How botnets grew into a global business


Botnets are more than a nuisance; they are also a business. A very big business.

The millions of machines in these global networks are the powerhouse of the net's underground economy. Industries have sprung up dedicated to creating them and keeping them running.

But how do you make money from a botnet? Let us count the ways.

Kit bashing

The first opportunity comes at the creation phase, because writing viruses that can compromise a PC is hard.

Many hi-tech crime gangs sell kits that automate the process of sending out viruses, infecting machines and forming them into a discrete botnet.

Image caption: Response rates are low for spam but still enough for scammers to cash in

The Zeus kit is one of the most well-known of these and, when first released, cost a few thousand dollars in its basic form. The price climbed if customers bought modules to target specific technologies, such as Firefox forms, or other extras such as making an accompanying virus mutate every time it infected a new host.

For their money, buyers got regular updates and a technical support number to call. They also got a comprehensive tool to control all the PCs they ensnared.

The management console for the kit let botnet controllers interrogate the many machines they had taken over. Significantly, help files for these kits are typically written in English and Russian.

The Zeus kit was a big seller. At its height, computers infected with the Zeus trojan were found in almost 200 countries, and more than three million machines were infected with it.

In October 2010, 90 people were arrested in the US for being money mules who siphoned off funds stolen via Zeus. The FBI estimates that the criminals running the mules had stolen about $70m.

Buying big

But if a kit is too technically challenging there are other ways to get hold of a botnet, said Jacques Erasmus, a senior security researcher at Webroot.

"You pay and they basically infect people for you," he said. Prices vary depending on which countries you want your victims to be based in.

Image caption: Criminals get more for the cards they steal if they have all the numbers on them

"Thailand and India are cheap," he said. "Western Europe and the US are much more expensive as they are more likely to have banking services and credit cards, and those boxes are sure to be of more value."

Setting up a botnet of 30,000 victims this way would cost about $5,000, said Mr Erasmus.

That outlay is dwarfed by the potential return from unfettered access to a household's PC. That return will be sizeable, as 68% of home net users buy online and 55% bank online, according to statistics from the ONS. One problem botnet controllers face is the time it can take to plough through the long list of credit card numbers and bank accounts they suddenly have access to.

Those stolen cards and accounts can be plundered but the big risk for the average cyberthief is laundering the cash. They can contract out this stage but can lose up to 40% of the money stolen in fees to the laundering organisation. They also might get ripped off and lose everything.

It can be safer to sell lists of credit card numbers online, especially if the expiry date, CVV codes and other identifiers are included. Prices per card have dropped because so many have been stolen. A card with credit on it and the identifying details can fetch about $90 (£57). However, the vast majority of cards go for a few dollars each.

Bank account details are much more saleable and those with cash in them can fetch hundreds of dollars.

The best way to cash in with a botnet involves harnessing the computational horsepower of all those compromised boxes.

Veteran botnet dismantler Tillmann Werner from Kaspersky Labs said: "Spamming is usually the main purpose, but they typically get up to everything that pays."

Image caption: Spam can be used to profit via stock market prices

Mr Werner was instrumental in shutting down the Hilux/Kelihos botnet, which was used for everything from spam and pump-and-dump stock scams to attacks on websites.

"They did some denial of service attacks with the botnet," said Mr Werner. "They attacked some politically active sites in Russia.

"It's hard for me to imagine they were politically active themselves so they probably got paid for that."

Rental fees

One big moneymaker is spam. About 88% of the billions of junk mail messages sent every day are piped through botnets. Spammers will pay to have that email sent, and an insight into how much they will pay came when security researcher Brett Stone-Gross and colleagues managed to penetrate the Cutwail botnet.

The many millions of machines in Cutwail, aka Pushdo, spewed out vast amounts of spam. At its height it was estimated to be behind almost half of all global spam.

Their research showed that spammers were paying $100-$500 for every million messages sent. Alternatively, spammers could pay a lump sum of $10,000 if they wanted to send millions of messages over a period of a month.

The return soon added up and the researchers estimated that Cutwail's controllers could have made up to $4.2m profit in a little over 12 months.

Increasingly, botnet controllers are using their compromised boxes to carry out novel types of crime that are unique to the net.

In this category, click fraud is a booming business. Many websites get paid when visitors click on the ads that firms such as Google, Yahoo and others use to populate their pages.

Mr Erasmus said many botnets now included code that sprang into life when the real owner of that PC ventured onto the web.

As the owner browses, this code injects fake clicks on ads into the data stream, using the genuine traffic to hide what is going on. The fake clicks make it look like certain ads are really popular, and the owner of the site hosting them gets paid for the traffic they are supposedly piping to the advertiser.

"If it's active when the user is browsing it's pretty hard to detect," he said.

In recent months Google has moved to block access to certain sites known to be involved in this type of fraud. It can also be used to "poison" the index of results Google serves up to particular queries. This makes booby-trapped webpages rise to the top of the listings and means lots more people fall victim.

In November 2011 the FBI mounted raids in Estonia to snap up members of a gang who were practising a very sophisticated version of this sort of click fraud.

The gang had set up front companies running their own websites to make the fraud look less criminal. About four million computers around the world were enrolled in the botnet behind the scheme and it proved hugely lucrative.

The FBI estimates that the gang behind this botnet scam raked in more than $14m before they were caught.

The BBC would like to extend its thanks to Prof Michel Van Eeten, Prof Johannes Bauer, Hadi Asghari and Shirin Tabatabaie for providing the data for this project.
