Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Spam Botnet Businesses Security The Almighty Buck The Internet IT

The Coming Botnet Stock Exchange 105

Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."
This discussion has been archived. No new comments can be posted.

The Coming Botnet Stock Exchange

Comments Filter:
  • Honeypot? (Score:4, Insightful)

    by dhanson865 ( 1134161 ) on Monday March 15, 2010 @01:27PM (#31485142)

    Yeah, interesting concept but the fear would be that the botnet owner would respond by saying knock, knock, the FBI is here (substitute the agency you think applies if the FBI isn't your cup of tea).

    If you do something yourself you know all the players. If you pay someone to do it you don't know if you are walking into a trap.

    disclaimer: I'm not too worried about this as I don't plan on taking either route.

    • Re:Honeypot? (Score:4, Interesting)

      by dch24 ( 904899 ) on Monday March 15, 2010 @01:38PM (#31485320) Journal
      Business does require a certain amount of trust, but it's amazing how money talks. For example, the conversation might go like this:

      "Uh, I don't trust you but I want to search your botnet. Strictly for research purposes."
      "I'm trustworthy. I control such-and-such handle over at such-and-such forum. I'm going to post '(some message)' in 5 minutes -- that proves it. But my botnet is expensive. Can you pay?"
      "Yeah, here's a paypal gift to prove I have funds."
      "Ok, I'm listening. What do you want?"
      (And the negotiation goes on from there.)

      This is an Apple-like vertical integration of services (but for botnets). The same guy who has "owned" the hardware offers "other services" on his "platform." I couldn't keep a straight face as I typed that.

      I don't really think this is a "stock exchange."
      • by waspleg ( 316038 )

        this has been done for years, it's just not money that changes hands it's other hacked accounts/access/etc, irc is where i saw it, i'm sure there are other venues as well.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      This particular problem already exists - and yet there are online exchanges to buy/swap/sell credit card information, bank account info etc. The risk is sold off - so if a guy has 1000 bank accounts (+pin + atm card number etc) with an average of $10,000 on each of them, he sells it to someone who will actually do the hard work at say $20 per account.

      Your argument would be the same at the exchanges too... but they exist and thrive. So, a botnet selling cloud computing power is not far fetched.

    • Re:Honeypot? (Score:5, Insightful)

      by fuzzyfuzzyfungus ( 1223518 ) on Monday March 15, 2010 @02:02PM (#31485694) Journal
      There is a notable risk for the botnet owner, as well.

      If I am a security guy for some entity that I fear may contain compromised systems, and potentially be the target of more focused attacks, I can use this hypothetical "botnet stock exchange" to verify my suspicions. "So, I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?" If no, breath slightly easier. If yes, I now know which of my hosts need serious inspection and rebuilding.

      Depending on exactly how the exchange is run, basic checks(ie. botnet or no botnet, not necessarily specific hosts) might well be cheap or even free. You don't have much of a market if people can't ask "Is anybody selling X?" and receive a useful answer. More specific answers would probably cost you, as would the services of the sorts of grey hats who work for white hats but can talk to black hats; but there are certainly circumstances where it could be cost effective.
      • > I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?

        Can this be mitigated? Is it realistic? Will you know how it was compromised?

        A primary means black hats use to measure trust for purchases is repeat sales to the same buyer (for differing needs) and maybe some illegal activity e.g. paid via illegal means (to filter out anyone that is constrained to only legal means). Passing those tests is difficult (although possible by professional white-hat-consultants, however white h

  • Bad title (Score:5, Insightful)

    by Galestar ( 1473827 ) on Monday March 15, 2010 @01:28PM (#31485148) Homepage
    How is this a "stock exchange"?
    • by K. S. Kyosuke ( 729550 ) on Monday March 15, 2010 @01:32PM (#31485224)
      I guess they are going to set up their office at Firewall Street.
    • by Anonymous Coward on Monday March 15, 2010 @01:41PM (#31485372)

      Both involve trusting your money to less than scrupulous people to do all the work for you in hopes that you'll get back more than you put in with no rational reason to back up this hope.

      Actually I take that back. The hackers will at least worry about their reputation.

    • by eviloverlordx ( 99809 ) on Monday March 15, 2010 @02:09PM (#31485778)

      Just wait. In a few years, they'll be applying for a bailout, too.

