According to Paul Spencer, general manager at security firm AEP Networks, cybercrime is now a business and botnets are the heart of the cybercrime infrastructure.
"[Reports of] the selling of the botnet by the Iranian Cyber Army doesn't come as any surprise as cyber criminals, just like any other criminals, need to find new ways to make money. But it's no longer just about making a quick buck. The potential for the botnet to be used in a targeted attack against critical infrastructure is very real", he said.
"With the goal of the Iranian Cyber Army to 'conquer virtual space', the move away from defacement attacks against Twitter and Baidu towards malicious botnets sees it aiming to fulfill its powerful objective", he added.
Over at Lumension, meanwhile, Alan Bentley, the IT security vendor's vice president of international, said that the Iranian Cyber Army's decision to sell its botnets is evidence of a more coordinated effort than ever before by the hacking community to execute targeted attacks.
"[While] this is certainly not the first case of malicious code being sold online, with the rise of highly complex attacks like Stuxnet and Zeus, the online hacker shops of old seem like childs play when compared to this new wave of collaborative cyber warfare", he said.
"Cyber criminals are no longer just intent on stealing personal details for a quick cash hit or on sending inconvenient spam emails. They have much bigger prizes in mind, and are creating mechanisms dedicated at corporate espionage and attacking against real-world infrastructures, such as power stations. These attacks are more targeted, more sophisticated, and more potent", he added.
Noa Bar Yosef, data security specialist Imperva's senior security strategist, said that, while botnet rental rates vary depending on a number of factors, prices are falling due to market competition.
There are, he said, many different aspects, which are taken into account when setting the price of a botnet rental – these include the size of the botnet; type of attack (e.g. spam, DDoS, credential fetching); target (military, private organizations, targeted or widespread); plus geo-location and the length of attack.
"A 24-hour DDoS attack can be anything from a mere $50 to several thousand dollars for a larger network attack. Spamming a million emails, given a list, ranges between $150–$200, [while] a monthly membership for phishing sites is roughly $2,000", he said.
Bar Yosef added that, in general, this type of rentware activity doesn't impact the detection of botnets, as many of the command and control servers use fast-flux technology.
This, he explained, is where the server constantly changes, so it is harder to find the 'brains' behind the zombies and take it down.