Tuesday, October 30, 2007

Botnet on Demand Service

Once this "rent a botnet" or "botnet on demand" service depending on the perspective made it in the mainstream press, they switched locations, but I'm sure they'll continue to advertise themselves given the potential for such a service. The first screenshot provides the "botnet inventory", as you can see the botnet has a total 35015 infected hosts, but with only 2342 of them online when I last checked. On a per rate of 252 infected hosts for the last two hours, and with 5279 for the last 24, their only problem is to have the malware actually respond, and "phone back home".

From another perspective, "rent a botnet" is a bit different as a service concept next to "botnet on demand" where this service is a combination of the two of these. Rent a botnet means there's an already available inventory, that is they're aware of the exact number of infected hosts they have, and are capable of meeting the demand until their supply gets depleted, which is where "botnet on demand" comes into play. Botnet on demand, like the entire "on demand" concept, doesn't build inventory of infected hosts and sit on them waiting for someone to require them. Instead, infected hosts get "infected" as requested, another indication of their understanding of what malicious economies of scale is all about - anticipating the success of exploiting outdated client side vulnerabilities on a large scale.

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple acccess to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

If the service was a "rent a botnet" it could have increased its chances of having something to do with Storm Worm's "divide and conquer" approach of segmenting the botnet into smaller ones, since Storm Worm is the biggest inventory of infected hosts currently available online. But since they offer the "on demand" feature, thereby indicating they're surveying the demand for the service itself before putting more efforts into building the inventory, I doubt it's Storm Worm related.