The Coming Botnet Stock Exchange
Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."
Honeypot? (Score:4, Insightful)
Yeah, interesting concept but the fear would be that the botnet owner would respond by saying knock, knock, the FBI is here (substitute the agency you think applies if the FBI isn't your cup of tea).
If you do something yourself you know all the players. If you pay someone to do it you don't know if you are walking into a trap.
disclaimer: I'm not too worried about this as I don't plan on taking either route.
Re:Honeypot? (Score:4, Interesting)
"Uh, I don't trust you but I want to search your botnet. Strictly for research purposes."
"I'm trustworthy. I control such-and-such handle over at such-and-such forum. I'm going to post '(some message)' in 5 minutes -- that proves it. But my botnet is expensive. Can you pay?"
"Yeah, here's a paypal gift to prove I have funds."
"Ok, I'm listening. What do you want?"
(And the negotiation goes on from there.)
This is an Apple-like vertical integration of services (but for botnets). The same guy who has "owned" the hardware offers "other services" on his "platform." I couldn't keep a straight face as I typed that.
I don't really think this is a "stock exchange."
Re: (Score:2)
This has been done for years; it's just not money that changes hands, it's other hacked accounts/access/etc. IRC is where I saw it; I'm sure there are other venues as well.
Re: (Score:3, Informative)
This particular problem already exists - and yet there are online exchanges to buy/swap/sell credit card information, bank account info etc. The risk is sold off - so if a guy has 1000 bank accounts (+pin + atm card number etc) with an average of $10,000 on each of them, he sells it to someone who will actually do the hard work at say $20 per account.
Your argument would be the same at the exchanges too... but they exist and thrive. So, a botnet selling cloud computing power is not far fetched.
Re:Honeypot? (Score:5, Insightful)
If I am a security guy for some entity that I fear may contain compromised systems, and potentially be the target of more focused attacks, I can use this hypothetical "botnet stock exchange" to verify my suspicions. "So, I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?" If no, breathe slightly easier. If yes, I now know which of my hosts need serious inspection and rebuilding.
Depending on exactly how the exchange is run, basic checks (i.e. botnet or no botnet, not necessarily specific hosts) might well be cheap or even free. You don't have much of a market if people can't ask "Is anybody selling X?" and receive a useful answer. More specific answers would probably cost you, as would the services of the sorts of grey hats who work for white hats but can talk to black hats; but there are certainly circumstances where it could be cost effective.
Re: (Score:1)
Can this be mitigated? Is it realistic? Will you know how it was compromised?
A primary means black hats use to measure trust for purchases is repeat sales to the same buyer (for differing needs) and maybe some illegal activity e.g. paid via illegal means (to filter out anyone that is constrained to only legal means). Passing those tests is difficult (although possible by professional white-hat-consultants, however white h
Bad title (Score:5, Insightful)
Re:Bad title (Score:4, Funny)
Re:Bad title (Score:5, Funny)
Both involve trusting your money to less than scrupulous people to do all the work for you in hopes that you'll get back more than you put in with no rational reason to back up this hope.
Actually I take that back. The hackers will at least worry about their reputation.
Re:Bad title (Score:5, Funny)
Just wait. In a few years, they'll be applying for a bailout, too.
Re: (Score:1)
Real Stock Exchange:
As best as I understand it that is pretty close to how real stock exchanges work. You don't necessarily sell shares just by saying you want to, someone else has to be prepared to buy them at the price you're asking. Nor can you buy them without someone offering to sell. The stock exchange keeps track of these offers and provides a mechanism to resolve them (OK, so there are stock brokers involved too, but this basic concept is how it works).
Botnet/Compromised Host Stock Exchange
Re: (Score:2)
This: Hackers sell access to compromised computers.
This is more like your typical shady arms dealer than a stock market. Heck, this is even more like your local 7-11 than it is like a stock market - you buy computers rather than milk and cigarettes.
Robert Hansen has access (Score:2, Interesting)
Is SecTheory a harbor for these malicious users? Why does Hansen have such deep contacts?
Another question. (Score:3, Insightful)
Yeah, whatever. If I was an evil cracker I'd be damn sure to randomly target machines so I could use them for my targeted attacks. And I'd want a lot of them so I could bounce the attack through them to make it more difficult to find me.
If anything, if this guy was such a great cracker/hacker, wouldn't he already know about the percentages? Cracking any single specific machine is difficult. Cracking any random mach
How to Pay? (Score:5, Funny)
Re: (Score:1)
Obviously those leave traces all over the place, cash only.
Re: (Score:1, Informative)
This is one of those things you learn from RTFAing over the years. They use anonymizing proxies, just like they do for everything else: http://www.wired.com/science/discoveries/news/2006/12/72278
Re:How to Pay? (Score:5, Funny)
I can hook you up with an acquaintance in Nigeria that's very good with money transfers, let me know.
Re: (Score:1)
It was changed to "Xena" for the actual film.
Re:How to Pay? (Score:4, Informative)
That would require physical access to the botnet-master (risky) or knowledge of the physical whereabouts of said person (risky again).
No, I'd much rather set up a paypal account with a fake firm in Tonga, linked to another fake firm on the Cayman Isles. It's apparently impressively difficult to get any information out of Tonga regarding business owners, whatever their background. The same goes for the Cayman Isles. And you could always route it again through Tonga, for double fun. And you wouldn't even have to leave your house. And the best news: there are already providers for it. [offshore-p...sional.com]
buzzword bingo (Score:2)
Survey (Score:1)
Can somebody do a survey of all of these infected machines and check what OS version they're running?
If there's a growing number of Vista and Win 7 machines then someone should get back to MS and let them know whatever they're doing ain't working.
With all of these security initiatives I'd have thought botnets would have been a shrinking problem - not something that was a growth industry as this article seems to indicate.
Re: (Score:3, Insightful)
If there's a growing number of Vista and Win 7 machines then someone should get back to MS and let them know whatever they're doing ain't working.
OS gains popularity, users on said OS want to see their dancing bunnies.
An operating system is only as secure as the user behind it. I'd guarantee most of the people around here could run a secure, stable Windows system AND be productive on it. But these are the same people who know to surf with adblock, noscript, a firewall and NOT go looking for dancing bunnies
Re: (Score:2, Insightful)
The problem isn't Windows, it's users that are willing to run free-porn.exe that is linked in facebook/email/whatever.
Any operating system is only as secure as the user operating it.
A properly configured Windows 7 machine with a solid antivirus, firewall, and a user who paid attention during 15-20 minutes of information assurance training would be a real bitch to exploit.
Why not use a botnet (Score:1, Interesting)
Why not use (Score:1, Insightful)
the comment field for your comment and the subject line for your subject?
Re: (Score:1)
My guess is that the organized cartels are already doing this.
Except that the second you cash out and it is discovered that the stock was inflated by 100,000 hacked e-trade accounts, you are the number one suspect.
Re: (Score:1, Insightful)
Sadly the latency would make them uncompetitive against Wall Street. They already have bots doing trading. [nytimes.com]
Besides, do you seriously think you can out-crook the financial sector? These are people that can literally sell you nothing for a billion dollars and get away with it.
Penny stocks? Bah! (Score:2)
It's already being done on fractions of a cent in arbitrage between the closes and opens of various stock and currency markets. All legitimate trades, mind you.
Go back and look at the Societe Generale incident from 2008. And that guy was just working with Excel macros!!
crime (Score:2, Informative)
I've been spending more and more time talking to blackhats lately. Frankly, I think they're fascinating people
They are criminals who steal from people. Fascinating people? How sick.
Glamorizing thieves and moral creeps is sending a wrong message especially to young people. If it were up to me I would lock this Robert Hansen into a jail together with his "blackhats" thieves and throw away the key. This is where he and they belong.
Re: (Score:2)
"Mister Spock, you misunderstand us. We can be against him and admire him all at the same time."
"Illogical."
"Totally."
--Space Seed
Re: (Score:3, Insightful)
Be sure to lock up all those teachers who make children's plays based on Robin Hood.
Re: (Score:1, Insightful)
It is counter-productive for a security researcher to not be fascinated by these people. Your moralizing of the issue only holds back any meaningful gathering of knowledge that can be used to mitigate the harm that blackhat hackers can cause to legitimate people. There is a time and place for us to objectively learn more about their culture, technology, and economy for our own well being.
Re: (Score:1, Insightful)
Probably a troll, but I'll bite.
1. Regardless of your knee-jerk reaction to being interested in how "bad people" think, they ARE fascinating, and often very fruitful to study.
2. Assuming you didn't RTFA, I don't see anywhere where he glamorizes black hats.
3. This is akin to a cop going undercover to find out how criminals operate, you think they should be tossed in jail too?
Security research REQUIRES you to think like the "bad guys", it just comes with the territory.
Re: (Score:3, Insightful)
a cop going undercover to find out how criminals operate
This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals of his own will. It is his duty to report the crime in progress.
Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."
Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these pe
Re: (Score:1)
One can well be a good talented programmer and be fascinated by pretty much anything.
Re: (Score:1)
a cop going undercover to find out how criminals operate
This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals of his own will. It is his duty to report the crime in progress.
Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."
Where does Hansen say he was "present at the crime scene"? I assume his contacts didn't give him any incriminating details, so what crimes in progress does he have a duty to report? If he did participate in any crimes, then he is obviously culpable. Otherwise it is a similar situation to a reporter interviewing a criminal, though again a security researcher is lacking the special protections reporters get for that sort of thing.
Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.
No, I've had systems compromised quite a few times before I knew any better,
Re: (Score:1)
I've had systems compromised quite a few times before I knew any better, and had to clean up after many people who have had their systems compromised as well. Although if you mean I haven't been a "serious victim" I guess you are correct, though that wouldn't change my attitude about it. Not studying the problem is a sure-fire way to remain vulnerable to it.
Security technology alone cannot protect against this crime, the same way as a helmet and bullet-resistant vest cannot protect by itself, the same as a steel reinforced door cannot protect by itself.
The law enforcement and our rejection of this type of criminal behavior are necessary too. These people are not Robin Hoods, they are thieves, who steal from families and destroy companies. And it is a pity that a "security professional" associates with them.
There is a difference with a journalist interviewing a
Re: (Score:1)
Your fascination with them is unjustified. It is like a person, who likes to knit, would be fascinated by a criminal, who, say, strangles people with a cord.
It's more like if you like to knit, and are fascinated by someone who knits mind-controlling socks and gets millions of people to wear them on a day-by-day basis without them noticing it.
false equivalency (Score:1)
Whoa, whoa, hold on there a minute!
The botnet is "just about the same" as a stolen gun, a stolen axe, stolen lockpicks, etc. Generic tools have no inherent moral dimension; lockpicks can be used to save a baby locked in a burning building, an axe can be used to build a house for a homeless person, a gun can be used to defend against criminals or to hunt for food.
A tool only h
Re: (Score:2)
Good point. I agree with you that it is a continuous theft.
Hansen's model? (Score:2, Insightful)
He's reposting word for word what happens on a daily basis and it's his model? Is anyone else slightly confused by this?
Though TFA does at least mention "This model makes sense on a number of levels and may well have been implemented already."
There's even underground exchanges between the various botnet holders to some extent. If botnet controller A does not have enough (or any) compromised machines related to a target in one of his customers' shopping lists he'll go to botnet controller B, C, or d-z in order t
I can already see the ticker (Score:2)
That's the shittiest business model EVER! (Score:1)
Re: (Score:1, Insightful)
SlappyBastard wrote:
That's absolute nonsense (unless you're going to use a definition of 'wealth' gamed to mean 'something created in arbitrage'). It's easily proved wrong by simple thought experiments. If I make a chair, I am wealthier by one chair. It doesn't matter whether or not anyone else is willing to pay for the chair. You may be able to argue that if I need something I can't make for myself that the financial system I have to rely on to get has arbitrage as an int
Reality check (Score:1)
My new BotNet... (Score:2)
Hey, I just launched a new BotNet on 127.0.0.1 so if anyone wants to
****** CARRIER LOST *******
Be careful what you wish for. (Score:4, Insightful)
And what happens to FOSS developers who accidentally leave a bug in their code?
Re: (Score:2)
Yes, such a disclaimer of warranty is in the Windows EULA that you agree to when using the product and has been since the beginning.
Re: (Score:2)
If it were that simple that one was free of an implied warranty by being non-commercial there would be no point in putting a disclaimer of warranty in the licenses of FOSS software. The issue, though, isn't as clear as you would like it to seem.
Re: (Score:2)
The obligation doesn't come from the product, it comes from the fact they ask you to pay for it.
Re: (Score:3, Informative)
Maybe you should read the Windows EULA?
Microsoft and its suppliers provide the Software and support services (if any) AS IS AND WITH ALL FAULTS, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses,
Re: (Score:2)
Oh, I'm not talking about what it is, I'm talking about what it should be, legally. And EULAs are not above the law. In fact, EULAs (presented after the sale, as in this case) are not even valid in some countries, like Germany.
Re:I can't believe we are still discussing this .. (Score:5, Insightful)
1. Windows / [insert other exploitable program here (ie. Flash/Adobe PDF reader)]
2. Stupid users
If your user downloads and runs malware, there's almost nothing your OS can do to stop it. The only way to stop it is to force application signing... but who really wants that?
So tell me, which OS would you choose that could stop all malware even with stupid users?
Re: (Score:2)
It would be interesting if enough unsophisticated users who unknowingly run bots decided that something like the iPad is "good enough" for them and they got rid of their PC. I say would be because it's not going to happen.
But to answer your questions, very casual users, and iPhone OS.
Re: (Score:1)
Even app signing wouldn't work; it would have to be open enough to allow small outfits to produce code, and would need to allow devs to test run their code prior to the app signing. Both of those are holes: what's to stop a hacker from making a legit app and then using the same cert on both it and the malware?
*nix without admin rights, and their home dir mounted no_exec with backup taken every 6 hours, admined by dell/HP/etc. No way to install a new app, and no way to run something from the home dir, probl
Re: (Score:2)
*nix without admin rights, and their home dir mounted no_exec with backup taken every 6 hours, admined by dell/HP/etc. No way to install a new app, and no way to run something from the home dir, problem solved.
I guess we need to add the criteria of 'user needs to be productive'.
You can do that in Windows as well, by the way. GPOs and NTFS permissions are wonderful little toys.
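One concrete version of the check behind the noexec suggestion, as an added example that is not part of the thread or anyone's posted code: it parses a constructed /proc/mounts sample (not taken from a real system) to tell whether the filesystem holding a path is mounted noexec, lists the mounts that still allow direct execution, and carries the caveat that an interpreter living on an exec-allowed mount still runs a script from a noexec home directory. Device names, mount options and paths in the sample are assumptions for the example.

```sh
#!/bin/sh
# Added example (not code from the thread): audit noexec coverage from
# /proc/mounts. Uses a constructed sample so it runs offline; on a live
# system pass "$(cat /proc/mounts)" instead of "$SAMPLE_MOUNTS".

# Constructed sample of /proc/mounts (fields: device, mountpoint, fstype, options).
# An /etc/fstab line producing the /home entry would look like:
#   /dev/sda2  /home  ext4  defaults,nosuid,nodev,noexec  0  2
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# mount_point_for MOUNTS_TEXT PATH
# Prints the mount point covering PATH (longest-prefix match; "/" always matches).
mount_point_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }'
}

# mount_has_opt MOUNTS_TEXT MOUNTPOINT OPTION
# Exit status 0 if OPTION is in the option list of MOUNTPOINT, 1 otherwise.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == opt) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# path_is_noexec MOUNTS_TEXT PATH
# Exit status 0 if the filesystem holding PATH is mounted noexec.
path_is_noexec() {
    mount_has_opt "$1" "$(mount_point_for "$1" "$2")" noexec
}

# exec_mounts MOUNTS_TEXT
# Prints every mount point without noexec, i.e. where a dropped binary
# could still be executed directly.
exec_mounts() {
    printf '%s\n' "$1" | awk '
        {
            noexec = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") noexec = 1
            if (!noexec) print $2
        }'
}

# Caveat: noexec only stops the kernel from exec()ing a file on that mount.
# "sh ~/payload.sh" or "python3 ~/payload.py" feeds the file to an interpreter
# that lives on an exec-allowed mount and runs regardless, so noexec on /home
# needs to be paired with interpreter restrictions or application allow-listing.
for d in /home/alice /tmp /var/log; do
    if path_is_noexec "$SAMPLE_MOUNTS" "$d"; then
        echo "$d: noexec (direct execution blocked)"
    else
        echo "$d: executable mount $(mount_point_for "$SAMPLE_MOUNTS" "$d")"
    fi
done
```

Run as-is to see the verdict for the three sample paths; the real audit is `exec_mounts "$(cat /proc/mounts)"`, which lists every mount a user-writable file could be executed from, with /tmp and /dev/shm being the usual surprises even when /home is locked down.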
Re: (Score:2)
Why?
Re: (Score:2)
Why? They can set up their own repositories, and the software would warn the user about updates. They don't have to rely on distros' repositories.
It's true that they would have to make multiple packages, but that's not exactly astrophysics, and can easily be automated in the build process. And the repository itself is usually little more than an HTTP server with a particular directory layout.
Re: (Score:2)
The solution, is obvious too: use another operating system.
And when the windows l^Husers switch to another operating system and want to see their dancing bunnies, then what?
Re: (Score:2)
It's not quite that simple. Proving that a product as complex as a consumer-level GUI operating system is bug-free and secure is in general an undecidable problem.
We can't even prove that our critical, lower-level embedded software (aerospace, health-related, etc) is bug-free, and this is why there is substantially more effort put into ensuring that such software is of high quality. For example there are extensive regulations [wikipedia.org] on how exhaustively testing must be done on various components of an aviation-r
Re: (Score:2)
We can't even prove that our critical, lower-level embedded software (aerospace, health-related, etc) is bug-free
Car braking software...
Re: (Score:2)
We are making Toyota responsible for all the incidents, and possible future incidents with their acceleration issues, aren't we? Why not hold Microsoft responsible for their own products too?
You mean other than the fact that the EULA you agree to when using Windows says that Microsoft disclaims all warranties and Toyota has no such contractual agreement with purchasers of their car? And before you go on about being able to ignore that and claiming EULAs are unenforceable (which is a common slashdot meme but it is wrong) then you would have to say that any such disclaimers in FOSS software would be null and void too thus opening them up to being held responsible for any bugs in their software.