    • Re: (Score:2, Funny)

      by hatemonger ( 1671340 )
      Agreed. My first thought after reading the title was a large network of machines making microsecond stock purchases and sales with other machines, hoping that its algorithms are good enough to turn a profit. Some senior British official proposed a small fee per stock transaction to prevent that from happening, claiming that it would hurt the "buy and hold" stock purchasers, but I hadn't heard anything for a while. Samsonite? I was way off!
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      It's also just an idea someone put out. There's now evidence it's "Coming". We've all been bitching about fraudulent Slashdot titles for years. I don't think they'll ever stop with the hype.
    • Real Stock Exchange:

      As best as I understand it that is pretty close to how real stock exchanges work. You don't necessarily sell shares just by saying you want to, someone else has to be prepared to buy them at the price you're asking. Nor can you buy them without someone offering to sell. The stock exchange keeps tracks of these offers and provides a mechanism to resolve them (OK, so there are stock brokers involved too, but this basic concept is how it works).

      Botnet/Compromised Host Stock Exchange

      • Stock Market: Company releases shares of itself to investors in order to raise capital. Investors purchase these shares as "equity" into that company.

        This: Hackers sell access to compromised computers.

        This is more like your typical shady arms dealer than a stock market. Heck, this is even more like your local 7-11 than it is like a stock market - you buy computers rather than milk and cigarettes.
  • Is SecTheory a harbor for these malicious users? Why does Hansen have such deep contacts?

    • Another question. (Score:3, Insightful)

      by khasim ( 1285 )

      He's not the type to hack randomly, he's only interested in targeted attacks with big payouts.

      Yeah, whatever. If I was an evil cracker I'd be damn sure to randomly target machines so I could use them for my targeted attacks. And I'd want a lot of them so I could bounce the attack through them to make it more difficult to find me.

      If anything, if this guy was such a great cracker/hacker, wouldn't he already know about the percentages? Cracking any single specific machine is difficult. Cracking any random mach

      • The basic principle of botnet herding obviously involves spamming botnet trojans through whatever vectors available, but it's the utilization of these resources that is discussed. Imagine what havoc a dedicated person could cause through, let's say, insider trading?
  • How to Pay? (Score:5, Funny)

    by MrTripps ( 1306469 ) on Monday March 15, 2010 @01:31PM (#31485208)
    So you have just hired a bot master. How do you pay them? You know they are dirty hackers, so it isn't like you would just give them your credit card number or Pay Pal account. Maybe the guy just wakes up and finds a crate of Jolt and Hot Pockets on his doorstep.
    • Obviously those leave traces all over the place, cash only.

    • Western Union. "From anywhere, to anyone".
    • Re: (Score:1, Informative)

      by Anonymous Coward

      This is one of those things you learn from RTFAing over the years. They use anonymizing proxies, just like they do for everything else: http://www.wired.com/science/discoveries/news/2006/12/72278

    • by v1 ( 525388 ) on Monday March 15, 2010 @01:50PM (#31485508) Homepage Journal

      I can hook you up with an acquaintance in Nigeria that's very good with money transfers aquaintenance, let me know.

    • by Aradorn ( 750787 )
      'OK, if I decide to do this, I'm gonna need an unlimited supply of Xena tapes, and Hot Pockets'.
      • Original line, which was also used in previews/commercials, was: "OK, if I decide to do this, I'm gonna need an unlimited supply of Star Trek tapes, and Hot Pockets."

        It was changed to "Xena" for the actual film.
    • Why not just use cash? You know like the classic brief case of greenbacks in a shady area of town.
      • Re:How to Pay? (Score:4, Informative)

        by St.Creed ( 853824 ) on Monday March 15, 2010 @03:20PM (#31487062)

        That would require physical access to the botnet-master (risky) or knowledge of the physical whereabouts of said person (risky again).

        No, I'd much rather set up a paypal account with a fake firm in Tonga, linked to another fake firm on the Cayman Isles. It's apparently impressively difficult to get any information out of Tonga regarding business owners, whatever their background. The same goes for the Cayman Isles. And you could always route it again through Tonga, for double fun. And you wouldn't even have to leave your house. And the best news: there are already providers for it. [offshore-p...sional.com]

        • The site you refer to doesn't seem to even provide a Tonga service. I also notice they pretend to be a country in themselves when marketing their Casino license service. Regretfully this field also has a lot of "black hats" operating within it, not necessarily these guys, yet the indications are there. When shopping for services like that its always better to look at vendors that operate from a slightly better regulated jurisdiction, like for example Cyprus. Here is an example http://www.internetincorporat [internetincorporate.com]
  • Cloud Computing FTW!!!
  • Can somebody do a survey of all of these infected machines and check what OS
    version they're running?

    If there's a growing number of Vista and Win 7 machines then someone should
    get back to MS and let them know whatever they're doing ain't working.

