Botnets, networks of compromised end-user computers and servers, are hugely sophisticated engines of computation and messaging these days – just like cloud computing. Botnet creators can now sell their criminal and fraudster clientele capabilities to do a variety of tasks, from trying to crack into banks to creating fake grassroots political campaigns.
Bots Grow Up, Get Meaner
The use of botnets for straightforward criminal activity is nothing new, of course. By marshaling the resources of hundreds of thousands of infected computers at any given time, botnet controllers can use sheer brute force to bring down relatively unprotected websites just be directing thousands of traffic requests per second. Or they can use such an event to mask a more surreptitious attack into a bank’s online data.
But botnets have become increasingly sophisticated in recent years. No longer just single-purpose, point-and-shoot networks of zombied computers, botnets now have the ability to change their network’s primary functionality and deliver shadow-cloud services to anyone who can pay, according to Shuman Ghosemajumder, once Google’s click fraud czar and now VP of Strategy at startup Shape Security.
Zeus is one such botnet, Ghosemajumder explained. There isn’t one single Zeus botnet, per se, but rather a very useful botnet kit for which hackers can purchase the binaries for as little as $700. The Zeus botnet that made the headlines this summer when Microsoft took down two Zeus botnet servers was only one implementation of the Zeus botnet tools in action. That one network alone was estimated to have 13 million zombied computers and was responsible for making off with $100 million – mostly by spoofing legitimate banking sites and making off with the victim’s funds when their valid login and password information was logged.
But Zeus is not just about stealing financial data. The software belongs to a new class of botnet software that goes beyond the special-purpose botnets and even the general malware-delivery botnets we’ve seen in the past. Zeus botnets can be adapted and retooled to meet specific client needs, effectively rendering the captured botnet machines into the very real equivalent of a cloud computing network.
Botnets To BotClouds
With geographically diverse nodes spread all over the planet and controlled by a fairly well-hidden network of command and control servers, one could argue that the botnets are even more resilient and “cloudy” than legitimate cloud networks, which still tend to be localized in key spots on the Internet.
Making the problem worse, Ghosemajumder added, is that criminals and spammers are no longer limited by their own technical expertise (or lack thereof) to implement their schemes. A whole new marketplace of Botnets-as-a-Service (BaaS) providers are cropping up, selling either the direct capabilities of the botnet to perform whatever the client needs, or selling the gains of botnet-gathered data to the highest bidder or through resellers. Think of it as Crime-as-a-Service.
Moving Beyond Smash-And-Grab
This data doesn’t have to be high-value credit card and banking information, either. Taking advantage of the fact that botnets, by their very nature, have multiple IP addresses within the network, zombied computers can be directed to sign up for fake social media accounts without much risk of detection. Those accounts can then be sold in bulk to resellers, creating a vast gray market that injects lot of money into the botnet owners’ pockets.
Search for “buy Facebook accounts” and you will quickly find the resellers of this kind of botnet-created data. Outfits like Buy Accounts Now and DataEntry Assistant may not be running the actual botnets that generate the fake Gmail, Hotmail, Facebook or Twitter accounts they are selling, but observers often charge that companies like this are reselling data that originally came from one of these botnets. For just $99, you can buy 1,000 Twitter accounts from DataEntry, with $250 getting you the same number of Facebook accounts. Need phone-verified Facebook accounts with multiple photos preloaded? That’ll cost you a lot more: $599 for 250 of those high-end babies. The phone-verified accounts cost more because they are more complicated to set up. You have to associate a real working number with each account.
Harming Already Precarious Business Models
This is a serious problem for social networks, because the presence of so many fake accounts can be as economically disruptive as spam in the inbox. Facebook released data in August that highlighted the known presence of 83 million fake accounts, 8.7% of its reported 955 million accounts at the time. Facebook started purging as many of these accounts as it could in September, but the damage was done, as advertisers began questioning payments to Facebook for ad clicks that could have very well been generated by false accounts.
The ripple effect of these fake accounts is still spreading. Those changes Facebook made in September to cut down on fake account- and user-generated spam also enacted changes in brand outreach policies that have seriously angered big-time customers like Mark Cuban, who are now looking to take their Facebook business elsewhere.
Eroding User Trust
End users of these social media services are also getting hurt by these fake accounts, directly or otherwise. Every week there’s a new Twitter campaign from fake accounts trying to phish users into signing up to see or get something that will actually hijack that user’s account.
Astroturfing, the practice of creating a grassroots campaign by flooding a social media channel or feedback sections on a website with seemingly legitimate comments, has gotten a big boost from these automated botnet-created accounts. The New York Times related this week the tale of a Washington State fight over a gay marriage referendum using apparent fake account to create a false sense of popularity.
“A group supportive of gay marriage pointed to the Facebook page of its rival, Preserve Marriage Washington, which collected thousands of ‘likes’ in a few short spurts. During those peaks, the pro-gay marriage group [Washington United for Marriage] said, the preponderance of the ‘likes’ came from far-flung cities like Bangkok and Vilnius, Lithuania, whose residents would seem to have little reason to care about a state referendum in Washington. The ‘likes’ then fell as suddenly as they had risen,” the Times reported.
Similar accusations of astroturfing and false popularity have been leveled in many political campaigns this year.
Social media manipulation is just one aspect of what these botnets-as-a-service can do. By delivering the resources of cloud computing into the hands of criminals and those who seek to defraud and manipulate, botnets will be a serious challenge for security organizations in the months ahead.