By Dancho Danchev
Thanks to the success of multiple botnet-aggregating malicious campaigns launched in the wild, cybercriminals are launching "malware-infected hosts — also known as loads — as a service" type of underground market propositions, in an attempt to monetize a botnet's infected population by selling "partitioned" access to it.
How much does it cost to buy a thousand US-based malware infected hosts? What about hosts based in the European Union? Let’s find out. In this post, I’ll profile a newly launched underground service offering access to thousands of malware-infected hosts to virtually anyone who’s willing to pay the price.
Sample screenshot of the advertised underground service:
The price for a thousand US-based hosts is $200, the price for a thousand EU-based hosts varies between $60 and $120, and the price for a thousand international-mix hosts is $20. How do cybercriminals come up with these pricing schemes in the first place? Pretty simple: it all comes down to the purchasing power and the long-term value of a malware-infected host.
Based on the pricing scheme used in this underground market proposition, the cybercriminals behind the service assume that a US-based user has higher online purchasing power than an EU-based or internationally based user, hence the higher price. What's also worth noting is that this isn't the first time they've reached the same conclusion and naturally increased the price for US-based hosts. On the majority of occasions, a service offering access to malware-infected hosts will put the US at the top of its price list, unless we count novice market entrants who will do everything to undercut professional cybercriminals and purposely lower the price, or take advantage of price discrimination schemes.
A logical question emerges in the context of these services – what would a potential customer do with all of these malware-infected hosts? It entirely depends on the customer in question. For instance, novice cybercriminals looking for efficient ways to scale their malicious operations would buy access to these hosts and utilize them for launching related malicious and fraudulent campaigns.
Other cybercriminals, whose botnets' infected population no longer has a clean IP reputation and whose campaigns aren't achieving the necessary results, would buy access to malware-infected hosts that are part of another botnet and use this "partitioned" access to further disseminate their very own malware variants. It's not uncommon for the security industry to come across these interconnections between different malware families. And although they may sometimes be the result of a direct, known purchase of "partitioned" access, there's always the probability that cybercriminal A would never know that cybercriminal B is spreading his malware variants through his service, due to a lack of investment in the time and resources needed to monitor the post-purchase behavior and activities of the customers.
We’ll continue monitoring the development of the service, and post updates as new features become available.