Botnets: Hi-tech crime in the UK

Statistics show the enormous amount of spam being sent via botnets in many different nations.
The billions shown in the graph below are likely to be a fraction of the total.

Top spam-spewing countries

Select country to highlight data

Click and drag in the chart to zoom in


Botnets are more than a nuisance, they are also a business. A very big business.

The millions of machines in these global networks are the powerhouse of the net's underground economy. Industries have sprung up dedicated to creating them and keeping them running.

But how do you make money from a botnet? Let us count the ways.

Kit bashing

The first way is at the creation phase because writing viruses that can compromise a PC is hard.

Many hi-tech crime gangs sell kits that automate the process of sending out viruses, infecting machines and forming them into a discrete botnet.

Spam in email inbox Response rates are low for spam but still enough for scammers to cash in

The Zeus kit is one of the most well-known of these and, when first released, cost a few thousand dollars in its basic form. The price climbed if customers bought modules to target specific technologies, such as Firefox forms, or other extras such as making an accompanying virus mutate every time it infected a new host.

For their money, buyers got regular updates and a technical support number to call. They also got a comprehensive tool to control all the PCs they ensnared.

The management console for the kit let botnet controllers interrogate the many machines they had taken over. Significantly, help files for these kits are typically written in English and Russian.

The Zeus kit was a big seller. At its height computers infected with the Zeus trojan were found in almost 200 countries and more than three million machines were infected with it.

In October 2010, 90 people were arrested in the US for being money mules who siphoned off funds stolen via Zeus. The FBI estimates that the criminals running the mules had stolen about $70m.

Buying big

But if a kit is too technically challenging there are other ways to get hold of a botnet, said Jacques Erasmus, a senior security researcher at Webroot.

"You pay and they basically infect people for you," he said. Prices vary depending on which countries you want your victims to be based in.

Credit cards in wallet Criminals get more for the cards they steal if they have all the numbers on them

"Thailand and India are cheap," he said. "Western Europe and the US are much more expensive as they are more likely to have banking services and credit cards, and those boxes are sure to be of more value."

Setting up a botnet of 30,000 victims this way would cost about $5,000 to set up, said Mr Erasmus.

That outlay is dwarfed by the potential return from unfettered access to a household's PC. That will be sizeable as 68% of home net users buy online and 55% bank online, according to statistics from the ONS. One problem botnet controllers face is the time it can take to plough through the long list of credit card numbers and bank accounts they suddenly have access to.

Those stolen cards and accounts can be plundered but the big risk for the average cyberthief is laundering the cash. They can contract out this stage but can lose up to 40% of the money stolen in fees to the laundering organisation. They also might get ripped off and lose everything.

It can be safer to sell lists of credit card numbers online, especially if the expiry date, CVV codes and other identifiers are included. Prices per card have dropped because so many have been stolen. A card with credit on it and the identifying details can fetch about $90 (£57). However, the vast majority of cards go for a few dollars each.

Bank account details are much more saleable and those with cash in them can fetch hundreds of dollars.

The best way to cash in with a botnet involves harnessing the computational horsepower of all those compromised boxes.

Veteran botnet dismantler Tillmann Werner from Kaspersky Labs said: "Spamming is usually the main purpose, but they typically get up to everything that pays."

Stock market listing Spam can be used to profit via stock market prices

Mr Werner was instrumental in shutting down the Hilux/Kelihos botnet that was used for everything from spam, pump and dump stock scams and attacks on websites.

"They did some denial of service attacks with the botnet," said Mr Werner. "They attacked some politically active sites in Russia.

"It's hard for me to imagine they were politically active themselves so they probably got paid for that."

Rental fees

One big moneymaker is spam. About 88% of the billions of junk mail messages sent every day are piped through botnets. Spammers will pay to have that email sent and an insight into how much they will pay came when security researcher Brett Stone-Gross and colleagues managed to penetrate the Cutwail botnet.

The many millions of machines in Cutwail, aka Pushdo, spewed out vast amounts of spam. At its height it was estimated to be behind almost half of all global spam.

Their research showed that spammers were paying $100-$500 for every million messages sent. Alternatively, spammers could pay a lump sum of $10,000 if they wanted to send millions of messages over a period of a month.

The return soon added up and the researchers estimated that Cutwail's controllers could have made up to $4.2m profit in a little over 12 months.

Hi-tech crime terms

  • Bot - one of the individual computers in a botnet; bots are also called drones or zombies
  • Botnet - a network of hijacked home computers, typically controlled by a criminal gang
  • Malware - an abbreviation for malicious software ie a virus, trojan or worm that infects a PC
  • DDoS (Distributed Denial of Service) - an attack that knocks out a computer by overwhelming it with data; thousands of PCs can take part, hence the "distributed"
  • Drive-by download - a virus or trojan that starts to install as soon as a user visits a particular website
  • IP address - the numerical identifier every machine connected to the net needs to ensure data goes to the right place

Increasingly, botnet controllers are using their compromised boxes to carry out novel types of crime that are unique to the net.

In this category, click fraud is a booming business. Many websites get paid when visitors click on the ads that firms such as Google, Yahoo and others use to populate their pages.

Mr Erasmus said many botnets now included code that sprang into life when the real owner of that PC ventured onto the web.

As they browse, this code injects fake clicks on ads into the datastream to hide what is going on. The fake clicks make it look like certain ads are really popular and the owner of that site gets paid for the traffic they are supposedly piping to them.

"If it's active when the user is browsing it's pretty hard to detect," he said.

In recent months Google has moved to block access to certain sites known to be involved in this type of fraud. It can also be used to "poison" the index of results Google serves up to particular queries. This makes booby-trapped webpages rise to the top of the listings and means lots more people fall victim.

In November 2011 the FBI mounted raids in Estonia to snap up members of a gang that were practising a very sophisticated version of this sort of click fraud.

The gang had set up front companies running their own websites to make the fraud look less criminal. About four million computers around the world were enrolled in the botnet behind the scheme and it proved hugely lucrative.

The FBI estimates that the gang behind this botnet scam raked in more than $14m before they were caught.

The BBC would like to extend its thanks to Prof Michel Van Eeten, Prof Johannes Bauer, Hadi Asghari and Shirin Tabatabaie for providing the data for this project.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

  • Dr Mahinder Watsa Dr Sex

    The wisecracking 90-year-old whose advice column is a cult hit


  • Payton McKinnonKilling heat

    Why so many American children die in hot cars


  • Satellite image of debris fieldForensic challenges

    Contamination and tampering could hamper MH17 investigation


  • A tunnel dug by HamasGaza's underworld

    How Hamas spawned network of 'Viet Cong' tunnels


Elsewhere on the BBC

  • SleepSleep on it

    Is it possible to strengthen your brain's synapses while you slumber?

Programmes

  • (File photo) Usain BoltClick Watch

    Challenging the world's fastest man to a virtual race over 40m – can you keep up?

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.