Buying botnets: Underground network marks ominous 'milestone'

By Ron Condon, U.K. Bureau Chief 23 Jun 2009 | SearchSecurity.co.uk

Digg This!     StumbleUpon     Del.icio.us

Security researchers develop browser-based darknet Called Veiled, the darknet only requires participants to use an HTML 5-based browser to connect and share data anonymously.

The Golden Cash network operates by recruiting members around the world, providing them with powerful malware toolkits, and paying them a bounty for every PC they can compromise.

Having acquired the infected machines, the group then hires them out at a hefty markup to anyone who wants to use them or plant their own malware on them.

Its origins are still uncertain – though most evidence points to it being based in Russia – and the individuals behind it are unknown. What is certain is that it poses a major threat to all PCs, whether at home or in companies, in the public or private sector.

Full details are presented in Finjan's latest Cybercrime Intelligence Report. "The Golden Cash network is far more than an average affiliation network operated by cybercriminals," it says. "Our research showed that there is something really major behind this one – an entire trading platform of malware infected PCs. It also provides an exploit toolkit with obfuscated code and an attack toolkit to distribute malware."

How Golden Cash works 1. Victim visits a legitimate but compromised website.   2. The compromised website contains a malicious IFrame, causing the victim's browser to pull exploit code from the attacker website that is armed with the exploit toolkit.   3. Upon successful exploitation, a special version of a Trojan, which was especially created for the attacker, is pulled from the Golden Cash server.   4. Once installed, the Trojan reports back to the Golden Cash server, and the attacker's account at Golden Cash is credited with payment for the job done.   5. The first instruction sent by Golden Cash to the victim's machine, is to install an FTP grabber to steal FTP credentials. The victim's machine is now in a pool of infected machines controlled by Golden Cash.    6. The infected machines are offered to other cybercriminals using a dedicated website.  Selling price depends on the location of the infected machines.   7. After purchase, the victim's machine gets instructions from the buyer to install additional malware on his/her behalf.   8. The Trojan on the victim's machine reports back to Golden Cash on successful installation of the buyer's malware.   9. The buyer's account is charged by Golden Cash for the service rendered. The victim's machine goes back in the 'available for more infections' pool for more purchases.

Those running the site act both as buyer and seller of compromised PCs. They will buy malware-infected machines from anyone anywhere in the market, and according to their published price list, will pay $100 per 1,000 infections in Australia but only $5 for a batch of 1,000 infections in other countries, mainly in the Far East. British bots are worth $60 per 1000.

When it comes to selling, prices are considerably higher. Infected Australian PCs go at $500 per 1000, while their British counterparts cost $250. If you want something cheaper, then pay $120 per 1000 U.S. machines, or just $20 for a batch of 1000 Japanese machines.

Golden Cash provides its customers with all the tools they need to go out and infect computers, plus a simple means of getting paid for their efforts. The attack begins with an injection of IFrames into a legitimate website, which redirects users to a malicious website containing an exploit toolkit that infects other visitors.

One such toolkit detailed in the report makes use of obfuscated code, which is designed to get past traditional anti-malware defences and exploit an unpatched vulnerability.

Some of the malware discovered was also designed to collect FTP credentials of legitimate websites from infected PCs. 'These credentials are later being used to enable its partners to insert their IFrames with malicious code into the websites' pages. This creates a highly profitable loop," Finjan's research concludes.

The report adds that researchers found stolen FTP-credentials for around 100,000 Internet domains, including corporate domains from all parts of the world.

Ophir Shalitin, Finjan's marketing manager, described the discovery of Golden Cash as a "milestone, because it automates the cybercrime process. It really lowers the barrier for new cybercriminals. It makes it easy for them. It is a one-stop shop."

Howard Schmidt, president of the Information Security Forum, a user group representing more than 300 large corporations, said the development was symptomatic of a general arms race between the criminal and the security industry.

He said technology alone would never be able to prevent users from acting irresponsibly and getting infected, but it can help. "There will always be people who will say 'Continue' because they want to go ahead despite any warning," he said. "But look at how phishing emails have developed. You have to work really hard to be a victim of a phishing email these days, because of filters that have been built into browsers and email systems. We need to do the same kind of thing at the Web server to prevent infection, although that is a lot more difficult."

Tags: Threat and Vulnerability Management,  Endpoint and NAC Protection,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features USB drive security best practices and processes First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns Web Application Security CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Annual security reports offer some hope Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability Using unique device identification for bank website security Avoid common Web application firewall configuration errors Microsoft gives Internet Explorer a major security overhaul

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary