Botconomics: The Monetization of YOUR Digital Assets

A decade ago IF your PC was compromised it was usually just taken for a joy ride. Today, with the monetization of bots, ease of compromise, prevalence of malware, and increasing connectedness of endpoints on the Internet, WHEN your assets are compromised they’re subjected to something more akin to a chop shop.

To follow this vein (purely for amusement):

  • Seat belt == AV; If you’re hit, you’re a whopping 50% (note that that 50% number is pretty accurate, at least in the case of AV) less likely to get injured
  • Overhead and side curtain airbags == Good AV (or HIPS?); might suffocate you or rip your head off, but there to make you safer!
  • Alarm system == IDS; is anyone listening?
  • Anti-lock Braking System == NAC; a parking pass in the console and you’re in the building
  • CD case in the glove box == lift some CD license keys
  • Office Badge/ID == Paypal & ebay account credentials
  • Used in hit & run == DDoS attack
  • LoJack == IP reputation services –> subscription required
  • The Club == HIPS (pita)
  • Turning your car into one of those rolling advertisements.. Or towing one of those billboard trailers? Leaving a cloud of smoke and soot in your wake? == Why Spam, of course… (ok, really weak)
  • Body stuffed in the trunk, used for high-dollar drug or arms deal and dumped in the river == drop site
  • Wallet with some cash or CCs == score!; keylogger streaming PIN numbers, login credentials and secret question answers, mother’s maiden name, birth date, national ID number, etc.. to one of the aforementioned drop sites
  • Garage door opener and vehicle registration w/home address in the car — hrmmm…
  • Car thief picks up your girlfriend == phishing…? 🙂

OK, OK, enough of the bad analogies, I suspect you get the point or have stopped reading by now.

Ahh, but folks aren’t driving cars across the country anymore, they’re flying jet planes – Good thing we’ve got seat belts! And for you skeptics – not to worry, we’ve now got floatation devices if things get really ugly…

The point is, if you or anyone you do business with online is compromised, you’re at risk. Further – if anyone you do business with is online, you’re at risk. Need more? Someone that has your personal information does something with a networked system, and as a result, you’re at risk.

Think AV is protecting you? An IDS? Malware today is explicitly engineered around leading AV engines (e.g., ++580 Agobot variants), engines for which auto-update functions are disabled upon compromise via any of a number of techniques, from removing the programs or making them non-executable, to adding hosts.txt entries pointing to a local interface (e.g., — for the Internet address of the AV signature update server.
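A defender can check for the hosts-file trick described above. The following is an added example, not code from the original post: it audits hosts-file text for watched security-update hostnames that have been overridden locally. The hostnames, suffixes and sample file contents are constructed placeholders.

```python
import ipaddress

# Assumption: names a defender expects to resolve via DNS only. Placeholders,
# not real vendor update servers.
WATCHED_SUFFIXES = ("av-vendor.example", "sigupdate.example")

SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   update.av-vendor.example   # constructed malicious entry
0.0.0.0     liveupdate.sigupdate.example download.sigupdate.example
10.1.2.3    intranet.corp.example
192.0.2.50  cdn.av-vendor.example
"""


def is_sinkhole(addr):
    """True for loopback/unspecified addresses: traffic never leaves the host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_watched(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (line_no, hostname, address, verdict) for each watched override."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            if is_watched(name):
                verdict = "blocked" if is_sinkhole(addr) else "redirected"
                findings.append((line_no, name, addr, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Any hosts-file entry for a watched name is reported, since an update server pinned to a routable address is as suspicious as one pinned to loopback.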

Entire bot systems exist with load-balanced command and control, real-time dynamic partitioning and multi-mode monetization capabilities based on the bot services consumer’s needs, etc..

The GOOD News for those bot services consumers:

[Taken verbatim from a recent spam message I received boasting ‘bullet proof [bp]’ hosting services:]

    • IPs that change every 10 minutes (with different ISPs)
    • Excellent ping and uptime
    • 100 uptime guarantee
    • Easy Control Panel to add or delete domains thru webinterfaces
    • …..

Bot herders have heard the public’s outcry for multi-mode bots, responding with SLAs, intuitive user interfaces, ISP redundancy and even excellent ping times! Heck, several pieces of malware perform speed tests to ‘top Internet sites’, indexing and allocating our resources based on availability and connectedness.

Need a turn-key phishing solution? For a small fee you can get a botnet partitioned to do all these things and more:

  • compromise based on exploit of your choice
  • patch owned hosts for exploit that was used to compromise, and perhaps a few other low-hanging vulnerabilities
  • allocate bot resources (control, drop, lift, host, spam, attack) based on connectedness
  • lift CD keys, install key loggers, lift passwords, account info, email addys, etc
  • setup a couple bots as drop sites
  • setup a couple bots as phishing site web servers
  • setup a couple sites as phishing email relays
  • setup a couple open proxies for access to any of the above
  • want to take it for a test drive, not a problem

and voila, you’re in business!

Ohh, and don’t forget the special operations bots at the ready in the event that an anti-{spam,bot,phishing} company actually impacts your operations.. Don’t believe me? Go ask BlueSecurity (note the link still doesn’t work), or our friends at CastleCops, or… Six months of DoS attack observation across 30 ISPs here at Arbor yielded well over one hundred days with at least one ISP reporting an attack of one million packets per second or better. Some trivial math (1,000,000 * 60 bytes per packet * 8 bits per byte == 480 Mbps), enough to take 99%++ of the enterprises on the Internet offline today.

I’m not knocking any of the solutions above, they’re all necessary (well, most of them) and serve some purpose. It’s little more than an arms race today and there is no Silver Bullet, it’s all about layered security and awareness. As good-minded security folk continue to innovate, so too do the miscreants. As they find more ways to pull more money from more compromised assets, the problem will continue to grow. You CAN and WILL be affected, whether directly or implicitly, whether you bank and buy stuff online or not – the merchants you deal with surely have networks of some sort. A good many of those merchants do make concerted efforts to protect their consumers – perhaps others see things like any of the slew of compliance standards as ‘I tried, get out of jail free’ waivers when they do get compromised.

Being aware that the problem exists is the first step towards making it suck less, or so one would hope.. Let’s just hope that the Internet’s open any-to-any connectivity, as molested today as it may be (much in the name of security, mind you), isn’t entirely lost in the process.

Bots and widespread compromise affect every aspect of our economy today, directly or implicitly. Therein enters our amalgamation; botconomics.

5 Responses to “Botconomics: The Monetization of YOUR Digital Assets”

June 19, 2007 at 3:20 pm, “Baiting” Web Surfers · Security to the Core | Arbor Networks Security Blog said:

[…] This methodical approach is consistent with an unnerving trend of attackers employing re-usable systems for future financial gain (see Danny’s “Botconomics” post to learn all about this). In the short-term, the attackers will likely employ the stolen financial information to build a larger network of compromised hosts. The attackers themselves can subsequently utilize that network, or they can seek some sort of “ROI” by “leasing” out the network to other attackers. Either way, this case further emphasizes the importance of security vendors and service providers doing as much as possible to provide Internet users with as safe a browsing experience as possible. While hosts should certainly be patched as quickly as possible, network security vendors (like us) are working with service providers who own the “pipes,” thereby allowing us to attack this problem from a different, hopefully more successful, perspective. […]

July 04, 2007 at 7:50 am, Miles Associates LLC » “Botconomics” said:

[…] Here is a great Arbor Networks blog entry: Botconomics… […]

April 01, 2008 at 3:03 am, fullc0de said:

I think we are all already at RISK. A huge amount of information of us is being floated on Internet while was polluted. So, we should effort to protect our own information with several knowledge at security.

April 02, 2008 at 9:45 am, Guy Huntington said:

The main obstacle in restricting growth of this criminal activity is not technology but international laws. Until governments in Eastern Europe, Asia and Africa join with Western governments in creating quick unified police response teams and legislation allowing cross-border operations, the wild west show continues.

The best enterprises can do is maintain many layers of defence and hire guns to defend them.


November 14, 2009 at 8:35 pm, Led Downlights said:

Great Article, and botconomics is fantastic also. Compromises for financial gain I can understand, what is even bigger a problem is malicious attacks, there needs to be a combined effort to eliminate this sort of activity.
