Inside BBC's Chimera botnet

Inside BBC's Chimera botnet

Summary: Earlier this month, the controversial BBC purchase of a botnet and modifying the infected hosts in the name of "public interest" sparked a lot of debate on the pros and cons of their action.

TOPICS: Security, Malware

Earlier this month, the controversial BBC purchase of a botnet and modifying the infected hosts in the name of "public interest" sparked a lot of debate on the pros and cons of their action. Condemned by certain security vendors, and naturally, at least from guerrilla PR perspective, applauded and encouraged as a awareness raising tactic by others, the discussion shifted from technical to moral and legal debate, leaving a single question unanswered - what is the name of the botnet that the BBC rented and what's so special about it?

Until now. Let's take a peek inside the BBC "Chimera Botnet" offered for rent by a Russian Cybercrime-as-a-service (CaaS) vendor.

While watching the BBC's Click programme, I was particularly surprised by the fact that the botnet's backend appeared to be a brand new one, presumably released in recent weeks. Digging a little deeper that proved to be the case with the managed botnet vendor starting to pitch it publicly at the beginning of the year. Moreover, being involved in profiling, obtaining and analyzing emerging exploitation platforms you learn that the genius in cyber threat intell lies in conducting your research without contributing to the cybercrime ecosystem by purchasing any of the releases - which is exactly how this analysis was conducted.

The Chimera botnet is courtesy of a Russian vendor developing web applications and backend systems for botnets, with a particular emphasis on coding malware for hire. Some of their most notable (public) releases include performance-boosting modifications within the Zeus crimeware kit, the introduction of a carding-theme within the kit (now an inseparable part of all the new versions), and integrating a MP3-player/online radio feature within the crimeware kit. The managed service offers two versions in a typical modular-malware fashion in this case for spamming and launching DDoS attacks, with the backend's interface exclusively based on the ExtJS AJAX framework, with the malware itself compatible with Windows SP sp1/2/3, and Windows Vista with the authors claiming it will run as an authorized application.

How much did the BBC pay for access to the managed botnet, and what are the chances that the sellers are involved in a countless number of hardcore cybercriminal activities? Interestingly, the (now down) vendor's site isn't exclusively offering the 20k infected hosts that the BBC purchases, thereby leaving the possibility for what may look like an overpriced deal. However, a price of $400 for a particular managed malware binary is cited, with the size of botnet changing proportionally with the vendor's malware campaigns circulating in the wild.

The whole "botnet fiasco" puts the spotlight on a dynamic cybercrime ecosystem with well-known vendors clearly working with one another. In this particular case, the vendor of the Chimera botnet is part of an affiliate network offering "localization on demand" services, namely, capable of empowering a Chinese cybercriminal with the ability to translate all of his spam/malware/phishing campaigns to a language of his choice, breaking the language barrier which often indicates the real origin of the campaign.

The disturbing part with such "malware for hire" and "botnets for rent" services is their emphasis on standardization which results in efficiencies and efficiencies themselves in cost-effective scalability. For instance, asked by a customer whether or not their backend can handle more than 50k of infected hosts before requesting a customer-tailored interface, the vendor responds that the last big botnet that they ported costing of 1.2 million hosts was working "just fine".

The Chimera botnet's vendor is currently in a cover-up mode, monitoring of their releases would continue.

Topics: Security, Malware

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Thank you, BBC.

    "The whole ?botnet fiasco? puts the spotlight on a dynamic cybercrime ecosystem with well-known vendors clearly working with one another."

    And that's why the BBC should be patted on the back instead of vilified. I've seen more tripe written by some of the better-known names in the security community who are more worked up about a law potentially being broken than they are about the laws that are actually being broken many times over with the creation and administration of these botnets.

    This ruckus will hopefully be the first step in getting many sides of this equation - PC owners, legislators, law enforcement, and security leaders - to finally take meaningful action in ending this scourge once and for all.
    • Even though I do have some agreement and disagreement with

      what BBC did, I have to disagree with you that even if law enforement and all these other people were to take action, it would be in the form of localized enforcement, which is why malware is so hard to stop. There is no international agreement to stop cyber criminals, and until 100% of all nations and countries agree to take effective action, there will always be someone setting up botnets, and vendoring them. Case in point how long has there been a drug war? The difference is that you are not going to be picking up cyber criminals the same way you do drug lords, as cyber criminals work anywhere they can jack into the net.
      • The solution is simple

        Make the creation of remotely exploitable software a criminal offense. Problem solved.

        For the drug war? Go after the people that are causing problems and leave everyone else alone. Most of the crime related to drugs is due to relatively safe ones being illegal, and hard ones like ethanol being state approved.
  • Doesnt everyone use botnets?

    I hear of people using them all the time to take down game servers that ban them. Seen it this past weekend.

    I still think that using the botnets for the folding at home program would be awesome.
  • RE: Inside BBC's Chimera botnet

    Great!!! thanks for sharing this information to us!
    <a href="">seslisohbet</a> <a href="">seslichat</a>
  • RE: Inside BBC's Chimera botnet

    ewet dedim ama neyse
    dogru deme
    tamam dedim