DeepSight™ Technical Intelligence

Renting a Zombie Farm: Botnets and the Hacker Economy 

08-08-2014 03:31 PM

Most people assume zombies are only fiction reserved for B movies and popular television shows. While true in the physical world, this is not the case for our digital lives.

A robot network (or “botnet”) consists of a group of “zombie” computers, compromised by malware, which can be controlled by a bot master’s server to perform nefarious tasks. Computers are originally infected via phishing emails, malicious attachments, Exploit Kits, or by hiding scripts on websites which install malware on the user’s machine.

Botnets can be used for many purposes by the bot master who has remote control over them, including:

  • Use as a “spambot” (using SMTP mail relays to send spam)
  • Participation in a distributed denial-of-service (DDoS) attack on a website
  • Serving ads to users of infected machines (as was the case with the now-defunct Bamital botnet)
  • Collecting personal information on the users of the zombie machines
  • Click fraud against online advertisers. The botnet code forces advertisers to pay for illegitimate clicks from the zombie machines (as was the case with the Chameleon botnet)
  • As an Internet proxy server for a cybercriminal (as was the case with the TDSS Botnet)
  • Use of the compromised machines’ processing power to mine Bitcoins (digital currency)

What’s even more interesting than the botnet’s function is the economics behind how a bot master makes their money. Simply put, they use their infrastructure to offer services to other cybercriminals. Similar to Amazon Web Services renting cloud capacity to any number of applications, a bot master will often lease their botnet out to others, who then use it to commit other cybercrimes. This means individuals with little or no skill in creating a botnet can rent one capable of crippling a major website with a DDoS attack for as little as $100-200 USD per day. For more passive attacks, such as acting as a spambot or proxy, botnets can also be rented for only about $500 USD per month, depending on the amount of bandwidth needed.

Would-be bot masters willing to invest the time and energy to save some money can pay even less, downloading a DIY botnet creation kit for less than $20 USD to create their own botnet. These kits are merely the base code for the server bot, meaning the client must still be built, configured, and spread by the builder. Once built, however, the entire bot can be resold for a much higher price or used by the builder however they wish. Many new, home-grown bots are peer-to-peer (P2P) bots, which have no Command & Control (C&C) server to register with and can be more challenging to locate and take down due to their decentralized nature.

Many botnets are sniffed out and snuffed out quickly, which can affect both the reputation of the bot master or builder and the income potential of the botnet. As in any other service industry, review sites exist which compare and contrast the effectiveness of botnets and their bot masters. A poor reputation for either can have serious financial impact.

So how can IT administrators prevent machines under their control from becoming bots? Besides a healthy level of vigilance regarding what your users download (and allow to be downloaded on the network), there are two important ways of combating attacks. The first is to run regular scans on the network, making note of any machines which aren’t up-to-date on patches or which contain malware. Symantec provides many tools which can help automate this task.


  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Symantec recommends that all customers follow IT security best practices.  These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
  • Minimum Recommended Best Practices Include:
    • Use/Require strong user passwords (8-16+ alphanumeric characters, with at least 1 capital letter, and at least 1 special character)
    • Disable default user accounts
    • Educate users to avoid following links to untrusted sites
    • Always execute browsing software with least privileges possible 
    • Turn on Data Execution Prevention (DEP) for systems that support it
    • Maintain a regular patch and update cycle for operating systems and installed software
  • Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity. 
  • For technologies not monitored/managed by Managed Security Services, ensure all signatures are up to date, including endpoint technologies.
  • Ensure all operating systems and public-facing machines have the latest versions and security patches, and that antivirus software and definitions are up to date.
  • Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Do not follow links or open email attachments provided by unknown or untrusted sources.
  • Ensure staff is educated on Social Engineering and Phishing techniques.

However, even more promising might be efforts to cut the so-called “head” off a botnet by taking down the command and control server run by the bot master. Symantec has worked with law enforcement to combine our technical intelligence about some of the highest-profile bots operating on the internet today with the ability of law enforcement to seize the hosting servers and take them down. Most recently, we worked to take down a major click fraud botnet known as Bamital. You can learn more about that effort here.
