Criminal network to trade botnets and malware uncovered

Share this article:
Researchers at a web security firm have discovered what they term the latest milestone in the evolving cybercriminal underground: a one-stop-shop for hackers.

Called Golden Cash, the network enables cybercrooks to buy and sell control of compromised computers, as well as trade tools for creating malware and controlling and collecting data from botnets. Also, the platform contains about 100,000 stolen FTP credentials for sale.

The discovery of the Russian-based platform, believed to be run by individuals related to the Russian Business Network (RBN), was noted in the second issue of Finjan's 2009 Cybercrime Intelligence Report.

Finjan CTO Yuval Ben-Itzhak told SCMagazineUS.com on Wednesday that Golden Cash represents the next step in the professionalism of cybercrime markets. As a result of such platforms, people can expect attacks to grow in speed and efficiency, he said.

"It's no longer a big, technical effort [to conduct attacks]," Ben-Itzhak said. "This is the first time everything has been managed through the same interface. It's everything combined."

The going-rate to purchase packages of 1,000 compromised machines on the network ranges from $5 to $100, according to Finjan. Once the batches are bought, partners are then paid to distribute the botnet and collect FTP credentials entered on the victim PCs. Meanwhile, sellers can use the network to earn up to $500 per 1,000 zombie computers.

Those running Golden Cash also have found ways to protect their operation, Ben-Itzhak said. For one, the platform blocks IP addresses belonging to security vendors (Finjan researchers used IP addresses not owned by the company). In addition, Golden Cash sits behind a number of proxy servers that hide the origin of the actual web server being used.

Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, said many in the investigative community have known about Golden Cash for some time, but this discovery helps spread the word about the slickness of the criminal underground.

"The news is that they've just been outed," Warner told SCMagazineUS.com on Wednesday. "Finjan has just exposed them to the public eye through their report. I would guess something will happen to them very quickly now that this has happened."

Finjan has notified law enforcement in Russia and Estonia. As of Sunday, the network still was operating, but Ben-Itzhak expects action to be taken soon.

He said businesses can do their part to lessen the success of such operations as Golden Cash by applying patches for vulnerabilities as they become available.

"When you leave these doors open, someone will come in your door," he said.
Share this article:

Sign up to our newsletters

More in News

'Backoff' malware compromises POS devices in New Orleans restaurant

Anyone that used a credit or debit card at Mizado Cocina between May 9 and July 18 may have had their data compromised.

FBI begins investigation into 1.2 billion stolen credentials

A couple weeks after Hold Security's initial discovery of the stolen logins, the Federal Bureau of Investigation is conducting its own review.

CryptoLocker copycat, TorrentLocker, discovered by researchers

Yet another clone of the nefarious ransomware CryptoLocker has been detected by security experts.