How much is your computer worth? I thought I would take a moment and hypothesize on this subject. But I'm not going to talk about hardware and software costs. These are easily quantifiable through the magic of price tags and receipts.
No, instead I think we should look at how much your computer is worth to someone else. This is a specific type of person who targets millions of computer users through any of numerous schemes. This is the attacker, the adversary, the miscreant, or criminal. It is the person who silently takes control of your computer through vulnerability exploitation, social engineering, or open holes from previous break-ins.
A bit of background. I hope I am not stating anything new, but it is a necessary precursor to the rest of the discussion. I won’t get into infection vectors, lengthy definitions, etc. Rather, this will be succinct. Everybody probably knows what an Internet worm is, and probably knows roughly what a backdoor is. Many have at least heard of BotNet malware, but if not, think of it as a combination of worm and backdoor for now (worm because it has the ability to propagate to other systems, and backdoor because it allows remote control of an infected computer). What you typically hear about BotNets (a collection of BotNet malware-infected computers, one or more control servers, and one or more controlling entities) is how they are used to launch Distributed Denial of Service (DDoS) attacks. What you may not have heard, but should, is that they are used for much more.
In this post, I’m going to focus on profit motives behind BotNet malware. Keep in mind that when you have malware on your computer, the malware could not only use your computer for anything its author programmed it for, but also watch everything that you do on your computer. For BotNet malware, many capabilities are “stock” and are available in source code floating around the Internet. But BotNet malware also has the generic ability to tell your computer to download new malware or other software with completely different functionality from arbitrary locations. This leads to many different money-making opportunities, but I’ll discuss some of the leading mechanisms:
There is a lot of data showing that BotNets are commonly used for all of these activities. At a later point, I may discuss some in more detail, but for now, I want to get back to the point of this post: how much is your computer worth? Being no statistician, I won’t say this is scientifically accurate (indeed, there are quite a few holes in the suppositions below), but I think it is interesting.
So, we’ll describe what sort of profit may be had by a combination of these activities in terms of profit by the miscreant:
Ignoring Internet dialers, that gives us an average aggregate worth of one infected computer of $1.17 per month. Granted, if you are a victim of an Internet dialer, or one of the chosen few who actually have your account data stolen and used, then your computer is worth much more. But we’re talking averages.
So $1.17 doesn’t sound like much per month. But many BotNets number in the thousands. A modest number of 1000 infected systems gives you $1170 per month, and 10,000 infected systems puts you solidly into the upper middle class income range. If you go with estimates of 2-5 million computers infected with BotNet malware, that is a worth of between $2.34 and $5.85 million per month, ignoring successful extortion attempts, the cost of bandwidth, PC repair, Trojan dialers, etc.
Now, instead try the other guess of $19.43 per computer per month in profit from identity theft, and go with the low end of 2 million computers infected. That means there is potential for $466 million in profits by the miscreant per year from identity theft due to BotNets alone. Over a 5-year period, that is $2.3 billion. The FTC study reported total loss figures of $48 billion over 5 years for businesses and $5 billion for consumers, or $53 billion total. Could BotNets account for 4.3% of that figure? I wouldn’t be surprised if it is more…
This posting is provided "AS IS" with no warranties, and confers no rights.