Buying botnets: Underground network marks ominous 'milestone'

The Golden Cash network provides powerful malware toolkits to its members and pays them a bounty for every PC they can compromise.

A trading platform designed to let cybercriminals buy and sell infected PCs has been uncovered by Web security company Finjan Inc. Finjan says the platform, also known as the Golden Cash network, is the most sophisticated and extensive such operation it has seen so far.

Security researchers develop browser-based darknet

Called Veiled, the darknet only requires participants to use an HTML 5-based browser to connect and share data anonymously.
The Golden Cash network operates by recruiting members around the world, providing them with powerful malware toolkits, and paying them a bounty for every PC they can compromise.

Having acquired the infected machines, the group then hires them out at a hefty markup to anyone who wants to use them or plant their own malware on them.

Its origins are still uncertain – though most evidence points to it being based in Russia – and the individuals behind it are unknown. What is certain is that it poses a major threat to all PCs, whether at home or in companies, in the public or private sector.

Full details are presented in Finjan's latest Cybercrime Intelligence Report. "The Golden Cash network is far more than an average affiliation network operated by cybercriminals," it says. "Our research showed that there is something really major behind this one – an entire trading platform of malware infected PCs. It also provides an exploit toolkit with obfuscated code and an attack toolkit to distribute malware."

How Golden Cash works

1. Victim visits a legitimate but compromised website.  

2. The compromised website contains a malicious IFrame, causing the victim's browser to pull exploit code from the attacker website that is armed with the exploit toolkit.  

3. Upon successful exploitation, a special version of a Trojan, which was especially created for the attacker, is pulled from the Golden Cash server.  

4. Once installed, the Trojan reports back to the Golden Cash server, and the attacker's account at Golden Cash is credited with payment for the job done.  

5. The first instruction sent by Golden Cash to the victim's machine, is to install an FTP grabber to steal FTP credentials. The victim's machine is now in a pool of infected machines controlled by Golden Cash.   

6. The infected machines are offered to other cybercriminals using a dedicated website.  Selling price depends on the location of the infected machines.  

7. After purchase, the victim's machine gets instructions from the buyer to install additional malware on his/her behalf.  

8. The Trojan on the victim's machine reports back to Golden Cash on successful installation of the buyer's malware.  

9. The buyer's account is charged by Golden Cash for the service rendered. The victim's machine goes back in the 'available for more infections' pool for more purchases.
Those running the site act both as buyer and seller of compromised PCs. They will buy malware-infected machines from anyone anywhere in the market, and according to their published price list, will pay $100 per 1,000 infections in Australia but only $5 for a batch of 1,000 infections in other countries, mainly in the Far East. British bots are worth $60 per 1000.

When it comes to selling, prices are considerably higher. Infected Australian PCs go at $500 per 1000, while their British counterparts cost $250. If you want something cheaper, then pay $120 per 1000 U.S. machines, or just $20 for a batch of 1000 Japanese machines.

Golden Cash provides its customers with all the tools they need to go out and infect computers, plus a simple means of getting paid for their efforts. The attack begins with an injection of IFrames into a legitimate website, which redirects users to a malicious website containing an exploit toolkit that infects other visitors.

One such toolkit detailed in the report makes use of obfuscated code, which is designed to get past traditional anti-malware defences and exploit an unpatched vulnerability.

Some of the malware discovered was also designed to collect FTP credentials of legitimate websites from infected PCs. 'These credentials are later being used to enable its partners to insert their IFrames with malicious code into the websites' pages. This creates a highly profitable loop," Finjan's research concludes.

The report adds that researchers found stolen FTP-credentials for around 100,000 Internet domains, including corporate domains from all parts of the world.

Ophir Shalitin, Finjan's marketing manager, described the discovery of Golden Cash as a "milestone, because it automates the cybercrime process. It really lowers the barrier for new cybercriminals. It makes it easy for them. It is a one-stop shop."

Howard Schmidt, president of the Information Security Forum, a user group representing more than 300 large corporations, said the development was symptomatic of a general arms race between the criminal and the security industry.

He said technology alone would never be able to prevent users from acting irresponsibly and getting infected, but it can help. "There will always be people who will say 'Continue' because they want to go ahead despite any warning," he said. "But look at how phishing emails have developed. You have to work really hard to be a victim of a phishing email these days, because of filters that have been built into browsers and email systems. We need to do the same kind of thing at the Web server to prevent infection, although that is a lot more difficult."

Read more on Hackers and cybercrime prevention