The Coming Botnet Stock Exchange 105
Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."
Honeypot? (Score:4, Insightful)
Yeah, interesting concept but the fear would be that the botnet owner would respond by saying knock, knock, the FBI is here (substitute the agency you think applies if the FBI isn't your cup of tea).
If you do something yourself you know all the players. If you pay someone to do it you don't know if you are walking into a trap.
disclaimer: I'm not too worried about this as I don't plan on taking either route.
Bad title (Score:5, Insightful)
Another question. (Score:3, Insightful)
Yeah, whatever. If I were an evil cracker I'd be damn sure to randomly target machines so I could use them for my targeted attacks. And I'd want a lot of them so I could bounce the attack through them to make it more difficult to find me.
If anything, if this guy was such a great cracker/hacker, wouldn't he already know about the percentages? Cracking any single specific machine is difficult. Cracking any random machine in a specific block would be much easier.
Then you'd use that machine (those machines) to more easily target the specific machine.
Be careful what you wish for. (Score:4, Insightful)
And what happens to FOSS developers who accidentally leave a bug in their code?
Re:I can't believe we are still discussing this .. (Score:5, Insightful)
1. Windows / [insert other exploitable program here (i.e. Flash/Adobe PDF Reader)]
2. Stupid users
If your user downloads and runs malware, there's almost nothing your OS can do to stop it. The only way to stop it is to force application signing... but who really wants that?
So tell me, which OS would you choose that could stop all malware even with stupid users?
Re:Survey (Score:3, Insightful)
If there's a growing number of Vista and Win 7 machines then someone should get back to MS and let them know whatever they're doing ain't working.
OS gains popularity, users on said OS want to see their dancing bunnies.
An operating system is only as secure as the user behind it. I'd guarantee most of the people around here could run a secure, stable Windows system AND be productive on it. But these are the same people who know to surf with adblock, noscript, a firewall and NOT go looking for dancing bunnies.
Re:Honeypot? (Score:5, Insightful)
If I am a security guy for some entity that I fear may contain compromised systems, and potentially be the target of more focused attacks, I can use this hypothetical "botnet stock exchange" to verify my suspicions. "So, I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?" If no, breathe slightly easier. If yes, I now know which of my hosts need serious inspection and rebuilding.
Depending on exactly how the exchange is run, basic checks (i.e. botnet or no botnet, not necessarily specific hosts) might well be cheap or even free. You don't have much of a market if people can't ask "Is anybody selling X?" and receive a useful answer. More specific answers would probably cost you, as would the services of the sorts of grey hats who work for white hats but can talk to black hats; but there are certainly circumstances where it could be cost effective.
Re:crime (Score:3, Insightful)
Be sure to lock up all those teachers who make children's plays based on Robin Hood.
Re:crime (Score:1, Insightful)
It is counter-productive for a security researcher to not be fascinated by these people. Your moralizing the issue only holds back any meaningful gathering of knowledge that can be used to mitigate the harm that blackhat hackers can cause to legitimate people. There is a time and place for us to objectively learn more about their culture, technology, and economy for our own well being.
Re:crime (Score:1, Insightful)
Probably a troll, but I'll bite.
1. Regardless of your knee-jerk reaction to being interested in how "bad people" think, they ARE fascinating, and often very fruitful to study.
2. Assuming you didn't RTFA, I don't see anywhere where he glamorizes black hats.
3. This is akin to a cop going undercover to find out how criminals operate; do you think they should be tossed in jail too?
Security research REQUIRES you to think like the "bad guys"; it just comes with the territory.
Why not use (Score:1, Insightful)
the comment field for your comment and the subject line for your subject?
Hansen's model? (Score:2, Insightful)
He's reposting word for word what happens on a daily basis and it's his model? Is anyone else slightly confused by this?
Though TFA does at least mention "This model makes sense on a number of levels and may well have been implemented already."
There's even underground exchange between the various botnet holders to some extent. If botnet controller A does not have enough (or any) compromised machines related to a target in one of his customers' shopping lists, he'll go to botnet controller B, C, or D-Z in order to find what he needs. Obviously they don't trust each other much, but there is some level of cooperation.
Even targeted hacks will often try the same methods as used to spread botnets in the first place. If you're in that line of business and there are somewhat reliable sources of compromised machines out there that will get you what you need faster, that will a) reduce your own workload and headaches and b) end up with a happier customer for a prompt job completion. (a.k.a. they'll think you're the shit and come back again if they need something else; every business out there, legal or otherwise, needs return customers.)
Come on, these guys are doing highly illegal, highly technical, very high problem-solving-ability-oriented tasks for a living. You think they haven't been doing this for, oh, over a decade now? That's about how dated my information is... I think it's a safe bet to assume it's still going on.
Re:Why not use a botnet (Score:1, Insightful)
Sadly the latency would make them uncompetitive against Wall Street. They already have bots doing trading. [nytimes.com]
Besides, do you seriously think you can out-crook the financial sector? These are people that can literally sell you nothing for a billion dollars and get away with it.
Re:crime (Score:3, Insightful)
a cop going undercover to find out how criminals operate
That is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals of his own will. It is his duty to report the crime in progress.
Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."
Probably you are lucky and were not a victim of these botnet and trojan writers. But these are just about the same crime tools as a picklock, a gun, an ax, etc. And these people are robbers, who just use some other tools.
Your fascination with them is unjustified. It is like a person who likes to knit being fascinated by a criminal who, say, strangles people with a cord.
One can well be a good talented programmer and not be fascinated by moral freaks, who use programming to commit crime.
Re:That's the shittiest business model EVER! (Score:1, Insightful)
SlappyBastard wrote:
That's absolute nonsense (unless you're going to use a definition of 'wealth' gamed to mean 'something created in arbitrage'). It's easily proved wrong by simple thought experiments. If I make a chair, I am wealthier by one chair. It doesn't matter whether or not anyone else is willing to pay for the chair. You may be able to argue that if I need something I can't make for myself, the financial system I have to rely on to get it has arbitrage as an integral component. I might have to agree with that simply because barter of goods and professional services is taxable by the IRS, but the IRS will only accept money, not goods and services, to pay the subsequent taxes.
Re:Survey (Score:2, Insightful)
The problem isn't Windows, it's users that are willing to run free-porn.exe that is linked on Facebook/email/whatever.
Any operating system is only as secure as the user operating it.
A properly configured Windows 7 machine with a solid antivirus, firewall, and a user who paid attention during 15-20 minutes of information assurance training would be a real bitch to exploit.