The Malware Business Model

We hear a lot about various security and privacy problems throughout the world, and we rightly fear for our digital safety; but we seldom stop to consider the intentions of these attackers and why our data is so important to them. As I've mentioned before, the issues surrounding our digital culture aren't so much about privacy as about data ownership; and the first step to ensuring that you own your data is to ensure that you own your computer.

We tend to think of botnets as being a collection of bots, or infected computers, that are nothing more than zombies. And while this may have been true at one point, this is no longer the case: bots are not zombies. The infection that haunts them is far more subtle than anything resembling a "zombie," and recognizing that you're a bot takes far more effort than most users are capable of exerting. Simply put: You can be a bot and never know it.

After all, the owner of the botnet is not interested in your computer: You are the tool being used to achieve a higher purpose. Keeping you oblivious keeps you from doing pesky things like reinstalling Windows or calling Geek Squad, so there are a lot of reasons for an attacker to be extremely subtle in their use of your computer.

So what is a botnet?

A botnet is a collection of bots, or compromised computers, that are centrally controlled through various protocols. We could spend hours on the different command and control methods and protocols used by botnets, but that will be covered in a subsequent post on protection methods. For now, it serves our purpose to think of a botnet as a collection of bots controlled through a text chat service known as Internet Relay Chat, or IRC. A malicious attacker has the bots connect to an IRC chat room, where the operator issues commands (manually or through scripts) to the bots based on their objective.

These objectives can vary greatly, but the underlying fact is this: these attackers are running a business. Within this business, their botnet acts as a sort of geographically dispersed server farm that can provide a wide array of services that the botnet owner can sell to the highest bidder. 

Proxy Servers

Imagine that you wanted to breach a bank's cyber security measures, but you didn't want to be easily traced. You would likely utilize something known as a Proxy Server that acts on your behalf and obfuscates your identity.

Source: Wikipedia

Defenders of the bank would see your incoming traffic as originating from the proxy, but law enforcement could simply subpoena your information from the proxy operator and determine your identity. So what if you instead routed through a personal computer owned by an old lady in Georgia, then a businessman's machine in China, then a laptop in Germany?

This provides multiple layers of obfuscation and creates a huge international incident were law enforcement to attempt to extract this information from citizens of other countries; so they typically don't.

Distributed Denial of Service (DDOS)

While the first service a botnet operator can sell is defensive, the Distributed Denial of Service (DDOS) is the simplest, most brutish, and least technical service available to a black hat businessman. The botnet simply floods a target with enough traffic to crash its network infrastructure and render it inoperable to legitimate users, to the economic and tactical disadvantage of the target.

Massively Parallel Processing

These next two are the only services that actually place a large amount of value on the number of bots within a botnet. The first is Massively Parallel Processing: the use of many (hundreds or thousands of) processing units, in this case bots, to solve complex problems. Not all uses of Massively Parallel Processing are nefarious; Hadoop is a perfect example of a legitimate use. Black hat hackers, however, would be more interested in using your computer to crack the password of their intended target.

Password cracking involves taking a hashed (think: obfuscated, but not encrypted) password, guessing what it might be, hashing your guess with the same algorithm, and then comparing the two hashed strings. If the hashes are identical, you've guessed the correct password; otherwise, you have to guess again. An individual computer can make millions of guesses every second, but given the near-infinite number of combinations, this still requires a lot of computing power. Botnets help with this.
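The hash-and-compare loop described above, as an added example that is not part of the original post; the wordlist, password and salt are constructed for the demo. It also shows the defender's side of the economics this post argues for: a table of hashes computed once works against every unsalted fast hash, while a per-record salt plus a PBKDF2 work factor forces the full cost to be paid again for every guess against every record.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demo (not from the original post).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]
ITERATIONS = 100_000  # PBKDF2 work factor: every guess must repeat this much work


def fast_hash(pw: str) -> str:
    """Unsalted single SHA-256: cheap to compute, identical for identical passwords."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_salted_hash(pw: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-record random salt (the defender's storage choice)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def hash_and_compare(stored: str, hash_fn, wordlist):
    """The guessing loop from the text: hash each candidate the same way and compare.
    Returns (matching_guess_or_None, number_of_hash_computations_spent)."""
    for spent, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(hash_fn(guess), stored):
            return guess, spent
    return None, len(wordlist)


def precomputed_table(wordlist) -> dict:
    """Hash the wordlist once and reuse it against every unsalted record
    (the simplest form of the lookup-table / rainbow-table idea)."""
    return {fast_hash(w): w for w in wordlist}


def attacker_work(wordlist, iterations: int, records: int) -> dict:
    """Hash computations needed to try the wordlist against `records` stolen hashes."""
    return {
        "unsalted": len(wordlist),                            # table built once, reused
        "salted_slow": len(wordlist) * iterations * records,  # redone per record, per guess
    }


if __name__ == "__main__":
    salt = os.urandom(16)
    unsalted, salted = fast_hash("letmein"), slow_salted_hash("letmein", salt)
    print("table lookup, unsalted:", precomputed_table(WORDLIST).get(unsalted))
    print("table lookup, salted:  ", precomputed_table(WORDLIST).get(salted))
    print("guess loop, salted:    ", hash_and_compare(salted, lambda g: slow_salted_hash(g, salt), WORDLIST))
    print("work for 1,000 records:", attacker_work(WORDLIST, ITERATIONS, 1000))
```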

Source: Department of Homeland Security

(Dark) Search Engine Optimization

Search Engine Optimization (SEO) is an offshoot of marketing that is primarily interested in optimizing a website's ranking in search engine results. The overall goal is to have your website placed at the top of the results for a query related to your website's topic (for example: Easy Runner wants to show up when I search for "Running Shoes"). Dark Search Engine Optimization is the malicious use of search engine algorithms to artificially rank a website in search results, through things like keyword stuffing, or by artificially driving traffic to an illegitimate website to make it appear legitimate.

So why is this a malicious service? Promoting a website to the top of the results can lead victims to your website where you can install cookies or malware through drive-by-downloads (discussed below).

Affiliate Marketing

Affiliate Marketing is a fancy term for referring people to products on the internet.  Essentially, if you sign up as an affiliate for a retailer (like Amazon), whenever someone clicks on one of your links, you get a portion of the proceeds.  With botnets, this can be abused by having bots click on these links to order products for their victims, the affiliate gets a kickback, and most victims are stuck with a product that they must keep or return.

Spam

Spam operates as a vehicle for a whole lot of other nastiness, some of which we'll cover below. But even when it isn't operating as a vehicle, spam is a lot like junk mail for the Internet.  It costs very little to send out to everyone, so they send it to everyone. However, it takes postal workers to send out this amount of junk mail, and that's where botnets come in.

Social Engineering

Social engineering is the overarching construct of using the human element to gather information about a target or influence an individual to perform a desired action. Phishing is probably the most commonly known type of social engineering, but it's far from the only example.  Anything that gets you to do something you wouldn't normally do in order to benefit the attacker is social engineering.  Take the Islamic State of Iraq and Syria for example.  They use botnets to game Twitter hashtags in order to influence the way in which the media perceives them. 

Malware Delivery

The final service that botnets can provide their owners is malware delivery. Malware is any software that runs on a system without the owner's informed consent, typically to the owner's detriment. There are various types of malware, including: Spyware, Keyloggers, Worms, Viruses, Adware, Trojans, and Rootkits. These software packages can be packed, obfuscated, and delivered through something known as a drive-by-download (where a user visits a website and the malware is installed automatically), through spam, or through direct access to the computer.

So what is the Malware Business Model?

The Malware Business Model is an attempt to understand the business cases used by hackers in order to better understand how to prevent their success. Now, obviously, there isn't much of a hacker manifesto that outlines the best practices of hacking, but we can infer one from the Certified Ethical Hackers who act as the good guys: Breaking our stuff and showing us how to fix it. According to the Ethical Hacking material, a successful attack is broken down into five distinct stages:

In the Reconnaissance stage, attackers gather knowledge about their targets (both with and without the targets' knowledge) through tools like WHOIS, whois.net, Netcraft, NSLOOKUP and traceroute, or by using a combination of spam and drive-by-downloads to log IP addresses.

In Scanning and Enumeration, the attackers attempt to gain detailed information about the target's network and start developing a way to manage it. It's essentially network administration for nefarious reasons, and they use a lot of the same tools, including SNMP.

Once the attackers know enough information to act, they Gain Access to the network by attempting to compromise the login credentials of an administrator, user, or SNMP account.  They can do this by using a botnet to attempt to crack a password through a brute force attack, through the use of a rainbow table, or by changing the password in DOS.

The focus then moves on to attempting to Maintain Their Access to the network's resources and actually carry out the attack. This step varies wildly depending on the intentions of the attacker and can include data recovery, data deletion, or installing malware.

Once the attack is completed (or in progress), the attackers attempt to Cover Their Tracks and avoid detection to enable the completion of their primary mission and to avoid being held accountable for their actions.

Now, why is this important? I think this perspective is one that we don't often see, and it's imperative to understand your adversaries in order to protect yourself against them. Hacking is no longer the domain of bored geeks; it's a thriving business model. These botnets have complex hierarchies of command and control with various configurations to enable different advantages (speed or redundancy) and different disadvantages (single point of failure or latency).

These botnets are not just used by the operator; their services are sold to customers in some twisted cloud computing service - and the malware is just another example of software as a service. Their attacks follow a fairly standard "industry best practice" model, and they're out to make money. They use metrics and business intelligence to shape their tactics, and they won't stop because of one defense mechanism.

If a tactic doesn't work or costs more than it's worth, then it will be changed. If a bot is too difficult to control, then it will be let go. This is a money-driven market just like any other; and understanding that concept will help you develop techniques to defend against it that might actually work. It's not about being unhackable - there's no such thing - it's about being economically unviable as an organization and individual, not just as an IT department.