Internet Researchers Discover New Hacking Service Site

Security researchers studying the latest Internet crime trends have discovered a new Eastern European website that uses a large botnet to infect vulnerable PCs. The operators of the botnet and website charge clients for each successful PC infection.

MORE ON Malware Threats

Gozi Trojan Resurfaces, Security Researcher Finds

Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy

Gozi and the Subscription Hacking Model

The site is likely based out of Russia, according to the security researcher’s sources who asked to remain anonymous because of their underground intelligence work. While the front-end website, called loads.cc, doesn’t appear to contain or deliver malware, readers are strongly urged to avoid visiting the site in case malware is present and because the site likely logs the IP addresses of its visitors. (The “.cc” Internet domain is assigned to the Australian territories of the Cocos and Keeling Islands.)

The sources discovered the site while performing forensics on some servers known to host malware. They say that, when last checked, loads.cc was still in operation.

This service is another example of a service-based hacking product, similar to others recently reported here, that opens up Internet crime to less technically proficient criminals. Rather than compete with some of the other services, it actually complements them.

Whoever is running loads.cc controls a botnet that may include up to several million PCs in its network, according to the sources. The operator of the site provides real-time information on the size and availability of the botnet. The site operator charges clients for using the botnet to infect computers with whatever malware the customer chooses. The going rate at the time of its discovery was about 20 cents per “load,” or per successful injection into a vulnerable PC.

A client can ask in advance for a certain number of infections, say 1,000 infections for a $200 fee. Customers can also pay for loads based on country, IP addresses or other attributes. Once the job is done, the client receives a report—essentially an itemized bill—of the IP addresses where loads were successful. Then the perpetrators can pursue their goals: For example, they could potentially distribute spam, grab PC owners’ online banking information, or steal log-in credentials.

This is slightly different than the service model used by the criminal hackers behind the Gozi trojan and 76service, as reported in a special report. With 76service, clients paid for access to a form-grabber that had already infected the machine. This made each infection more expensive, since access was mostly exclusive and the trojan was already installed and operating on behalf of the buyer. With loads.cc, the client is paying to infect the machine in the first place, with whatever malware the buyer chooses. (The Gozi trojan resurfaced this week being distributed via PDF spam.)

The business model behind loads.cc creates several concerns. The botnet is available to anyone, and loads cost only 20 cents each. This could lead to a set of “super-infected” PCs that have several—possibly dozens—of bots loaded onto them. That, in turn, could lead to a proliferation of malware—so much that it could make infected PCs virtual battlegrounds for control over that machine.

The sources also worry about similar services creating a hyper-botnet in which the current botnet is used to load executable files that spread bots to other PCs, which in turn do the same, creating a viral effect.