at protecting pornographers, pirates, and other targets of DMCA takedown requests. Hostim VSE publicly denounces botnetters and financial fraudsters to prevent attention from local law enforcement. It describes "bulletproof hosting" as "hosting resistant to complaints and other types of attacks on competitors. When placed on a standard website hosting, your site can receive complaints from competitors under the guise of copyright holders. In consequence of this, most other hosting providers disable your site until the circumstances [change]. We also review all such complaints, check its validity, conduct a site audit, demand [the accuser] to produce documents confirming the rights, and otherwise deal with all to settle the conflict, and only then disable the client's site."
All of this, the company says with a wink, takes a lot of time and human resources, and as a small company there may be some delays before it gets around to it. In other words, "don't worry—we're inefficient." Hostim VSE's dedicated servers start at $39/month with additional charges for more bandwidth. The company also, ironically, provides DDoS protection and other support services. But prices for its services will rise dramatically if you're attracting too much attention or using too much bandwidth.
For really hard-core criminal undertakings, there are the more specialized underground "bulletproof" hosting services that are run specifically for malware owners. These offer hosting at a significant markup in exchange for looking the other way. These operations generally don't maintain webpages. They advertise strictly in underground forums and do business over ICQ, Jabber, and other instant messaging.
Enlarge / An ad on a Russian "underground" board for "bulletproof" hosting.
Mihai Ionut Paunescu, the 28-year old Romanian behind underground host powerhost.ro, was caught in December by Romanian authorities. His servers were home to the Gozi financial malware command and control network. Paunescu kept tabs on exactly what sort of business his users were up to and charged accordingly. In some cases, the rates reached thousands per month, averaging better than a 100-percent margin on the servers he managed.
Of course, many of these hosting companies provide support (in some cases, 24-hour voice support via phone or Skype) and help with configuring Apache and MySQL on dedicated hosts for customers who are generally clueless about such things.
Budget Botnet Shopper's Price: $50/month, plus spot "consulting."

Bulletproof domains and “fast flux”

In order for your bots to reach your host reliably, you need some domain names—fully qualified domain names that allow you to have full control over the domain name service (DNS). You'll want a bunch so you can avoid making yourself obvious in the DNS logs of networks that get infected.
You'll also want to register those domains with a registrar that's not going to roll on you and shut you down on the first complaint of abuse. You need someone who will shield your identity from the prying eyes of security firms and law enforcement. In other words, you want a bulletproof registrar. Preferably, it's one that accepts payments via Western Union or some other anonymous service.
Of course, it's never a bad idea to have some additional protection to make sure that you cover your trail completely by using a "fast flux" scheme. This hides your servers' true location by assigning the DNS addresses to a rapidly changing set of proxies. Fast flux providers will take your domains—or even register them for you—and then assign host names to a collection of their own bots. These in turn pass traffic between your bots and your server. By using a short "time to live" for the host "A" name records in the DNS server, fast flux systems create hundreds of potential communication paths for the bots.
Fast flux service is costly. An advertisement on one forum recently offered to support five DNS name servers for customers starting at $800. So for most starting botnet operations getting their feet wet, just registering a few domain names may be enough to begin with.
Budget Botnet Shopper's Price: $50 for five domains.

Your choice of botnet / C&C platform

The current editions of botnet-building frameworks are sometimes sold by their developers for premium prices. Carberp was sold by its developers prior to their recent arrest for a whopping $40,000 as a kit, while the current Zeus toolkit sold for about $400 when it first hit the market. But the market pays what the market can bear, and most first-timers can find less expensive options that are easier to sustain.
Enlarge / A modified version of Zeus retooled with beginner kits, available starting at $1,300.
Do-it-yourselfers who don't care about things like patches and full support can find "cracked" versions of some of these toolkits (or ways to disable their licensing code) for free. There's also an option to pick up older but still supported versions on the aftermarket. Zeus' source code was released to the world last year, sort of turning it into "open source," so you can now purchase supported versions of it for $125, plus $15 per month for updates to the code and $25 for monthly 24/7 new customer support. That could include everything from helping a noob fix a misconfigured server to doing a whole walkthrough of configuring the PHP scripts and MySQL backends for the system over Skype. You could always just use one of those YouTube guides, though, and save some money.
Budget Botnet Shopper's Price: $125, plus $40/month for support.

Web attack “injector” kits

The Zeus botnet's market dominance has created a whole additional ecosystem of software add-ons to make its bots do various things. A big part of that market is "injectors"—the add-on modules that tell the bot what to watch for in browser activity and what code to inject into the browser when it visits targeted websites.
There are financial botnet injectors that insert Web code into banking sites. These injectors try to grab your personal information to hijack your account, make wire transfer withdrawals, or even change the values presented in your online statement to conceal all of it.
Other types of injectors could be used for things like click-fraud—changing the links that users click on to direct them to different websites, while sending a referral code to a Web advertising provider to collect the pay-per-click. Some new botnets have been configured to simply generate clicks in the background on webpages without the computer user seeing them, creating ad revenue without the user scratching his head about why he ended up on a Russian porn site instead of the car insurance site he was trying to visit.
Beginners can buy injector packs for a set of banks through marketplaces and pay for direct support to help install, tune and customize them. In some cases, these require some server setup as well to properly harvest the data collected. It sounds complicated, but there are people happy to help you figure it all out for a small fee.
Budget Botnet Shopper's Price: $80, plus $8/month for support.

An exploit tool or service

In order to take command of victims' PCs, a bot herder needs a reliable way of defeating the basic security provided by operating systems, browsers, and e-mail anti-virus scanners. That usually means relying on an "exploit pack" or some other crafted application exploit.
The modus operandi of most bot herders is to use Web links as the delivery method for their malware, sending out streams of spam to potential victims in the hope that someone will fall for their social engineering. One click leads to a webpage set up to drop a package of nastiness on them. There are ready-made exploit packs, loaded with code written specifically for the purpose of planting malware on victim's PCs that can be purchased and installed on a Web server or "rented" as a service.
Botnet builders can rent capacity on these services or outright buy them. A Phoenix exploit kit (like the one used to seed the recent Bamital botnet), can be purchased for $120, plus another $38 per month for patches and technical support, according to Goncharov. BlackHole, another market leader in exploits, offers its latest and greatest as a leased service for $50 a day, with extra fees for traffic overages. BlackHole also comes with an Oracle-like annual license for those who want to deploy on their own server. That costs $1,500 per year, with various add-on functionality fees.
Budget Botnet Shopper's Price: $120 for the kit, plus $38/month for support.

Crypters and dropper builders

The problem with just pushing a Zeus bot in its raw form out to targets through an exploit is that the Zeus bot is bound to be detected by antivirus software because of its signature. To prevent that, botnet-herders turn to "dropper" malware that disguises the bot trojan, delivering it in encrypted form to disguise the file signature of the trojan and its associated files.
Creating a "dropper" requires the services of a malware "crypter." Some are sold as straight software, with added services to see if the signatures of built droppers have been picked up by antivirus companies' databases. Others are sold purely as a service, with timer-based licenses, and may include the antivirus signature check as a built-in service.
There are even crypter services now available on the Web, delivered as a service. One such service offers dropper-building at the rate of $7 per "sample."
Another key to not getting caught is "antisandbox" code that detects if the malware has been dropped onto a sandboxed system or virtual machine—such as those used by digital forensics experts and security analysts. If the code detects that it's been deposited inside such a system, it can prevent the botnet trojan from being deployed and giving up the nature of the code it carries. Antisandbox code is a feature of some crypters.
Enlarge / Screenshots from a "crypter" kit from a forum advertisement—Antivirus database check included.
If you want to save some money—and aren't particularly concerned about whether your bot gets picked up after a while by antivirus scans—there are sites offering "cracked" crypter kits for free.
Enlarge / A blog offering "cracked" crypters and other hacker's helpers, freely downloadable.
Budget Botnet Shopper's Price: $20/month for crypter and accessory licenses.

Special delivery: Spam and social engineering services

But wait! You still have to deliver the exploit link to drop your botnet package on your unsuspecting (or possibly suspecting) victims. How do you get them to click on that link? The traditional route is by blasting semi-convincing spam messages and hoping people are dumb enough to click on a link in them to see a video, download a document, or reconfirm their PayPal information.
Enlarge / Email addresses for people interested in gardening, ready for spamming with that "tomato hookworm tips" phishing attack.
That typically means buying a spam blast, often from another botnet operator. Some spam-masters have moved their focus to social networks and charge not per message but per hit. You can spam out to social networks and over SMS with clickjack links using "borrowed" credentials or leave it to the professionals to do it for you for around a buck per thousand targets.
Enlarge / Facebook and Twitter spamming, powered by hundreds of prebuilt (or stolen) accounts, is available to you—check out our positive reviews from top spammers!
But that's the old-fashioned way. The new-fashioned way is to use "spear-phish" attacks that use social information about the target in some way that convinces them to click the link, either through a social network message in a compromised account or an e-mail that appears to be from a friend. If you want to make it even more convincing, you can always pay someone to hack a victim's e-mail address to get access their account and contacts. Then it's a simple as posing as the victim to fool all their friends.
Enlarge / Any webmail address hacked for you, payment afterward. Thanks, underground marketplace.
For beginners, spam remains the best bet. It can be used to hit a variety of potential targets and it's relatively cheap: cheap spamming services can run as little as $10 per 1 million e-mail addresses, with better services based on stolen customer databases running five to ten times as much.
Budget Botnet Shopper's Price: $50 for an initial blast to qualified addresses.

Economies of scale

Using our budget shopper prices, that adds up to about $576 for the first month of operation.
None of these purchases guarantee success, obviously, and it could take multiple spam attempts and help from other specialists to finally establish that botnet you've dreamed of. Even then, the payoffs are not necessarily that big. There's a glut of botnets already out there and botnet herders may be up against a short window before detection.
On the upside, it's an easy game to buy into—unlike the bigger, more enterprise-scale cyber-crime rings behind big corporate data breaches. While the whales of the cybercrime game may share some of the basic technology approaches with their smaller cousins, they have more in common with the intellectual property stealing "Advanced Persistent Threat" (APT) hackers alleged to be associated with the Chinese military (though they may surpass them in skill). Trend Micro Chief Technology Officer Raimund Genes said during the DC briefing that he thought the recent alleged Chinese APT attacks had been uncovered largely because they lacked the finesse of Eastern European cybercrime rings.
The bigger financial hacking organizations—which are a small number of organizations of hundreds or perhaps even thousands of people—operate in their own closed forums, sometimes on "darknets," where you can only gain access by being invited. While there's some use of botnets by the major cyber-crime rings, they tend to want to protect their investments in the more specialized, targeted attack tools they use. Botnet use is sparse in that space. "Once they get access to the environment," Percoco said, "they then deploy custom pieces of malware that are sometimes written from scratch, brand new, never been utilized before—and they plant them on specific systems within the environment."
As a result, the data breaches caused by these targeted hacks can go on for months, even years before being detected. A study released by Percoco's team at Trustwave in February found that the average targeted attack went more than 210 days before it was detected. And this detection was usually because of a customer complaint or notification by law enforcement or a payment processor, not because antivirus software detected the hack. At some companies, the hacks lasted more than three years without being detected, all while millions of credit card transactions and other data were being pumped back to the hackers.
Botnet operators generally go big or go home in their attacks. But the tools they use can just as easily be applied to the long game if they're used in a targeted fashion and they apply some of the lessons learned by the big-time hacking organizations. "Swiss Army knife" botnets and remote administration tools can be used as part of a poor man's APT by those who are willing to take the time to do the research and social engineering to get their malware in the right place. And just because Zeus and other botnets are a known threat doesn't mean they can't be used in stealth. According to the site ZeusTracker, the average detection rate for Zeus binaries by antivirus software is only 38 percent. And that's for known Zeus botnets.
So take heart, would-be botnetter. With the market saturated with tools, a community of several thousand known botnet operators, and new ways to profit emerging every day, your first botnet could bear a return on investment hundreds of times larger than what you put in. You don't need to know the first thing about coding. Though a lack of morality wouldn't hurt either.

No comments:

Post a Comment