Researchers at security vendor Finjan Inc. discovered a new platform used by cybercriminals to buy and sell batches of zombie PCs and other tools used to carry out attacks.
Called the Golden Cash network, the trading platform allows botnet herders to sell portions of their botnet to the highest bidder. Batches of 1,000 malware-infected PCs can be purchased from $5 to $100, depending on location, Finjan said.
In addition to offering the latest versions of attack toolkits, the global network partners with its members to distribute the Golden Cash bot, which collects FTP credentials for legitimate websites from the infected PCs. Finjan said its researchers were able to identify about 100,000 domains, including corporate domains, whose credentials were stolen, enabling access to the servers.
"Looking at the list of compromised PCs we found, it is clear that no individual, corporate or governmental PC is safe," Yuval Ben-Itzhak, chief technology officer of Finjan, said in a statement. Ben-Itzhak heads the vendor's Malicious Code Research Center (MCRC).
Cybercriminals have been buying and selling botnets, proxy servers and attack toolkits on Web forums notorious for criminal activity. When the Conficker worm reached its peak earlier this year, security researchers warned that those behind the infection could sell off portions of it on the black market. But Ben-Itzhak points out that the Golden Cash platform is the first organized network of its kind, creating partners to distribute its bot and infect more PCs.
The Golden Cash platform also includes a malware center, where buyers can search for the latest malware that fits their needs, according to Finjan's Cybercrime Intelligence Report. The center includes a list of the latest malware and their download locations.
Once infected, PCs are put in a continuous loop: buyers use them to infect other websites and steal passwords and other sensitive information, and finally put them up for resale through the Golden Cash network.
For managing and building the Golden Cash bots, cybercriminals are using the Zalupko Trojan, according to Golan Yosef, a security researcher at Finjan. In a posting on Finjan's MCRC blog, Yosef outlined how the botnet worked. Its command and control server remained undetected by security vendors for longer than usual because it used another website as a proxy that tunnels the bots' communication to and from the C&C server, Yosef said.
"In fact, we found Zeus Trojan logs on the C&C server from June 2008," Yosef said. "Normally, we find logs that are about 3-4 months old."
The command and control server is hosted in Texas. The registrant country is China. The proxy website, which tunnels traffic to the command and control server, is hosted in Krasnodar, Russia, Yosef said.