
Botnets for rent, criminal services sold in the underground market

By Pierluigi Paganini, Editor-in-Chief

The Internet is becoming a mine for criminals, who can easily obtain any kind of resource needed to arrange a cyber attack, a cyber espionage campaign or a complex banking fraud.

What is very scary is the ease with which it is possible to acquire any kind of criminal service in the underground, and the creativity of cyber criminals, who are able to offer sales models that are as efficient as they are cheap. In the past I have presented, in different posts, data related to sales in the underground market, especially the Russian one, which is considered the most active.

In the last month various malicious campaigns have been launched by cyber criminals with the specific intent of infecting the largest possible number of machines to build dangerous botnets. The availability of a great number of infected machines translates into valuable resources and services to be marketed, from which cybercrime gains considerable profits.

Cyber criminals are offering malware-infected hosts, also known as loads, in a sales model that monetizes bot activity through the rental of the compromised hosts.

Of course the services offered are fully customizable: clients can choose the type of malware that infects the victims and their geographic location. It is possible to rent US-based malware-infected hosts or machines in the European Union.

Security expert Dancho Danchev, in a post on the Webroot threat blog, revealed a newly launched underground service offering access to thousands of malware-infected machines at upsetting prices: a thousand US-based hosts cost $200, the price for a thousand EU-based hosts varies between $60 and $120, and the price for a thousand hosts of an international mix is $20.


The different prices are calculated based on the purchasing power and long-term value of a malware-infected host; US users are considered by cybercriminal organizations to be the wealthiest. This pricing policy is widespread: in many cases the malicious services are sold to US users at higher prices. I add that there are probably also other considerations behind the cost evaluation, such as the specificity of the demand in particular areas and the cost of keeping a botnet alive in countries where cyber security is more responsive.

A couple of years ago Dancho Danchev conducted an interesting study on botnet renting:

“The logical shift from static pricing lists, to the embracing of multiple pricing schemes such as price discrimination (differentiated pricing), or penetration pricing, naturally resulted in different prices for different targeted groups.”

What is the principal use of thousands of infected hosts?

Typically the criminals are interested in arranging cyber frauds, and such a large number of machines can be used to launch related malicious and fraudulent campaigns; in other cases they look for newly infected machines with a clean IP reputation. IP reputation is an essential component of the efficiency of botnets, which in this way can be rented to spread various malicious agents.

The post highlights the use of “partitioned” access to a botnet to further disseminate malware variants. In many cases security experts discover interconnections between different malware families spread by the same group of compromised machines, a circumstance that suggests the promiscuous use of the machines.

The sales model appears ideal for criminals who want to spread malware without being bothered with botnet management and host recruiting; for this reason cyber criminals opt to rent an exploit service.

Damballa Labs recently investigated a criminal infrastructure being used by a person or group running a Critx exploit kit rental service.

The exploit kit is being rented or leased on its own criminal infrastructure; the cyber criminals have already built up the malicious infrastructure, adopting all necessary precautions, such as multiple IP addresses and redundancy, to avoid botnet takedowns.

All a criminal would have to do is simply register a domain and point it to this infrastructure. Illustration 1 is a screen shot advertising the exploit kit and the actual cost to rent it for a given period of time.

[Illustration 1: screenshot advertising the exploit kit and its rental cost]

A few months ago security researchers from Symantec discovered malware-infected computers being rented as proxy servers on the black market. Using malware, cyber criminals were able to turn infected computers into SOCKS proxy servers, access to which is then sold; they used compromised hosts to power a commercial proxy service that tunnels potentially malicious traffic through them.

The examples provided demonstrate how prolific the sales model known as “malware as a service” is, a monetization scheme that we will encounter more and more often in the months to come.

Pierluigi Paganini

Sources: CDM and Cybercrime
