Build, buy, or lease? The 15-minute botnet

by Avi Turiel


Becoming an Internet criminal is getting easier and easier. With only a few hundred dollars in hand and an Internet connection, anyone can obtain the software and support to build a botnet. And after the initial outlay of cash, a criminal botmaster can quickly realize a significant return on investment through malware distribution, spam, phishing, and even DDoS attacks.

Because the software required to launch a proper botnet is complex and time-consuming to develop, entrepreneurial criminals with a talent for coding are cashing in on botnet purchase and rental schemes by developing the software and then selling it or even leasing use of it — think AWS for the criminally-inclined.

Become Master of Your Own Bot

For criminals concerned about time-to-market, a basic botnet can be constructed in approximately 15 to 20 minutes, once the criminal has decided the purpose of the botnet and determined what key components are needed. Online vendors, tools, and even sponsors are available to help with the construction. Builder kits are available for purchase online and a keyword search can get you to the right website in under five minutes. Once the botnet kit is purchased and made ready, the criminal simply needs to determine the payload, which is usually available in the chosen kit. Set-up of the C&C server is simple using a web host or online cloud service provider.

Cyren researchers examined the steps involved to set up a Zeus Botnet based on freely available software. There are two major steps that must be taken before the malware can be distributed:

  • Set up the server.
  • Assemble the malware.


Simply clicking ‘Install’ sets the Zeus botnet process in motion.


Zeus botnet install on Linux server

Step One: Set Up the Server

To set up the server, the wannabe botnet owner would install the Zeus 2.0.9.15 Management Panel on a Linux server with an Apache Web server and other components. Once the Linux environment is set up, the Zeus software is simply copied over from a zip file. After a few permission changes, the setup process can be activated from any Web browser.

With the installation complete, the Zeus control panel can now be accessed from any Web browser.

Step Two: Assembling the Malware

The next step is assembling the Zeus malware. Naturally, the malware has to be adapted to the newly created management server or C&C. In this instance, the soon-to-be bot owner is in luck, because the creator of the Zeus 2.0.9.15 Management Panel has streamlined the process to make it relatively easy.


Zeus bot configuration and executable builder

To assemble the Zeus malware, the bot owner must first:

  • Set up configuration data which includes all the details of the server.
  • Build the bot configuration using the provided details and using a JPG image. The bot configuration data is embedded into the JPG using steganography (see p. 20).

The result is a bot configuration file and an encrypted configuration inside a JPG image. Then the bot owner:

  • Builds the bot executable file from these components.
  • Saves the bot executable with a filename that will match the distribution campaign, for example “invoice.exe”.

For the aspiring “bot businessperson”, the more challenging part of the setup is the distribution. As mentioned in the Botnet 101 article on p. 3, this can be performed using another existing botnet. For example, the executable file can be distributed as zipped email attachments. A look at the panel after the first victim is infected shows the new bot is now available for commanding.


Zeus control panel with 1st bot connected.
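
From the defender's side, the zipped-attachment delivery described above can be screened at the mail gateway by looking inside each archive. The following is an added example, not part of the original article or of any Cyren product; the function names, the extension list, and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; an assumed, non-exhaustive blocklist.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def scan_zip_attachment(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every archive member that looks executable."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & 0x1:
                # Encrypted content cannot be inspected; only the name is visible.
                reason = "encrypted member"
                if ext in EXECUTABLE_EXTS:
                    reason += ", executable extension"
                findings.append((info.filename, reason))
                continue
            with archive.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":
                # Content check catches executables renamed to look harmless.
                findings.append((info.filename, "PE/DOS header (MZ)"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension"))
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from constructed test content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample: harmless placeholder bytes, not real malware.
SAMPLE = build_sample_zip({
    "invoice.exe": b"MZ" + b"\x00" * 62,
    "invoice.pdf": b"MZ" + b"\x00" * 62,   # executable header behind a document name
    "readme.txt": b"Please see attached invoice.",
    "setup.bat": b"@echo off\r\n",
})
```

Checking the first bytes as well as the extension matters because the filename is chosen by the sender to fit the campaign and can be anything.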

FOR RENT: Botnet. Low Price. Great Location.

Rental is also an option. For as little as pennies a day and a PayPal account, any novice or experienced cybercriminal can rent a botnet. Stressers and booters, as they are known in the cybercrime world, are online services offered by cybercriminals to provide customers with DDoS capabilities, usually for a nominal fee. By utilizing the software as a service (SaaS) subscription model, the average denial of service package might only cost an aspiring cybercriminal $0.66 per day or $19.99/month. Deluxe packages cost $34.99 a month....

Success Requires Planning

More serious botnet entrepreneurs will begin with a business plan that outlines their target victims and forecasts revenues and costs. Security analysts estimate that, if done right, botnets can garner criminals from hundreds of thousands to millions of dollars a year. And consider that most serious botmasters manage more than one botnet. Botnet operators may also vary their campaigns and payloads and target different groups of victims, specializing in certain niches, as in any industry.

The chief takeaway is to understand that botnet and malware developer tools are exceptionally easy and cheap to procure on the Internet, even for the most unsophisticated users. With only a beginner’s knowledge, criminals can leverage basic point-and-click build-your-own botnet kits and begin stealing money and data with minimal effort.

To get further up to speed on everything botnet, download Cyren's free special threat report on botnets.

