The Coming Botnet Stock Exchange 105
Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."
Re:Honeypot? (Score:3, Informative)
This particular problem already exists - and yet there are online exchanges to buy/swap/sell credit card information, bank account info etc. The risk is sold off - so if a guy has 1000 bank accounts (+pin + atm card number etc) with an average of $10,000 on each of them, he sells it to someone who will actually do the hard work at say $20 per account.
Your argument would be the same at the exchanges too... but they exist and thrive. So, a botnet selling cloud computing power is not far fetched.
Re:How to Pay? (Score:1, Informative)
This is one of those things you learn from RTFAing over the years. They use anonymizing proxies, just like they do for everything else: http://www.wired.com/science/discoveries/news/2006/12/72278
crime (Score:2, Informative)
I've been spending more and more time talking to blackhats lately. Frankly, I think they're fascinating people
They are criminals who steal from people. Fascinating people? How sick.
Glamorizing thieves and moral creeps is sending a wrong message especially to young people. If it were up to me I would lock this Robert Hansen into a jail together with his "blackhats" thieves and thrown away the key. This is where he and they belong.
Re:How to Pay? (Score:4, Informative)
That would require physical access to the botnet-master (risky) or knowledge of the physical whereabouts of said person (risky again).
No, I'd much rather set up a paypal account with a fake firm in Tonga, linked to another fake firm on the Cayman Isles. It's apparently impressively difficult to get any information out of Tonga regarding business owners, whatever their background. The same goes for the Cayman Isles. And you could always route it again through Tonga, for double fun. And you wouldn't even have to leave your house. And the best news: there are already providers for it. [offshore-p...sional.com]
Re:Be careful what you wish for. (Score:3, Informative)
Maybe you should read the Windows EULA?
Microsoft and its suppliers provide the Software and support services (if any) AS IS AND WITH ALL FAULTS, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence, all with regard to the Software, and the provision of or failure to provide support or other services, information, software, and related content through the Software or otherwise arising out of the use of the Software. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SOFTWARE.