Earlier this month, the BBC's controversial purchase of a botnet and modification of the infected hosts in the name of "public interest" sparked a lot of debate on the pros and cons of their action. Condemned by certain security vendors and, naturally, at least from a guerrilla PR perspective, applauded and encouraged as an awareness-raising tactic by others, the discussion shifted from a technical to a moral and legal debate, leaving a single question unanswered: what is the name of the botnet that the BBC rented, and what's so special about it?
Until now. Let's take a peek inside the BBC's "Chimera Botnet", offered for rent by a Russian Cybercrime-as-a-Service (CaaS) vendor.
While watching the BBC's Click programme, I was particularly surprised by the fact that the botnet's backend appeared to be a brand new one, presumably released in recent weeks. Digging a little deeper proved that to be the case, with the managed botnet vendor having started to pitch it publicly at the beginning of the year. Moreover, being involved in profiling, obtaining and analyzing emerging exploitation platforms, you learn that the genius in cyber threat intelligence lies in conducting your research without contributing to the cybercrime ecosystem by purchasing any of the releases, which is exactly how this analysis was conducted.
The Chimera botnet is courtesy of a Russian vendor developing web applications and backend systems for botnets, with a particular emphasis on coding malware for hire. Some of their most notable (public) releases include performance-boosting modifications to the Zeus crimeware kit, the introduction of a carding theme within the kit (now an inseparable part of all the new versions), and the integration of an MP3-player/online-radio feature into the crimeware kit. The managed service offers two versions in typical modular-malware fashion, in this case one for spamming and one for launching DDoS attacks. The backend's interface is based exclusively on the ExtJS AJAX framework, and the malware itself is compatible with Windows XP SP1/2/3 and Windows Vista, with the authors claiming it will run as an authorized application.
How much did the BBC pay for access to the managed botnet, and what are the chances that the sellers are involved in a countless number of hardcore cybercriminal activities? Interestingly, the vendor's (now down) site wasn't exclusively offering the 20k infected hosts that the BBC purchased, leaving open the possibility that this was an overpriced deal. However, a price of $400 for a particular managed malware binary is cited, with the size of the botnet changing in proportion to the vendor's malware campaigns circulating in the wild.
The whole "botnet fiasco" puts the spotlight on a dynamic cybercrime ecosystem in which well-known vendors clearly work with one another. In this particular case, the vendor of the Chimera botnet is part of an affiliate network offering "localization on demand" services, namely, the ability for a Chinese cybercriminal to have all of his spam/malware/phishing campaigns translated into a language of his choice, breaking the language barrier that often gives away the real origin of a campaign.
The disturbing part of such "malware for hire" and "botnets for rent" services is their emphasis on standardization, which results in efficiencies, and those efficiencies in turn result in cost-effective scalability. For instance, asked by a customer whether or not their backend can handle more than 50k infected hosts before requesting a customer-tailored interface, the vendor responds that the last big botnet they ported, consisting of 1.2 million hosts, was working "just fine".
The Chimera botnet's vendor is currently in cover-up mode; monitoring of their releases will continue.