From Botnet to Malnet
First Published: X-Force Monthly Magazine

Throughout 2006 X-Force observed an exponential increase in attackers seeking to compromise a victim’s desktop through vulnerabilities in Web browsers or Spam-based payloads. Most commonly the attackers sought to install malware armed with ‘best-of-breed’ rootkit functionality, command-and-control channels, auto-updating and spyware technologies – basically, digital Swiss-army knives.

These distributed malware networks (let’s refer to them as ‘malnets’ instead of ‘botnets’ because they are much more sophisticated than the dated ‘botnet’ term implies) have been used for identity theft, conducting coordinated denial-of-service (DoS) attacks and as e-mail relays for Spam distribution. But now attackers have become more conscious of the revenue-generating opportunities available to them via the thousands of computers they control.  Looking ahead in 2007, we can expect the owners of these ‘malnets’ to shift their business operations into less noisy ventures – ones more likely to provide longer-term (perhaps even semi-legitimate) revenue opportunities.

The problem facing attackers who own an existing malnet is that DoS and Spam are extremely noisy activities and will always draw attention to the infected hosts. Consequently, the probability of discovery and shutdown is high – thereby requiring the attackers to constantly “replenish” their networks by infecting more hosts (which is something that will require more effort in the future as desktop security features continue to advance). The same logic applies to attackers who use their malnets to harvest bank account details from the host owners. Transferring money from the victims’ accounts will not only quickly result in the loss of control of the infected host, but also carries high criminal prosecution risks.

In the near future, our expectation is that these malnet owners will seek to lower their visible profile and retain their compromised hosts for as long as possible.

The Bot-net Cash Cow

So, how can the malnet owner cash in on his/her infection success and retain a network of infected hosts?  The answer is simple – personal profiling – which legitimate companies have been doing for a long time.

At its most basic level, knowing the name and full postal address of a person is worth cash to the right organization. Combining this information with details such as the person’s age and sex is worth a few more dollars to just about every retail organization in the world. The more information about the person – how much money does he make, how much disposable income does he have each week, what are his favorite shops, etc. – the higher the cash value of the personal profile.

Legitimate organizations do this all the time. Supermarket loyalty cards are a classic example. Knowing who you are, how much you spend and how you spend it is extremely valuable to the supermarket chains. It helps them “tune” offerings to specific customers or groups of customers and increase sales margins. Organizations such as DoubleClick have made successful Internet businesses out of profiling Internet users (using technologies such as banner advertising, cookie tracking and Web-bugs) and selling that information to corporate clientele.

Now visualize a malnet owner and the potential revenue opportunities available to him.  He can monitor precisely how much money the victim has in his bank accounts, knows which loyalty cards the victim has by parsing incoming e-mail, knows exactly which Web sites the victim visits and how long he spends on each one, knows where the victim posts his holiday photos and what toys he’s purchased on Amazon for his daughter’s birthday.

How much do you think a car salesman would pay to the malnet owner for the name and contact details of a “victim” who has $80,000 sitting in his savings account and in the last three days has visited 20 Web sites selling cars, spending 50 percent of his viewing time looking up BMW Z4s? A few hundred dollars perhaps? Maybe more if the network owner says he will only charge the car salesman on a completed sale – after all, he’ll know when the money leaves the bank account and where it went.

The same potential exists within a compromised corporate network. While the computers may be company assets for conducting work, most people also use them for private activities and it is quite probable that corporate networks could yield similar monetary returns on personal profiling for the malnet owner. Additional opportunities also exist.  Surreptitiously copying confidential documents and selling them to the highest bidder – perhaps to one of the applicants in a competitive bid – is certainly possible. Perhaps even selling subsets of information to recruiters – the name and contact details of the person who writes the most lines of C# code per week within the organization.

The advantages to the malnet owner using this revenue generation model are many, but key among them is the fact that the “passively” obtained information can be sold many times, to different organizations, without actually raising attention to the compromised host.