    With all of these security initiatives I'd have thought botnets would have been a shrinking
    problem - not something that was a growth industry as this article seems to indicate.

    • Re: (Score:3, Insightful)

      by Volante3192 ( 953645 )

      If there's a growing number of Vista and Win 7 machines then someone should
      get back to MS and let them know whatever they're doing ain't working.

      OS gains popularity, users on said OS want to see their dancing bunnies.

      An operating system is only as secure as the user behind it. I'd guarentee most of the people around here could run a secure, stable Windows system AND be productive on it. But these are the same people who know to surf with adblock, noscript, a firewall and NOT go looking for dancing bunnies

    • Re: (Score:2, Insightful)

      by Agarax ( 864558 )

      The problem isn't Windows, it's users that are willing to run free-porn.exe that is linked in facebook/email/whatever.

      Any operating system is only as secure as the user operating it.

      A properly configured Windows 7 machine with a solid antivirus, firewall, and a user who paid attention during 15-20 minutes of information assurance training would be a real bitch to exploit.

  • Why not use a botnet (Score:1, Interesting)

    by linzeal ( 197905 )
    To trade stocks in the first place? Buy some penny stocks/junk bonds whatever and get/steal/buy enough logins to various brokerages than just pump the price at an opportune time, take the money and run.
    • Why not use (Score:1, Insightful)

      by Anonymous Coward

      the comment field for your comment and the subject line for your subject?

    • My guess is that the organized cartels are already doing this.

      Except that the second you cash out and it is discovered that the stock was inflated by 100,000 hacked e-trade accounts, you are the number one suspect.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Sadly the latency would make then uncompetitive against Wall Street. They already have bots doing trading. [nytimes.com]

      Besides, do you seriously think you can out-crook the financial sector? These are people that can literally sell you nothing for a billion dollars and get away with it.

    • Re: (Score:2, Interesting)

      by Danimoth ( 852665 )
      This happens on a rather frequent basis. I work on a trading desk which sees some retail customer order flow. Every now and then fraudulent pump and dump stocks come to our attention. Its usually not too hard to figure out that some order for 5x the average daily volume in a penny stock is fraudulent. Not to hard to track down the customer to give them a call and find out that they had no idea their account was broken into. A much more effective way is to send the orders a few hundred or thousand share
    • It's already being done on fractions of a cent in arbitrage between the closes and opens of various stock and currency markets. All legitimate trades, mind you.

      Go back and look at the Societe Generale incident from 2008. And that guy was just working with Excel macros!!

  • crime (Score:2, Informative)

    by Max_W ( 812974 )

    I've been spending more and more time talking to blackhats lately. Frankly, I think they're fascinating people

    They are criminals who steal from people. Fascinating people? How sick.

    Glamorizing thieves and moral creeps is sending a wrong message especially to young people. If it were up to me I would lock this Robert Hansen into a jail together with his "blackhats" thieves and thrown away the key. This is where he and they belong.

    • "Mister Spock, you misunderstand us. We can be against him and admire him all at the same time."
      "Illogical."
      "Totally."

      --Space Seed

    • Re: (Score:3, Insightful)

      Be sure to lock up all those teachers who make children's plays based on Robin Hood.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      It is counter-productive for a security researcher to not be fascinated by these people. Your moralizing the issue only holds back any meaningful gathering of knowledge that can be used to mitigate the harm that blackhat hackers can cause to legitimate people. There is a time and place for us to objectively learn more about their culture, technology, and economy for our own well being.

    • Re: (Score:1, Insightful)

      by azmodean+1 ( 1328653 )

      Probably a troll, but I'll bite.

      1. Regardless of your knee-jerk reaction to being interested in how "bad people" think, they ARE fascinating, and often very fruitful to study.
      2. Assuming you didn't RTFA, I don't see anywhere where he glamorizes black hats.
      3. This is akin to a cop going undercover to find out how criminals operate, you think they should be tossed in jail too?

      Security research REQUIRES you to think like the "bad guys", it just comes with the territory.

      • Re: (Score:3, Insightful)

        by Max_W ( 812974 )

        a cop going undercover to find out how criminals operate

        This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals on his own will. It is his duty to report the crime in progress.

        Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."

        Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these pe

        • How in the world can you try and objectify others' fascination?

          One can well be a good talented programmer and be fascinated by pretty much anything.
        • a cop going undercover to find out how criminals operate

          This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals on his own will. It is his duty to report the crime in progress.

          Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."

