Internet Researchers Discover New Hacking Service Site
Internet security researchers are warning about a new malware service, apparently based in Eastern Europe, which pursues a business model charging a fee for each PC infected.
By Scott Berinato
Security researchers studying the latest Internet crime
trends have discovered a new Eastern European website that uses
a large botnet to infect vulnerable PCs. The operators of the
botnet and website charge clients for each successful PC
The site is likely based out of Russia, according to the
security researchers’ sources, who asked to remain
anonymous because of their underground intelligence work. While
the front-end website, called loads.cc, doesn’t appear to
contain or deliver malware, readers are strongly urged to avoid
visiting the site in case malware is present and because the
site likely logs the IP addresses of its visitors. (The
“.cc” Internet domain is assigned to the Australian
territories of the Cocos and Keeling Islands.)
The sources discovered the site while performing forensics
on some servers known to host malware. They say that, when last
checked, loads.cc was still in operation.
This service is another example of a service-based hacking
product, similar to others recently reported here, that opens
up Internet crime to less technically proficient criminals.
Rather than compete with some of the other services, it
actually complements them.
Whoever is running loads.cc controls a botnet that may
include up to several million PCs in its network, according to
the sources. The operator of the site provides real-time
information on the size and availability of the botnet. The
site operator charges clients for using the botnet to infect
computers with whatever malware the customer chooses. The going
rate at the time of its discovery was about 20 cents per
“load,” or per successful injection into a vulnerable PC.
A client can ask in advance for a certain number of
infections, say 1,000 infections for a $200 fee. Customers can
also pay for loads based on country, IP addresses or other
attributes. Once the job is done, the client receives a
report—essentially an itemized bill—of the IP
addresses where loads were successful. Then the perpetrators
can pursue their goals: For example, they could potentially
distribute spam, grab PC owners’ online banking
information, or steal log-in credentials.
This is slightly different from the service model used by
the criminal hackers behind the Gozi trojan and 76service, as
reported in a special report.
With 76service, clients paid for access to a form-grabber that
had already infected the machine. This made each infection more
expensive, since access was mostly exclusive and the trojan was
already installed and operating on behalf of the buyer. With
loads.cc, the client is paying to infect the machine in the
first place, with whatever malware the buyer chooses. (The Gozi trojan resurfaced this week being distributed via
The business model behind loads.cc creates several concerns.
The botnet is available to anyone, and loads cost only 20 cents
each. This could lead to a set of “super-infected” PCs that
have several—possibly dozens—of bots loaded onto
them. That, in turn, could lead to a proliferation of
malware—so much that it could turn each infected PC into a virtual
battleground for control over that machine.
The sources also worry about similar services creating a
hyper-botnet in which the current botnet is used to load
executable files that spread bots to other PCs, which in turn
do the same, creating a viral effect.