Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response

Botnets for the Masses

Created: 19 Dec 2012 11:02:47 GMT • Updated: 23 Jan 2014 18:10:55 GMT • Translations available: 日本語
Val S's picture
+1 1 Vote
Login to vote

Not so long ago, aspiring bot-herders, who wanted to get started with a botnet of their own, would have to hang out in the right circles or learn how to make one themselves. If they hung out in the right circles they would be provided with guidance and documentation to get started. If they were creative enough and had enough time and skill they could create their own from scratch.

But what if they didn’t have this skill set, or didn’t hang out in the right circles? Just like everything else, they could pay to have someone do it for them. The following examples of crimeware kits for sale have been found in various places on the Internet. Due to various reasons including, enabling the practice of crimeware and legal issues, we cannot confirm that the items being sold are legitimate.  Some have the characteristics of a scam due to inaccuracies in the description (old versions being touted as new) or pricing that does not reflect the going market rate.

Many of you reading this are probably wondering how these individuals are able to advertise and peddle their services, which are completely illegal, out in the open. These transactions often occur in the underground, or “deep web,” but sometimes happen out in the open web as well. The transactions usually happen on forums where people know each other, but we are seeing some on sites that sell other goods as well.

You are probably wondering if this is all a scam. Perhaps, most of the crimeware kit sellers are out for a quick profit, but some of these sites discussed below have a feedback system. Just like an auction and community selling website, a fraudster is not going to last long and will not profit in the long run with a bad reputation. But again, keep in mind that reviews can be from forged accounts or from friends.

Most people who stumble upon the following site would be surprised at the nice interface and professionalism. In addition to illicit items, users can find various categories of interest.  Unlike traditional selling methods seen in the past on underground forums (such as private messages), this site caters to those looking for a range of illegal goods. In this case, we are going to focus on what is under the "Services – Hacking" section.

Figure 1. Market control interface

The screen shot below shows a seller offering “Zeus Fully Setup Botnet + Bulletproof Hosting”. The site, as you can see, is professional looking and has an interface that rivals legitimate e-commerce and auction sites.

Figure 2. Zeus botnet for sale

The seller includes documentation, hosting, and a domain. The seller is offering the complete package for 23.10536 BTC or Bitcoins - $250 USD at time of this screenshot.

This Zeus seller also makes a compelling case to purchase his service, as the description states that he will provide all support, including:

  • Source code
  • Binaries
  • A builder
  • User guides
  • A control panel

In this example below, a question section allows buyers to ask sellers about the product. The answer from the seller reveals that this version of Zeus is outdated, as 1.2.7.11 has been around for a few years now.

Figure 3. Potential buyer asking questions

This seller offers SpyEye:

Figure 4. Spyeye botnet for sale

Figure 5. Seller profile

Just like many trusted e-commerce sites, this seller has a profile page, along with some statements. The seller is trying to provide compelling reasons to purchase his goods:

All my files are 100% virus safe and checked at VIRUSTOTAL.com

I am professional hacker and would never be stupid try to contaminate my customers, because it is script kiddie very ridiculous tek.  I definitively don’t need to lose my time.  I am elite attacking big companies, datacenters, goverments and high skill targets.  Who attacks PC-user are kiddies.

The seller below is advertising Citadel. We can assume this one is fake because Citadel is sold on underground forums in the Russian market, and has a strict vouching process where a prospective new buyer must be referred by someone else. Earlier this year there was a copy of the Citadel license agreement floating around, which stated that Citadel is for the Russian speaking market only and that reselling one-off builds of Citadel is forbidden. The price is also a red flag because it is lower than the market rate:

Figure 6. Fake advertisement for Citadel botnet

Not all sellers are selling their wares on the underground market. We came across this one out in the open, on a website that sells legitimate digital downloads:

Figure 7. Zeus advertised on legitimate download site

The following screen shot is from the same seller, this time offering a fully undetectable (FUD) version of Zeus.

Figure 8. FUD version of Zeus on legitimate download site

What is most interesting here is that this seller provides examples unlike the other sellers in the previous instances. In the “About this item” field the seller provides screenshots of the product, along with links of actual screenshots of victim’s bank records, to compel the prospective buyer to make a purchase. These could merely be grabs from other sources on the Internet, or they could be from the seller himself. The following are edited versions of the screenshots:

Figure 9. Screenshots of victim's bank accounts

The examples provided offer an interesting insight into the anonymous crimeware kit market. Previously, it was necessary to be a member of an exclusive community to purchase these files, but it appears that it is now getting easier. Although the logic of caveat emptor is out the door here, most enterprising criminals, both professional and amateur, who purchase these goods simply do not care. Usually, if they are scammed, it is the cost of doing business for them and they move on. For all of the scams floating around, it can be surmised that someone has to be selling a legitimate product and making a profit, both for the seller and for the criminal. In theory, as with legitimate items, it makes sense that the authors of these crimeware kits will want to distribute them as far and wide as possible (with exceptions, like the authors of Citadel) for a profit.

Observations:

  1. Due to the auction and e-commerce distribution model —if legitimate, these are not likely to be the latest versions of the crimeware kits, as the direct source of the packages are usually sold in member-only forums.
  2. Due to the inaccuracies and lack of descriptions, these versions are likely found elsewhere on the Internet and re-bundled.