          Where does Hansen say he was "present at the crime scene"? I assume his contacts didn't give him any incriminating details, so what crimes in progress does he have a duty to report? If he did participate in any crimes, then he is obviously culpable. Otherwise it is a similar situation to a reporter interviewing a criminal, though again a security researcher is lacking the special protections reporters get for that sort of thing.

          Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

          No, I've had systems compromised quite a few times before I knew any better,

          • by Max_W ( 812974 )

            I've had systems compromised quite a few times before I knew any better, and had to clean up after many people who have had their systems compromised as well. Although if you mean I haven't been a "serious victim" I guess you are correct, though that wouldn't change my attitude about it. Not studying the problem is a sure-fire way to remain vulnerable to it.

            Security technology alone cannot protect against this crime, the same way as a helmet and bullet-resistant vest cannot protect by itself, the same as a steel reinforced door cannot protect by itself.

            The law enforcement and our rejection of this type of criminal behavior are necessary too. These people are not Robin Hoods, they are thieves, who steal from families and destroy companies. And it is a pity that a "security professional" associates with them.

            There is a difference with a journalist interviewing a

        • I find your moral reasoning lacking. What, you think that he'l "turn to the dark side"? That professional mercenary botnet/malware distributors actually care about "professional admiration" and will up their ante because of it? What is it that makes fascination with evil/amoral people inherently "wrong"?
        • "The head of the Department of Post-Mortem Communications shrugged and sighed. ‘Look,’ he said, as if weary of having to explain so often, and sighed again. ‘I am supposed to be the bad person as defined by university statute, right? I am supposed to listen at doors. Supposed to dabble in the black arts. I’ve got the skull ring. I’ve got the staff with the silver skull on it—’ ‘And a joke-shop mask?’ said Glenda. ‘Quite serviceable as a matter of f
        • by hoelk ( 1537469 )

          Your fascination with them is unjustified. It is like a person, who likes to knit, would be fascinated by a criminal, who, say, strangle people by a cord.

          it's more like if you like to knit, and is fascinated by someone who knits mind-controlling socks and gets millions of people to wear them on a day-by-day basis without them noticing it.

        • But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

          Whoa, whoa, hold on there a minute!

          The botnet is "just about the same" as a stolen gun, a stolen axe, stolen lockpicks, etc. Generic tools have no inherent moral dimension; lockpicks can be used to save a baby locked in a burning building, an axe can be used to build a house for a homeless person, a gun can be used to defend against criminals or to hunt for food.

          A tool only h

    • Look, I hate to break it to you - "security researchers" are basically crackers with morals who, for obvious reasons, would like to live in civilized society without being ostracized. A lot of "them" go "a tad bit" neurotic because of the inherent contradictions in this, but that's how it is. And if you're incapable of feeling more than one emotion towards a thing, concept or person, you're severely emotionally underdeveloped.
  • Hansen's model? (Score:2, Insightful)

    by Ironhandx ( 1762146 )

    He's reposting word for word what happens on a daily basis and its his model? Is anyone else slightly confused by this?

    Though TFA does at least mention "This model makes sense on a number of levels and may well have been implemented already."

    Theres even underground exchanges between the various botnet holders to some extent. If botnet controller A does not have enough(or any) compromised machines related to a target in one of his customers shopping lists he'll go to botnet controller B, C, or d-z in order t

  • HX Stocks rose today, as they aquired Zues.
  • All wealth is created in arbitrage. All wealth arises in the differences between what I know, what I can do, what I want to do and what you know, what you can do and what you want to do. If you hand over your target information, you've closed the gap so much that profit will disappear altogether -- especially if the botnet owner involved figures out what he can gain from the target.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      SlappyBastard wrote:

      All wealth is created in arbitrage.

      That's absolute nonsense (unless you're going to use a definition of 'wealth' gamed to mean 'something created in arbitrage'). It's easily proved wrong by simple thought experiments. If I make a chair, I am wealthier by one chair. It doesn't matter whether or not anyone else is willing to pay for the chair. You may be able to argue that if I need something I can't make for myself that the financial system I have to rely on to get has arbitrage as an int

  • The concept seems sound and trades are not uncommon in the cracker world but this is not the problem. - "How do you know that your system is secure?" - "Aaaa, I have an antivirus and broadband router that is handling my Internet connection. That should keep me safe" - "Ok. And why are there all those ports opened on your router?" - "Well, I'm forwarding everything through it in order to be able to play _______" (Insert game name here) - "I see. Ok." An antivirus and a firewall will not help you if you are
  • Hey, I just launched a new BotNet on 127.0.0.1 so if anyone wants to
    ****** CARRIER LOST *******

"We don't care. We don't have to. We're the Phone Company."

Working...