Be the first to like this
If you want to buy a botnet, it'll cost you somewhere in the region of $700 (£433). If you just want to hire someone else's for an hour, though, it can cost as little as $2 (£1.20) -- that's long enough to take down, say, a call centre, if that's what you were in the mood for. Maybe you'd like to spy on an ex -- for $350 (£217) you can purchase a trojan that lets you see all their incoming and outgoing texts. Or maybe you're just in the market for some good, old-fashioned spamming -- it'll only cost you $10 (£6.19) for a million emails. That's the hourly minimum wage in the UK.
This is the current state of Russia's underground market in cybercrime -- a vibrant community of ne'er-do-wells offering every conceivable kind of method for compromising computer security. It's been profiled in security firm Trend Micro's report, Russian Underground 101, and its findings are as fascinating as they are alarming. It's an insight into the workings of an entirely hidden economy, but also one that's pretty scary. Some of these things are really, really cheap.
Rik Ferguson, Trend Micro's director of security research and communications, explains to Wired.co.uk that Russia's cybercrime market is "very much a well-established market". He says: "It's very mature. It's been in place for quite some time. There are people offering niche services, and every niche is catered for." Russia is one of the major centres of cybercrime, alongside other nations like China and Brazil ("the spiritual home of banking malware").
Russian Underground 101 details the range of products on offer in this established market -- Ferguson says that they can be for targeting anyone "from consumers to small businesses". He points to ZeuS, a hugely popular trojan that's been around for at least six years. It creates botnets that remotely store personal information gleaned from users' machines, and has been discovered within the networks of large organisations like Bank of America, Nasa and Amazon. In 2011, the source code for ZeuS was released into the wild -- now, Ferguson says, "it's become a criminal open source project". Versions of ZeuS go for between $200 (£124) to $500 (£309).
Cybercriminal techniques go in and out of fashion like everything else -- in that sense, ZeuS is a bit unusual in its longevity. That's in large part because viruses and trojans can be adapted to take advantage of things in the news to make their fake error messages or spam emails seem more legitimate. For example, fake sites, and fake ads for antivirus software, aren't as popular as they once were because people are just more computer literate these days. Exploits which take advantage of gaps in browser security to install code hidden in the background of a webpage have also become less common as those holes are patched up -- but programs which embed within web browsers still pose a threat, as the recent hullabaloo over a weakness in Java demonstrates.