'Golden Cash' botnet-leasing network uncovered

Home page of the Golden Cash network.

(Credit: Finjan)

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed "Your money-making machine" on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here's how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server.

In order to increase the number of botnets, the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash's control, according to the report.

Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries, the report said.

"This advanced trading platform marks a new milestone in the cybercrime evolution," Finjan said in a statement.

More technical analysis is available on Finjan's Malicious Code Research Center blog, including the fact that the command and control server is hosted in Texas, the registrant country is China and the "proxy" Web site that tunnels traffic to the command and control server is hosted in Krasnodar, Russia.

[Groucho6]

Once again, the answer, as always, is BUY A MAC

[Perry_Clease]

No, and I am a MacFanMan, the answers are aggressive law enforcement, and educating the users who do not keep their OS secured.

[santuccie]

I agree with Perry_Clease. And besides, with XP being retired from store shelves and confined to netbooks, downgrades, and ultra-low-cost systems, OS X is the most vulnerable OS remaining on the market. Now we have iBotnet, as well as two new Mac Trojans that came out just last week. That's not a huge deal, but it gets much worse. Outside of the three undisclosed demonstrations at CanSecWest, we now have a publicly available PoC drive-by download for the Mac. This could be all the Chinese and Russians need to figure out how to engineer their own Mac attacks to circumvent the authentication mechanism. And when that happens, all hell breaks loose.

Most Macs have no manner of security at all, beyond the authentication mechanism itself. Once it's breached, 90% or more of the planet's entire Mac install base could be under criminals' control within a week. And even then, it could be years before half of Apple's user base is reconditioned to let go of the age-old "invincibility" meme, take their units in for disinfection, and install antivirus or a sandbox to prevent future infection. Even amongst Windows users, few are aware that AV scanners cannot usually see a rootkit, and that modern malware are much more conservative with system resources in order to avoid manifesting themselves.

I'm NOT a Mac user, but I hope Snow Leopard introduces functional implementations of DEP and ASLR like Vista has. If it doesn't, and if Windows 7 proves to be an XP killer as prophesied, cybercriminals will eventually focus their full attention on the Mac. That means more ID thefts, more logins stolen, more bank accounts cleaned out, and more mailing lists harvested. And even then, trying to stop the "Macs don't get viruses" meme is like trying to stop a freight train. Whenever an article about Mac attacks shows up on the Web now, zealots come belching out the woodwork, crying, "MS SHILL, MS SHILL!!!" It will be no different when it comes on TV. Heck, even Fuller's PoC drive-by was scoffed at. You can't silence religion.

[Seaspray0]

@groucho6. Times have changed.

http://news.cnet.com/8301-1009_3-10154662-83.html

The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years

[Seaspray0]

@Groucho6. Times have changed.

http://news.cnet.com/8301-1009_3-10154662-83.html

The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years

[ITcomposer]

The answer is educating users, by holding PC WORKSHOPS to all the non techies so they know how to secure their machines, ive seen in the field machines that are at least 2 years out of dates on patches

IE: Windows xp running SP1, Vista running RTM code (Vista rtm = 2007) yikes!

if big box electronics like best buy did this i bet u the number of spam bots would be a lot less.

Its time pc stores take a cue off apples page.

BTW: I dont own a single MAC Pc

[Nev]

China and Russia obviously present difficulties to the few authorities willing or able to act .. but what on earth is preventing the hosting in Texas from being stopped ?

[Seaspray0]

Hey! I live in Texas! This is embarrasing, but I do have some good news. The courts here have no problems with the death penalty.

[DawnCampbell]

I would like to string these people up by the you know what-maybe Texas can amend the rules to use death penalty on these people.

[witchhaven]

It's very sad that the laws in this area, both locally and internationally, are so frail and toothless. What we need are MANDATORY jail sentences for EVERYONE involved in any "bot-net" offense - it is just too much of a drain on the resources of companies trying to do business at a normal pace, getting "taken down" by botnet ddos attacks.

Creating bot-nets should be illegal (in ALL countries) - except for legitimate security and computing research (which still opens potential HUGE loop-holes. Below are legitimate uses:

The "SETI screen-saver collaborative computing model" (where each person downloads a screen-saver that searches a portion of data retrieved from radio and/or optical telescopy of the galaxy, in a distributed, semi-collaborative search for signs of extraterrestrial intelligence) - that model is rather somewhat like an "opt-in passive bot-net," with the computers reporting their search results back to "SETI Central."

"Condor" - a model we piloted at Naval Research Lab is yet another valid "opt-in passive bot-net," where a Condor central control & collection server polls the various computers (servers & workstations) of a certain installation (such as NRL) for "spare/idle CPU cycles & memory." I believe this is what the SETI model may have been based on; and Condor may, in fact, have been the "mother of modern botnets."

The basic premise is that, an extremely large computation is needed (i.e. SETI search, Genome mapping, etc.) - so large, in fact, that not even 16 parallel mega-Crays could crunch the results in our lifetime. The proposed solution is to "slice up" the gargantuan dataset and/or the incredibly complex computation into smaller "chunks" that can be handled individually (this is akin to massively parallel processing on an exponentially larger scale - true "distributed, bot processing" if you will). The Condor central control server hands a segment of the extremely large dataset or the incredibly complex computation to the next "idle bot" in the list of "bots" that have reported as "available, with adequate resources, & waiting to accept data." Over time, the hundreds or thousands of "bot computers" report the completion of their portion of the processing. The resultant individual "bot" computations are sent back to the Condor central server (bot controller/collector) to be collated and re-combined into the resultant solution. By this premise and method, previously impossible problems now can be solved in a matter of days, weeks, months or years; problems that otherwise potentially would have taken several centuries.

Leasing botnet time also should be illegal.

Jeff Mason - http://www.brighthub.com/members/jeff.aspx
http://www.facebook.com/JeffMasonx