Web Fraud 2.0: Distributing Your Malware

The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute your data-stealing malicious software is a time-consuming process that requires a modicum of skill. That is, until recently, when several online services have emerged that promise to help would-be cyber crooks graduate from common street dealers to distributors overnight.


Such is the aim of services like "," which for a small fee will take whatever malware you provide and inject it into a pre-selected number of PCs already compromised and under the thumb of the service owners.


Currently, claims to have 264,552 hacked systems in more than a dozen countries that it can use as hosts for any malicious software that clients want to install. The latest details from the "statistics" page displayed for members says the service has gained some 1,679 new infectable nodes in the last two hours, and more than 33,000 over the past 24 hours.

So, let's say I'm a wannabe cyber crime guy, and I download or purchase some malware from any number of forums that host these things or configure them to your liking. I then mosey on over to loads, and check out their distribution price lists. I can have my malware loaded onto 1,000 PCs around the globe for roughly $100, or 10 cents per compromised machine. I merely tell the site the location of the URL where my malware is hosted, pay for the service with Webmoney, and sit back and wait for my soon-to-be-infected machines to start sending me their passwords and other sensitive data.


Interestingly, seemed to have either angered an established cyber criminal or tread upon space already occupied by another organized crime outfit earlier this year, because the site came under a fairly heavy and sustained distributed denial-of-service attack (DDoS) aimed at knocking the service offline. The site operators responded by creating a new domain for their service with "ddos" in its URL.


Other up-and-coming malware distribution services are trying to gain a foothold in this nascent criminal Web 2.0 industry. offers slightly more competitive rates, promising to stitch your malware into 10,000 hacked PCs in the U.S. for just $120. And they claim to accept PayPal, which might appeal to newbie cyber thieves who are unfamiliar with the ways of Webmoney and other more Euro-centric virtual currencies.

If a know-nothing cyber crook can pay $120 and infect 10,000 already-hacked PCs in the United States, what does that say about the sheer number of systems under control of the bad guys? To me, it says that compromised machines or "bots" as they are more commonly known, have become a commodity, or - to cite Wikipedia's definition -
"undifferentiated goods characterized by a low profit margin."

I hope this is obvious, but it's probably best to avoid visiting the sites named in this post, as they exist solely to orchestrate the infection of computer systems.

If you'd like to discuss any part of this Web Fraud 2.0 series, or have any other computer-security related question on your mind, join us at 11 a.m. ET today for our Security Fix Live discussion.

By Brian Krebs  |  August 22, 2008; 10:19 AM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  


Thanks, Brian, for your investigative work. Some of us are so busy scraping this filth off of computers that we don't really know all of what's goin' on at the other end...

This fella's blog has been keeping me up at night tho:

The Tramp

Posted by: PhantomTramp | August 22, 2008 4:15 PM

That RBN blog is an interesting read. His investigation into the Russian cyber attack differs from that of Shadow Servers, who believe it was more of a privately run operation.

Hard to believe that it was a private organized gang, or random Russian hackers pursuing a similar goal. The level of coordination, and the launch of the cyber attack a day before the alleged "response" to Georgian actions, is troubling.

One question that does remain: if RBN Networks were used in the cyber attacks against Georgia and Estonia, what degree of involvement did the Russian government or the FSB have in the attacks?

Posted by: PJ | August 22, 2008 6:32 PM

Brian, your blog is friggin' awesome. Thanks for posting.

Posted by: sdlfkj | August 23, 2008 3:40 AM

Why haven't the security organizations utilized these malware distribution mechanisms to inject anti-malware or malware-cleanup programs into the networks?

That would amount to the good guys using the delivery mechanisms of the bad guys to either identify the infected PC or stealthily clean them up.

It might turn the game around and the bad guys lose the advantage.

Posted by: Jethro | August 23, 2008 8:14 AM

Love the malware link above mine in the comment! Poker Bonus indeed!

Posted by: Brian | August 25, 2008 6:19 PM

Fantastic work!

Posted by: madxc | August 25, 2008 11:12 PM

What I'd really like to see are statistics on how badly the major OSs are affected, ie Windows vs OSX vs Linux, adjusted for the installed base sizes, of course.

Having a number of friends now who have been clobbered by someone taking over their machines, some hard numbers relating to the vulnerability of the major OSs would be invaluable. All of the people I know who have had that happen to them run Windows, but that is hardly a valid statistical sampling.

Jeff B at Home

Posted by: Jeff B at Home | August 26, 2008 11:32 AM

My passwords have been changed twice and my understanding is that the bots got in from Windows and tunnelled their way through Parallels into OSX. The bot or scumbag then expropriated my files and all my mail by setting my security lock to "Open" every time I rebooted.

The real challenge is that there is no one taking this seriously for the single and financially challenged operator who relies on their computer to create a business online. What is happening is a crime yet there is nowhere to report it as far as I am aware and even more important, nobody who can fix the infection that AntiSpyware doesn't touch.

There is a gap in the market here!

Hacked off.

Malcolm Patten

Posted by: Malcolm Patten | August 27, 2008 1:51 AM

"Why haven't the security organizations utilized these malware distribution mechanisms to inject anti-malware or malware-cleanup programs into the networks?"

Oddly enough, that doesn't happen due to legal reasons. While the purveyors of malware don't care about breaking the law, most of the "good guys" that come up with a solution like yours are hesitant to take action, since compromising a PC and installing anti-malware software is illegal as well.

I'd love to clean up 100,000 infected PCs and help reduce the cases of identity theft and spam emails, but I'm not going to open myself to criminal charges and civil litigation to do so.

Posted by: Clark | August 27, 2008 12:45 PM

@ Clark

I'm with ya, Clark. If we start layin' down w/ the dogs, we'll wake up w/ the fleas. Just like the lame duck.. uh.. never mind.

The Tramp

Posted by: PhantomTramp | August 27, 2008 5:00 PM


© 2010 The Washington Post Company