Renting A Canadian Bot for Less than the Price of Dinner for Two
A botnet is a network of computers infected with malware that allows a malicious actor – the botmaster – to control them remotely. The infected computers – the bots – communicate with a command and control server (C&C) to receive their orders. The use cases for bots are too numerous to list here, but commonly include:
- Confidential and financial data theft
- Credential theft
- Sending of spam
- Spreading the botnet to other machines, either on the local network or the internet
Few botmasters have the time, expertise and resources to monetize the information and services coming out of their botnets. Growing a botnet to tens, if not hundreds, of thousands of bots requires serious dedication. It therefore makes much more sense for botmasters to concentrate on growing their botnets, and to rent out their bots to malicious actors in need of their information and resources. This has led to the creation of surprisingly large markets where bots can be rented, and their information and credentials stolen and abused.
A Constrained Supply of Canadian Bots
We have been monitoring such a market for a number of months now, and have developed a good understanding of how such markets operate.
Our first finding is that the daily supply of new Canadian bots on this major market appears to be very low, ranging in the double, if not single, digits per day. This suggests that market vendors are unable to infect many bots in Canada – some good news! – or that they keep the infected bots for themselves. The graph below shows the number of new bots put up for sale on the market for a week in January.
Figure 1. Number of new Canadian bots posted for sale per day
Our second finding is that while there are many bots for sale in Canada, vendors display older bots along with the new ones to make it look like thousands are available for purchase. There is, however, only a limited subset of bots that can be considered fresh, meaning that they were recently infected and are probably still under the botmaster’s control. The graph below presents the distribution of bots for sale based on the date of infection. Since our data collection covered the first weeks of January, only a few hundred bots were infected in 2021. Most of the bots were infected in 2018 and 2019, not in 2020 as we would have expected. These older bots offer little value to malicious actors, as they are likely no longer under the control of botmasters.
Figure 2. Bot distribution based on infection year
How Bots Are Priced
Vendors appear to base the price of Canadian bots on the date of their infection. When all data is considered, the overall median price of a Canadian bot is $9. However, bots that were recently updated fetch a median price of $35, while those updated in 2019 obtain a low median price of $5. The maximum price for a bot updated in 2021 is $350. These numbers suggest Canadian bots can be purchased for well under $100.
Figure 3. Price distribution of Canadian bots based on last update
The price distribution suggests that malicious actors can take a chance and pay a low price for a bot that has not been updated in years, with a likely lower payout. Alternatively, they can pay a higher price for a bot that was recently infected.
Supply and Demand for Canadian Bots
With a constrained supply of Canadian bots, and the potential high reward that comes from renting out a bot, we were surprised to find that the price of bots was in the tens of dollars on average. This places bots as a relatively cheap commodity that can be purchased by a wide array of malicious actors.
Our analysis shows just how much emphasis malicious actors put on the freshness of the bots they are looking for. Bots that were infected months ago lose much of their value. This suggests that botmasters must constantly expand their botnet, or risk seeing its value decrease rapidly over time. This also suggests that botmasters may put more energy into infecting new bots, rather than maintaining those that they already control. This decreases the odds that computers infected a long time ago will be scrutinized and victimized as much as newly infected ones.
Finally, credentials appear to be a main driver of high prices. Bots enable account takeover, an all too common and damaging incident. Bots may steal usernames and passwords, but are less likely to have access to a second authentication factor such as SMS or an authenticator application. This is a strong reminder of the value of enabling multi-factor authentication on services, especially when it comes to sensitive accounts such as email and corporate accounts.