Cashing in on Virtual Economies

Moving beyond personal profiling, the malnet owner is also capable of branching out into the new lawless economies such as those associated with online gaming – in particular massively multiplayer online games (MMOG).

A series of papers posted by Indiana University examining virtual economies estimates the value of game-based assets to lie between $200 million and $1 billion, while IGE (an organization that specializes in buying and selling game-based virtual currency and assets) estimates trade of these virtual assets could become a real-world economy of around $2.7 billion in 2006 and reach $7 billion by 2009.

Well-known real-world organizations are now in the process of developing virtual representations of their businesses and are “setting up shop” within the various MMOGs. One recent and notable addition, the international Dutch banking entity ABN AMRO, has set up a virtual bank within ‘Second Life’ to provide financial advice and would obviously like to become a future financial bridge between the two economies.

At the present time ‘Second Life’ virtual currency (called “Linden dollars”) can be exchanged for U.S. dollars, essentially turning it into a real currency, with more than $600,000 being spent in a single day.  Several third-party currency exchanges already exist to convert the plethora of in-game money types into real money, with live exchanges and fluctuating rates.

To understand how these virtual economies become real-world economies, it is perhaps best to take a closer look at two of the largest and most talked about MMOGs – Second Life and World of Warcraft.

Second Life:

Since January 2005, Second Life’s population has grown from 100,000 residents to a little over 1.7 million, and is expected to reach 40 million within the next two years. In this MMOG, these players (or ‘residents’ using the game’s terminology) can create virtual goods within the game (including the buying and selling of ‘land’) and are allowed to retain the IP rights to their creations – thereby being able to sell them at various in-world venues.

This virtual economy has already seen its first real-world millionaire. Anshe Chung turned her initial investment of $9.95 per month into more than $1 million from profits earned entirely inside a virtual world. Her character recently appeared on the front cover of Business Week magazine.

World of Warcraft:

This number-one leading fantasy-based subscription MMOG currently consists of more than 7.5 million players worldwide. World of Warcraft allows them to battle each other online or conduct team-based missions and scenarios in order to advance their characters.

As with many MMOGs that focus on character advancement, high level characters and powerful weapons are frequently traded amongst players.  Top ranked players with unique weapons or armor are seen as being valuable and can be purchased at sites like eBay for values of $1,000 or more.

Malnet Revenue from MMOGs

The opportunities for financial gain by the malnet owner, while limited, are interesting because of the way government legal systems currently handle virtual assets. In essence, these virtual assets have no real-world value and typically any value or ‘ownership’ is at the discretion of the MMOG developers and owners. This means that there is no legal recourse for settling disputes.

Consequently, if the malnet owner steals a player’s character and sells it to another player, the victim cannot seek legal recompense; the same applies if the attacker sells the player’s businesses and assets within the game or through real-world brokerages. Malnet owners may see this as a ‘safe’ way of generating revenue. With tens of millions of online players already out there and an anticipated exponential growth in new members, the potential for developing a profitable business is very high.

Hopefully, governments will update their legal systems to handle virtual world assets. Both the U.S. and Australian governments are currently evaluating and extending laws that would allow them to tax virtual and real-world asset trades.

At the moment, policing of the virtual worlds is handled by the development company behind the game. For example, Second Life provides punishments for everything from lewd behavior to hacking with tactics such as suspension, banishment and “the cornfield” in which players drive a virtual tractor and must watch an educational video.

However, virtual crimes are often as difficult to police as those in the real world. For instance, ‘prostitution’ has made its way into several MMOGs – ‘prostitution’ and escort agencies within Second Life apparently charge between $30-50 per hour (in case you’re wondering “how?” – the ‘prostitution’ is more akin to phone sex, while escort agencies provide ‘companionship’ to virtual parties and shows).

Without doubt, laws will be developed for virtual world environments. How these will be enforced will be a big question. With the obvious effect on corporate security policies and the intricacies of policing employees within their work environment, virtual worlds will soon become a headache for enterprise security teams – if they are not already.

    Copyright 2001-2007 © Gunter Ollmann