Friday, June 26, 2009

Making Money with Your Own Stealthy Botnet - Part I

Over the last month or so I've had quite a few conversations with friends and former colleagues concerning what are the "cool" things you could do with your very own private botnet. Most of these conversations stem from them wanting to learn more about what I'm now doing - having joined Damballa a little while ago - and some of the nasty things criminals are doing with their botnets... which often deteriorates into a "if I had a big botnet I'd..." type of discussion.

So, several ideas have been thrown around and I figured it would make an interesting series of blogs.

If I had a botnet...
"If I had a botnet..." is an interesting way of thinking about how criminal use of botnets may evolve over the next few years. While the news is full of stories and stats about monster botnets being built up and the volume of spam they're capable of pumping out, those are actually the boring ones (from a threat perspective) - and probably the least efficient use of a botnet. If your intent is to make money from a botnet, then using it for spam is effectively chump-change.

So, "if I had a botnet... how would I make real money from it?" - that's the killer question, and the one I'm going to explore.

1. The Custom Advertiser
Let's assume that I have a medium-sized botnet of some 50,000 victim hosts - most of which are home PCs on local DSL networks. Since acquiring (or reacquiring) those victims is a raw cost to me, anything I do with my botnet needs to be subtle and go undetected for as long as possible.

The users of the bot-infected computers, like most of the Internet-browsing planet, are constantly surfing sites plastered with advertising. Since my bot-agent is running on their host and is capable of both hooking the TCP/IP stack (i.e. man-in-the-middle) and operating within the browser (i.e. man-in-the-browser), I can intercept, view and edit any Web content before it gets rendered within the browser.

Since advertising seems to be a profitable route, why not replace those ads with ads of my own choosing? It's simple to do - in fact it's damned-near trivial. It's not even a new idea - some major ISPs around the world have toyed with doing similar things in the past (if not actually doing it today).

Armed with this capability to replace advertising (such as anything from ad.doubleclick.net etc.) a handful of business opportunities suddenly appear:
  1. Strike up a deal with a particular organization and offer to plaster their ads on to every page 50,000 people view for an entire day.
  2. Modify the code surrounding the legitimate advertisement such that if the user clicks on it they'll be taken to a different site. This could even be keyword based - for example, any legitimate ads for drugs and health care products get redirected to Canada Online Pharmacy. Think in terms of Phorm for ad replacement.
  3. Replace the advertising with my own ads that are actually just redirects/proxies to ads being served from sites I already control. That way I'm serving legitimate ads, but any click-throughs are being associated with my Web site rather than the site the user was actually on.
  4. Screw around with a company I don't like. Most managed online advertising campaigns are supposed to be targeted at a specific audience, and the advertiser pays through the nose for each click-through. I could plaster their advertising everywhere such that they exhaust their daily online budget really fast and miss their target audience.
I'm sure the list of opportunities could go on and on, but let's look at the feasibility of these replacement scams for making money.
  1. I think it would be a struggle to entice a legitimate/mainstream company to use my advertising services, so I'd be stuck selling to some company comfortable operating in the gray areas of the Internet. This means I'm not going to be able to attract top dollar for the advertising - so maybe I can only charge $2-5k per day. I'm also going to have to be careful of serving up too much of the same advertising to the same people and having them suspect something isn't quite right with their PC and asking questions that could reveal what I'm up to.
  2. I'd likely have to deal with the same kinds of gray companies as for (1), but I could probably make more money. I'd be expecting the same daily rate of return on the advertisement placements (e.g. $2-5k), but I could probably also get a cut of any subsequent sales (e.g. like the way pharma-scam franchises currently work).
  3. This could potentially yield me the most money. It'll be a little unpredictable, and I'd have to be careful not to be detected by the real advertising company (e.g. Google has some pretty sophisticated means for spotting click-fraud, and might catch this vector - but I could do some other magic such as modifying the victims' Referer fields to fake the source of their click). The advantage with this is that I could set it up all online and never actually have to speak with anyone... and I'd get cheques in the mail each month.
  4. I don't think I'd actually make any money out of this unless I approached a competitor to the business being targeted. I might be able to get a few hundred dollars a day, but I'd end up having to explain how the scam works to them - which would shorten the viable life of the scam.
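Seen from the ad network's side, scheme (3) leaves a trace: the click arrives from a page, a host or a Referer that does not match the impression the network actually served. The following is an added example, not code from the original post or from Damballa, of a simple consistency check over constructed impression and click log lines; it assumes a log format where each impression carries an id, the page it was served on and the client IP, and each click carries the same id, the browser's Referer and the client IP.

```python
# Added example (not from the original post): an assumed ad-network check that
# cross-references click records against the impression records they claim to
# follow. Log format and all sample lines below are constructed for illustration.
from urllib.parse import urlparse

IMPRESSIONS = """\
imp=a1 page=https://news.example.org/story/42 ip=203.0.113.5
imp=a2 page=https://news.example.org/story/43 ip=203.0.113.6
imp=a3 page=https://blog.example.net/post/7 ip=198.51.100.9
"""

CLICKS = """\
imp=a1 referer=https://news.example.org/story/42 ip=203.0.113.5
imp=a2 referer=https://ads.proxy-example.test/serve?u=43 ip=203.0.113.6
imp=a3 referer=https://blog.example.net/post/7 ip=192.0.2.77
imp=zz referer=https://blog.example.net/post/8 ip=192.0.2.78
"""


def parse(lines):
    """Turn 'key=value' log lines into a list of dicts (blank lines skipped)."""
    out = []
    for line in lines.splitlines():
        if line.strip():
            out.append(dict(kv.split("=", 1) for kv in line.split()))
    return out


def host(url):
    """Hostname part of a URL, or '' if it has none."""
    return urlparse(url).hostname or ""


def suspicious_clicks(impressions, clicks):
    """Return (impression id, reason) for every click that does not line up
    with the impression it references: no such impression, a Referer host
    that differs from the page the ad was served on, or a client IP that
    differs between impression and click."""
    by_id = {i["imp"]: i for i in parse(impressions)}
    flagged = []
    for c in parse(clicks):
        imp = by_id.get(c["imp"])
        if imp is None:
            flagged.append((c["imp"], "click without matching impression"))
        elif host(c["referer"]) != host(imp["page"]):
            flagged.append((c["imp"], "referer host differs from served page"))
        elif c["ip"] != imp["ip"]:
            flagged.append((c["imp"], "click ip differs from impression ip"))
    return flagged
```

A faked Referer defeats the second check but not the first or third, which is why an impression id that the client cannot forge is the more useful anchor.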
What do you think? Are there some better money-making business opportunities focused around replacing advertising inside the Web browser?

Look out for the next installment of Making Money with Your Own Stealthy Botnet...
