How much is your computer worth?  I thought I would take a moment and hypothesize on this subject.  But I'm not going to talk about hardware and software costs.  These are easily quantifiable through the magic of price tags and receipts.

No, instead I think we should look at how much your computer is worth to someone else.  This is a specific type of person who targets millions of computer users through any of numerous schemes.  This is the attacker, the adversary, the miscreant, or criminal.  It is the person who silently takes control of your computer through vulnerability exploitation, social engineering, or open holes from previous break-ins.

A bit of background.  I hope I am not stating anything new, but it is a necessary precursor to the rest of the discussion.  I won’t get into infection vectors, lengthy definitions, etc.  Rather, this will be succinct.  Everybody probably knows what an Internet worm is, and probably knows roughly what a backdoor is.  Many have at least heard of BotNet malware, but if not, think of it as a combination worm and backdoor for now (worm because it has the ability to propagate to other systems, and backdoor because it allows remote control of an infected computer).  What you typically hear about BotNets (a collection of BotNet malware-infected computers, one or more control servers, and one or more controlling entities) is how they are used to launch Distributed Denial of Service (DDoS) attacks.  What you may not have heard, but should have, is that they are used for much more.

In this post, I’m going to focus on profit motives behind BotNet malware.  Keep in mind that when you have malware on your computer, the malware could not only use your computer for anything its author programmed it for, but also watch everything that you do on your computer.  For BotNet malware, many capabilities are “stock” and are available in source code floating around the Internet.  But BotNet malware also has the generic ability to tell your computer to download new malware or other software with completely different functionality from arbitrary locations.  This leads to many different money-making opportunities, but I’ll discuss some of the leading mechanisms:

  • Account theft, including banking, credit cards, and other financial data.  Many versions of BotNet malware have the ability to watch what you type on your keyboard.  Some correlate this with web sites you are visiting, and may only “sniff” typing when you go to banking or commerce web sites.  The malware will send this information to the controller, who can then either use it for identity theft, or sell it to someone else who will.
  • Installation of adware for profit via affiliate programs.  Do you run XPSP2 with the popup blocker?  Or use a third party popup blocker, but still get advertisements?  It may be due to adware.  Adware is software that will watch your browsing trends and pop up ads, or show them in toolbars and sidebars.  Because adware is a separate program from your internet browser, it is not affected by the popup blocker.  What’s more, someone who gets adware installed on your computer gets paid a reward through affiliate programs.
  • DDoS for hire.  DDoS attacks are done for many reasons, including politically or socially driven reasons.  But they are also done in conjunction with extortion.  Common targets are entities that require high uptime, such as gambling sites or small commerce sites.  While a BotNet controller may not be directly involved in the extortion, they may offer contract DDoS services that may ultimately link to extortion.
  • Spam relay proxies.  Many mail systems block “known” spam relay IP addresses at their gateway.  It is a sort of previous offender system, where a system known to send only spam is blacklisted so that the mail from the offender never consumes resources (storage, network, processing, etc.) on the target mail system.  Virgin, unblocked IP addresses to use as spam relays are those that are not on the blacklist, and are thus not subject to immediate blocking.  Such systems are very valuable to spammers and those who sell proxy services.
  • Installation of Internet dialers.  Many people still use dial-up connections.  And while such a connection isn’t so useful for DDoS attacks, it does have a unique opportunity for malicious profit.  An attacker who gets an Internet dialer installed on a computer has the ability to change the number and provider that you dial in to when you launch your web browser.  This allows them to change it to a toll number (such as a 900 number here in the states), through which they can ultimately profit (often via affiliate programs).

There is a lot of data in each of these areas that supports how BotNets are commonly used for all of them.  At a later point, I may discuss some in more detail, but for now, I want to get back to the point of this post—how much is your computer worth?  Being no statistician, I won’t say this is scientifically accurate (indeed, there are quite a few holes in the suppositions below), but I think it is interesting.

So, we’ll describe what sort of profit may be had by a combination of these activities in terms of profit by the miscreant:

  • Account theft:  $0.29 per month.  The FTC states that the average cost to businesses for an individual victim of identity theft is $4800 and the cost to the individual is $500 (http://www.ftc.gov/opa/2003/09/idtheft.htm).  I’ll assume this is an aggregate gain of $5300 on the part of the criminal, and I’ll distribute that over a one-year period.  That gives us $441.67 per month.  According to a survey by the Pew Internet and American Life Project, 44% of Internet users bank online (http://www.msnbc.msn.com/id/6936297/).  We’ll just assume that this group is the same as those who shop online for simplicity.  In the FTC study, 27.3 Million Americans were victims of identity theft during the 5 years it ran.  That means 5.46 Million on average per year, or 455,000 per month.  That means about 0.15% of the US population are victims of identity theft per month.  To be conservative, let’s say that to be a victim of online identity theft, you have to: 1) be infected with malware that steals account details, like many BotNet malware variants can, so we’ll assume 100%, 2) bank online (44% of Internet users), and 3) have your information used by someone (0.15% per month).  Apply that to the average loss per instance above, and you get $0.29 per month.  Realistically, this number is probably significantly lower than the actual value.  That 0.15% per month is for all Americans.  The chances of your personal data being used if you shop or bank online and are infected with BotNet malware that steals data as you type is probably around two orders of magnitude greater, because the 0.15% figures in the probability of your data being stolen.  In our example, it’s already been stolen.  The probability here is simply whether or not it will be used.  For a more realistic number I would guess 10% of stolen information is actually used, meaning that the number is probably more like $441.67 times 0.44 times 0.1, or $19.43 per month.
  • Adware installation:  $0.67 per month.  Affiliate programs, in short, allow adware companies to write software and rely on others for distribution.  Affiliates are often paid on a per-install basis ($.20 per installation on a US-based computer is common).  As an example, a BotNet controller made approximately $20,000 in 3 months from a 10,000-strong BotNet through repeatedly surreptitiously installing one brand of adware.  We’ll go with that example, although by installing multiple adware brands, it is likely possible to make more money.
  • DDoS for hire:  $0.01 per month.  There is an example of a BotNet controller who made $100 per month using a 10,000-strong BotNet for DDoS.  In one particular month, 6 unique IPs were targeted.  I don’t know whether this is typical or not, but it is an example I am aware of.  Note that if the controller is involved in the extortion end and is successful, the worth increases.  For example, it is not uncommon to demand $10,000 for DDoS protection (http://www.msnbc.msn.com/id/6436834/).
  • Spam relay proxies:  $0.20 per month.  You can find, using various web searches, offers for proxies that average out to about $0.05 per relay per week.  So, for monthly profit assuming a BotNet controller has installed spam proxies on the infected clients, we’ll assume $0.20 per month.
  • Installation of Internet dialers:  Varies.  According to this study from Stanford (http://www.stanford.edu/group/siqss/SIQSS_Time_Study_04.pdf), it seems the average time spent online for an Internet user is 3 hours per day.  Let’s be conservative and say the dialer uses a toll number at a rate of $0.10/minute.  That comes out to $18/day, or about $540 a month.  Further, we’ll assume that you figure out after the first phone bill that something is wrong, so you only get hit the first month, and don’t get hit the rest of the year.  Using that, to put it in terms of the other figures, that is still $45 per month.

Ignoring Internet dialers, that gives us an average aggregate worth of one infected computer of $1.17 per month.  Granted, if you are a victim of an Internet dialer, or one of the chosen few who actually have your account data stolen and used, then your computer is worth much more.  But we’re talking averages.

So $1.17 doesn’t sound like much per month.  But many BotNets number in the thousands.  A modest number of 1000 infected systems gives you $1170 per month.  And 10,000 infected systems puts you solidly into the upper middle class income range.  If you go with estimates of 2-5 million computers infected with BotNet malware, that is a worth of between $2.34 and $5.85 million per month, ignoring successful extortion attempts, the cost of bandwidth, PC repair, Trojan dialers, etc.

Now, instead try the other guess of $19.43 per computer per month in profit from identity theft, and go with the low end of 2 million computers infected.  That means there is potential for $466 million in profits by the miscreant per year from identity theft due to BotNets alone.  Over a 5-year period, that is $2.3 billion.  The FTC study reported total loss figures of $48 billion over 5 years for businesses and $5 billion for consumers, or $53 billion total.  Could BotNets account for 4.3% of that figure?  I wouldn’t be surprised if it is more…
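
The estimate above as a small parameterized model, added here as an illustration and not part of the original post. Every figure comes from the post; the function and parameter names are made up for this example. It shows how much of the per-computer value hinges on the one assumption about how often stolen data is actually used.

```python
# Added example: the post's per-computer estimate as a parameterized model.
# Figures are the post's own; all names below are hypothetical.

ID_THEFT_GAIN = 4800 + 500   # FTC: business cost + individual cost, USD per victim
BANKS_ONLINE = 0.44          # Pew: share of Internet users who bank online


def identity_theft(use_rate, infected=1.0):
    """Expected monthly value of stolen account data from one infected computer."""
    monthly_gain = ID_THEFT_GAIN / 12          # spread over one year: $441.67
    return monthly_gain * infected * BANKS_ONLINE * use_rate


def other_streams():
    """Per-computer monthly value of the non-theft streams in the post."""
    return {
        "adware": 20_000 / 3 / 10_000,   # $20,000 in 3 months from 10,000 bots
        "ddos": 100 / 10_000,            # $100 per month from 10,000 bots
        "spam_proxy": 0.05 * 4,          # $0.05 per relay per week, 4 weeks
    }


def per_computer(use_rate):
    """Monthly value of one infected computer, ignoring Internet dialers."""
    return identity_theft(use_rate) + sum(other_streams().values())


def theft_share(use_rate):
    """Fraction of the per-computer value that comes from identity theft."""
    return identity_theft(use_rate) / per_computer(use_rate)


def dialer_amortized(hours_per_day=3, rate_per_minute=0.10, days=30):
    """One month of toll charges, spread over a year as the post does."""
    return hours_per_day * 60 * rate_per_minute * days / 12


def botnet_monthly(hosts, use_rate):
    """Monthly value of a BotNet of `hosts` infected computers."""
    return hosts * per_computer(use_rate)


if __name__ == "__main__":
    for label, rate in (("0.15% used (conservative)", 0.0015), ("10% used (guess)", 0.10)):
        print(f"{label}: ${per_computer(rate):.2f} per computer per month, "
              f"{theft_share(rate):.0%} of it from identity theft, "
              f"${botnet_monthly(10_000, rate):,.0f} per month for 10,000 hosts")
    print(f"dialer, amortized over a year: ${dialer_amortized():.2f} per month")
```

Moving the use rate from 0.15% to 10% takes identity theft from about a quarter of the per-computer value to nearly all of it, which is why the two totals in the post differ so widely.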

This posting is provided "AS IS" with no warranties, and confers no rights.