Yury Namestnikov, a security researcher with Kaspersky Laboratories, a Moscow-based IT security firm, says the past 10 years have seen botnets evolve from small networks of a dozen PCs controlled from a single C&C (command and control centre) into sophisticated distributed systems comprising millions of computers with decentralised control.
Poor security on home PCs is largely to blame for the prevalence of botnets, says Namestnikov. Botnet masters sell or rent their networks to other cybercriminals at prices that differ according to the criminal's purpose (see below). Some are suspected of taking government commissions to mask the identity of the real attacker.
More and more botnet masters are using so-called fast flux technology that changes the sending website address every few minutes. This is to avoid detection and preserve their networks. "Fast flux is better than proxy servers at hiding fake websites on the web," says Namestnikov.
Some botnets are used to defraud online advertisers. Botnets can send a single click from each PC to the target advertisement, such as a competitor's Google Adwords advert, to drive up their costs.
According to Click Forensics, fraudulent clicks dropped from a record 17% late last year to 14% in the first quarter of 2009.
"Click fraud traffic from malicious scripted programmes increased in Q1 2009," the firm said. Unlike botnets or malware, these new threats are simple Javascript programmes that execute upon a page view or site visit. Ad networks were found to be especially vulnerable to these attacks during the quarter, it said.
Most click fraud from outside the US came from Canada, UK and Germany, it said.
Botnet price list
Botnet masters have several main sources of income: distributed denial of service (DDoS) attacks, theft of confidential information, spam, phishing, search engine optimisation (SEO) spam, advertising click fraud, and distribution of adware and malicious programmes.
Kaspersky Laboratories has researched prices of illegal applications advertised in chat rooms and clandestine websites to reveal that:
* Hiring a botnet for DDoS attacks costs from $50 to thousands of dollars for a continuous 24-hour attack.
* Stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance.
* Personal data capable of allowing the criminals to open accounts in stolen names costs $5 to $8 for US citizens; two or three times that for EU citizens.
* A list of one million email addresses costs between $20 and $100; spammers charge $150 to $200 extra for doing the mailshot.
* Targeted spam mailshots can cost from $70 for a few thousand names to $1,000 of tens of millions of names.
* User accounts for paid online services and games stores such as Steam go for $7 to $15 per account.
* Phishers pay $1,000 to $2,000 a month for access to fast flux botnets
* Spam to optimise a search engine ranking is about $300 per month.
* Adware and malware installation ranges from 30 cents to $1.50 for each program installed. But rates for infecting a computer can vary widely, from $3 in China to $120 in the US, per computer.
This article was first published by Computer Weekly