Security researcher spots digital hitmen hiring themselves out

According to Brian Krebs of the Krebs on Security newswire, hackers are openly competing to offer services that can take out a rival online business or to settle a score.

There are, he says, dozens of underground forums where members advertise their ability to execute debilitating DDoS attacks for a price.

"DDoS attack services tend to charge the same prices, and the average rate for taking a website offline is surprisingly affordable: about $5 to $10 per hour; $40 to $50 per day; $350-$400 a week; and upwards of $1,200 per month", he says in his latest security posting.

Of course, he notes, it pays to read the fine print before you enter into any contract.

Most DDoS services, he asserts, charge varying rates depending on the complexity of the target’s infrastructure, and how much lead time the attack service is given to size up the mark.

"Still, buying in bulk always helps: One service advertised on several fraud forums offered discounts for regular and wholesale customers", he says.

The unwitting conscripts in these cyber armies, the researcher adds, are hacked PCs that the service owners remotely control via malicious software.

"Some DDoS services disclose how many bots they have corralled into their armies. One service claims: `Average in-line bots from 1,500 to 5,000 bots, enough to work on challenging projects with an anti-DDoS protection, and protection type CISCO GUARD", he says,

"A DDoS gang that has been in operation for at least three years, sells a do-it-yourself DDoS kit that it markets as an easy way to build your own bot army. The Darkness DDoS army creation package includes a bot builder and a Web-based administration panel that is used to remotely monitor and control the bots", he adds.

Krebs goes on to say that, according to the Darkness creators, the bot is continuously being updated by testers and coders - reportedly in its ninth major revision.

Darkness claims, he notes, to be able to configure infected machines for use in four types of DDoS attacks at a moment's notice, and to steal passwords stored by a variety of web browsers and Windows programs.

What’s Hot on Infosecurity Magazine?