Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Tuesday, November 11, 2008

Storm botnet brought in daily profits of up to $9,500


The investigation of spam and the malware payloads that accompany it is
a major focus of companies and organizations, from the federal
government down to the small-business part-time IT director. Most of
this work, however, is devoted to detecting and filtering spam
(infected or otherwise), as well as to predicting what delivery vectors
the industry might favor in the future. Actual data on the spam
industry's economic model is much harder to come by—at least it used to
be. Earlier this year, a group of researchers led by University of
California-San Diego computer scientist Stefan Savage conducted
research on the market fundamentals of the spam industry, from within
the industry itself.

In order to conduct their research, Savage's team took control of part
of the Storm Worm's massive botnet. A subset of the botnet's traffic was
then rerouted, and delivered interested potential buyers to a web site
under white hat control. The team's websites mimicked those set up by
the creators of Storm, but were specifically designed to return error
messages if a visitor attempted to transmit any sensitive information or
conduct a transaction. The team observed three separate campaigns over
the duration of their tests and analyzed some 469 million e-mails. Full
details on the investigation, including a discussion of how the
researchers infiltrated Storm and a very specific breakdown of what they
found, are available here (PDF).

Figure: A visual representation of Storm's structure. Savage's group infiltrated the C&C channel between proxy servers and workers.

Savage and his team ultimately controlled 75,869 worker bots, with a
maximum of 539 bots connected to the group's proxy servers at any one
time. 78 percent of the bots contacted the team's proxy servers only
once, 14 percent of the bots connected twice, and seven percent of the
bots connected three to five times. Only one percent of the infected
machines communicated five times, which underlines just how quickly
individual systems are cleaned and taken off the network. One notable
exception was an academic network in North Carolina that connected 269
times and turned out to be an access hub for 19 individuals, which
still works out to a bit over 14 connections per person.

If you've ever despaired of teaching your friends/family/coworkers not
to open or respond to spam, the researchers' findings might make your
day. After sending some 350 million e-mail messages over 26 days,
Savage and his team had "sold" just 28 "male enhancement" products for
just under $100 each. This works out to a conversion rate that's
described as "well under" 0.00001 percent. Total revenue for the period
would have been $2,731.88, a bit over $100 a day. That's chump change
by corporate standards, and it's why the spam industry relies on truly
massive campaigns the way it does. By the scientists' estimates, they
controlled just 1.5 percent of the total Storm network. Extrapolate
their earnings against Storm's actual size, and the botnet may have
been raking in as much as $7,000 a day ($9,500 if we only count the
days Storm was actively conducting a campaign). For the curious, that
works out to some $3.5 million in revenue per year.

The researchers admit their work constitutes just one data point in
what they hope will be an ongoing investigation, but believe the
information they gathered is generally representative of botnet profit
margins. If it is, it suggests that spammers may be extremely sensitive
to costs—more so than was previously believed. Even a small increase in
the cost of sending an e-mail, they postulate, could have significant
ramifications for the botnet industry, and might slow the rate at which
it grows or put some spam operations out of business altogether.

research report
A botnet brought in daily profits of up to US$9,500

A botnet does its work in two stages. Drawing on an enormous database of
e-mail addresses, it sends out worms that turn the machine that opens
them into a hidden SMTP server under the orders of the Storm Worm
network. These zombies (computers whose use goes unnoticed by owners who
only notice that their PC "runs slowly") act as spam-sending nodes
offering products: virility enhancers, fat burners, new-generation
painkillers. The cycle is completed when a few unwary people buy those
products.

Savage's team managed to hack an intermediate proxy, so that the e-mails
sent out by the three "campaigns" they monitored were altered and
directed potential customers to a site of the team's own, where a
customer who tried to buy the products landed on an error page without
being able to enter confidential information. Of course no purchase
actually took place, but the study counted that as a successful sale.

The study's conclusion is revealing. The efficiency rate of spam,
assuming the proportion holds, is less than 0.00001%, which is a dismal
result for any business, except when the means of delivery are infected
PCs that work for free.

Savage's team sent 350 million e-mails in 26 days and sold the
equivalent of USD 2,800. Considering that they controlled only 1.5% of
the Storm Worm's capacity, we can infer that in a month almost 27
billion e-mails are sent to bring in some USD 215,000.
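The extrapolation in the English article (daily and annual Storm-wide revenue, and the cost-sensitivity argument) and in the Spanish summary above (monthly e-mail volume and revenue) is the same chain of arithmetic. The following script is an added example, not code from the article or from Savage's group: it recomputes every step from the figures the page reports, so the reader can see how $2,731.88 over 26 days at a 1.5 percent share becomes roughly $7,000 a day, and what per-message cost would wipe out the observed campaign's revenue. The 30-day month is an assumption; the Spanish paragraph rounds revenue to USD 2,800, so its USD 215,000 figure comes out slightly above the value computed here.

```python
# Added example (not part of the original article): recompute the Storm
# revenue figures from the numbers the article reports, so each step of the
# extrapolation is explicit. Inputs are the article's values; the scaled
# figures follow from the researchers' own estimate that they controlled
# 1.5 percent of Storm.

OBSERVATION_DAYS = 26          # length of the measurement window (article)
EMAILS_SENT = 350_000_000      # e-mails sent through the hijacked proxies (article)
SALES = 28                     # "sales" recorded at the decoy site (article)
REVENUE_USD = 2731.88          # revenue those sales would have earned (article)
STORM_SHARE = 0.015            # fraction of Storm the researchers controlled (article)
DAYS_PER_MONTH = 30            # assumption used for the monthly projection


def conversion_rate_percent(sales=SALES, emails=EMAILS_SENT):
    """Sales per e-mail sent, expressed as a percentage."""
    return 100.0 * sales / emails


def observed_daily_revenue(revenue=REVENUE_USD, days=OBSERVATION_DAYS):
    """Revenue per day for the slice of Storm actually observed."""
    return revenue / days


def storm_daily_revenue(share=STORM_SHARE):
    """Scale the observed daily revenue up to the whole botnet."""
    return observed_daily_revenue() / share


def storm_annual_revenue(daily_usd):
    """Project a per-day figure over a 365-day year."""
    return daily_usd * 365


def break_even_cost_per_email(revenue=REVENUE_USD, emails=EMAILS_SENT):
    """Revenue earned per e-mail sent: the per-message sending cost at
    which the observed campaign would stop being profitable."""
    return revenue / emails


def storm_monthly_projection(share=STORM_SHARE, days=DAYS_PER_MONTH):
    """Whole-botnet e-mails sent and revenue over one assumed 30-day month.
    Returns (emails, revenue_usd)."""
    scale = (1.0 / share) * (days / OBSERVATION_DAYS)
    return EMAILS_SENT * scale, REVENUE_USD * scale


if __name__ == "__main__":
    print(f"conversion rate: {conversion_rate_percent():.7f} %")
    print(f"observed revenue/day: ${observed_daily_revenue():,.2f}")
    daily = storm_daily_revenue()
    print(f"Storm-wide revenue/day: ${daily:,.0f}")
    print(f"Storm-wide revenue/year: ${storm_annual_revenue(daily):,.0f}")
    print(f"Storm-wide revenue/year at $9,500/day: ${storm_annual_revenue(9500):,.0f}")
    print(f"break-even cost per e-mail: ${break_even_cost_per_email():.8f}")
    emails, revenue = storm_monthly_projection()
    print(f"Storm-wide per month: {emails:,.0f} e-mails, ${revenue:,.0f}")
```

The break-even figure is the practical point behind the researchers' closing remark: the observed campaign earned well under a thousandth of a cent per message, so any per-message cost of that order, imposed by filtering, throttling or reputation systems, is enough to push it into the red.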
