Malicious hackers and other assorted bad guys looking for new tools for plying their trade this upcoming holiday season will have plenty of toys and services to choose from.
Servicing them is a growing underground market bristling with botnets, Trojans, rootkits, spyware and all sorts of shady services aimed at everybody from the humble do-it-yourself hacker to sophisticated, organized criminal gangs.
"Just like there is a B2B marketplace, now there's a C2C -- criminal-to-criminal -- market," said Don Jackson, security researcher with Atlanta-based security vendor SecureWorks.
And just like their more legitimate commercial counterparts, the operatives in this shadow economy operate on a free market principle, replete with concepts such as volume discounts, customer loyalty programs and referral services, added Makshym Schipka, senior architect for security vendor MessageLabs. "It's not just organized crime that is behind a lot of modern threats" on the Internet, said Schipka.
A lot of the activity is shifting more to a thriving open-market model filled with multiple criminal enterprises and individuals offering a whole portfolio of tools and services that are often just a Google click or two away from those who seek them.
"People are becoming more specialized in delivering goods and services in this market," he said. "You can either buy the things you want, or sell the things you made" with considerable impunity, he said. Just as there's a High Street for legitimate businesses, there's one for online criminals as well, said the London-based Schipka.
Here, according to Jackson and Schipka, are some the items likely to be in high demand by hackers shopping in this underground marketplace this coming holiday season:
- Build A Storm Botnet: This new and uniquely crafted malware tool has been designed with the really high-end hacker in mind and is likely to be one of the hottest items this season, according to Jackson. For prices starting at US$100,000, spammers and other malicious attackers can now buy their very own Storm botnet, complete with fast flux DNS and hosting capabilities. Making it possible is a smart new 40-byte encryption feature supported on the latest Storm variants that hackers can basically use to segment compromised machines into their own little Storm botnets.
"Think of this as an FAO Schwarz kind of item," Jackson says. "Rather than leasing a botnet service and paying bot by bot for a good e-mail run or iFrame blast, you can pay for it all at once and have your own little Storm botnet ," Jackson said. The people who would buy such services are those who have already made their loot using leased services and are looking to start owning infrastructure, he said.
- Rent-A-Bot services: Who needs to buy a botnet when you can lease a perfectly good one by the hour at a fraction of the price? Available in abundance this season, such botnet services are designed to let average spammers deliver a gazillion copies of their malware without them having to invest in the infrastructure needed to do so, Schipka said. For as little as US$100 to US$200 per hour, spammers can get access to a fully functional botnet capable of delivering the finest image spam and body part enhancement ads to millions at the click of a button, he said.
And such rent-a-bots aren't just for spammers anymore, Jackson said. What makes these versatile services so broadly appealing to bad guys is that they can be easily adapted to deliver the malware of choice or to launch distributed denial of service (DDOS) attacks against extortion targets. One example is the BlackEnergy botnet, which can be used to launch DDOS attacks against specific targets for about US$80 per hour, according to Jackson. For those not willing to spend even that much, low-cost options starting at US$10 per hour for one million bots are readily available for conveniently distributing smaller spam loads and malware.
All an enterprising hacker needs to take advantage of such services is a plan, Schipka said. "You would need to figure out your business model and draw up a business plan," he said. "If you were renting a bot for three hours at a US$100 per hour to deliver spam it means you need to make more than that to benefit from the use of the service." If it's some other sort of malware being seeded via a botnet -- such as a keylogger or Trojan -- the cost of purchasing the code would have to be included as well, Schipka he said. "...They'd need to be looking for a botnet with the highest quality and the lowest amount of money."