238
CHAPTER 17 Responding to cyber crime and cyber terrorism
Pay-per-Use (PPU) to thousands of already compromised machines, or provide additional malware to computers that are already infected.
Spam bots can also deliver secondary infections, for example information-stealing malware, fake antivirus software and ransomware, to increase the flexibility of the infected machines and to maximize the potential revenue of each infected computer.
To give an idea of the economic impact of botnets, the “F-Secure 2012 Threat Report” revealed that the ZeroAccess threat reportedly clicks 140 million ads a day. It has been estimated that the botnet is costing legitimate online advertisers up to USD 900,000 of revenue loss per day. Moreover, as we will see later in one of the two use cases, Eurograbber earned 36+ million euros.
The third level is obviously composed of Victims (the owners of the infected machines) who, depending on the type of attack, may be generic Internet users (if the number of victims is the most important variable, e.g., in a DDoS campaign) or belong to a particular category of people (if the quality of the information to be exfiltrated is the most important variable).
Moreover, the Users layer is not necessarily monolithic, but can be further divided into intermediate levels (e.g., organizations most experienced in malware development may not be equally experienced in its distribution) and consists of various criminal figures in a kind of partnership program, where the higher level guarantees a minimum number of “customers” to the lower one (see the ZeroAccess Pay-per-Install, PPI, business model).
The pyramid above, like the criminal business model, can be read as a measure of the real threat: the wider the victim layer, the more disruptive the threat.
The botnet monetization models mentioned above (PPI and PPU) affect both the direction and the magnitude of the “criminal value flows.” Moreover, in the specific case of the PPU model, the size of a flow is proportional to the dangerousness of the threat.
In fact, while for a click-fraud-oriented botnet the money flows and their size are almost certain, for a general-purpose botnet a criminal (User) who wants to attack, for example, a bank might be willing to invest a larger amount of money to buy or rent from the Designers a botnet wide enough and skilled enough for bank account exfiltration or DDoS campaigns.
So the botnet economic flows in the two monetization models can be represented as in Figure 17.4 (the thickness of the arrows is indicative of the amount of money).
A possible value chain for “Designers,” believed to be the most “e-structured,” can be represented using models such as Porter’s model chart. The result is very similar to what would be generated for a generic software house, with a prevalence of the trust element (for customers and suppliers) linked to the fact that the added value will be directly or indirectly related to criminal activities.
Based on Porter’s model we can identify two sets of activities: