Study finds the average price for renting a botnet

Based on an experiment conducted by researchers from VeriSign’s iDefense Intelligence Operations Team, involving 25 different "rent a botnet/DDoS for hire" underground marketplace propositions, they were able to conclude that the average price for renting a botnet is $67 for 24 hours, and $9 for hourly access.

With only two static things within the underground marketplace that I can think of right now - greed and potential for growth, personally, I think that static price lists for a particular service don't fall within this category.

Here's why.

The dynamics of the underground marketplace, have greatly matured throughout the past couple of years. The logical shift from static pricing lists, to the embracing of multiple pricing schemes such as price discrimination (differentiated pricing), or penetration pricing, naturally resulted in different prices for different targeted groups.

Basically, the propositions analyzed by iDefense, can be best described as variables that are tailored to different customers.

For instance, starting from the basic fact that cybercriminals actively multitask on multiple fronts, and the fact that access to botnets as an asset is a commodity good within the underground marketplace these days, certain propositions will even offer the "botnet for hire" option as a bonus/value-added service.

Moreover, what differentiates the sampled services from the hardcore IT underground ones, is the fact that the majority of these explicitly state that they reserve their right not to attack (any) government web sites, or engage in activities that will attract attention to their activities.

On the other hand, the hardcore "rent a botnet" services will not only charge larger sums of money, but may even ask for another cybercriminal to vouch for the new customer in an attempt to limit curious researchers from finding out more about their infrastructure.

One of the most novel approaches for acquiring new clients I've seen in a while, is a weird combination consisting of direct DDoS extortion, followed by penalties for delayed response -- true mafia style that's for sure -- and the offering of 30% discount in case the victim wants to DDoS the competition once he pays the ransom.

Not only is the company in question a victim of DDoS extortion, but once it pays it's offered a 30% discount if it rents the service from the same extortionists, as well as a "protection" with the extortionists promising to turn down offers from the competitors wanting to attack the now "protected customer".

Surreal, but a fact. Here's an excerpt from the actual DDoS extortion letter:

"Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us. The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.

You will also receive several bonuses. 1. 30% discount if you request DDoS attack on your competitors/enemies. Fair market value ddos attacks a simple site is about $ 100 per night, for you it will cost only 70 $ per day. 2. If we turn to your competitors / enemies, to make an attack on your site, then we deny them."

The long term trends regarding botnets for hire or DDoS for hire services, look pretty disturbing due to a simple fact - based on the never decreasing supply of malware infected hosts, no matter how low they price their services, they will always make a profit out of it, in between increasing the availability of such services to the general public.

From another perspective, this very same "general public" is slowly starting to realize that sometimes, experience cannot be outsourced.

Image courtesy of a famous (in 2007), now taken offline botnet for hire service. Tip of the iceberg within the cybercrime ecosystem.