Estimating the Revenue of a Russian DDoS Booter
At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS service.
It Starts With an Advertisement
In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums. In this case study, a threat actor known as “Forceful” runs the service. Searching for their ICQ number and/or Jabber address returns a number of advertisements starting circa November 2014. Here is an example advertisement (Google translated):
These types of ads typically contain:
- A fancy logo, banner, or motto
- Short explanation of what DDoS is
- Type of DDoS attacks they support
- Reputation information
- Contact details
Then Pivots on an OPSEC Mistake
What these ads usually don’t contain, however, are the command and control (C2) details of the botnets used to carry out the purchased DDoS attacks. Making the jump from ad to botnet usually requires the threat actor to make a public operational security (OPSEC) mistake. These mistakes come in a number of flavors, and this was one of Forceful’s:
The actor was participating in a forum discussion about a crypter–a tool used to encrypt/obfuscate malware executables to help evade antivirus detection and hinder analysis. As with the other participants in the thread, Forceful posted a screenshot of the results of a virus scanning service to test how effective the crypter was on a malware sample. At the bottom of the screenshot, it lists the following hashes of the crypted executable:
- cf87f70901a1f16015bd10c289e8c3ed (MD5)
- d361e3ddfc4e6f03ed7bad5586934854478708a5 (SHA1)
- Compilation Date: 2015-09-19 12:39:43
Forceful’s mistake was that instead of deleting the test executable, it was distributed into the wild. Once released, it was picked up by ASERT’s malware zoo and others.
This malware’s C2 domain is “kypitest[.]ru” and its phone home looks like:
The HTTP request exhibits telltale signs of the G-Bot DDoS bot. Visiting the bot’s C2 panel confirms this suspicion:
The following sample is also related:
- 7ab6d627c7149ec88909a90bd64ce6e1 (MD5)
- 4fab28b1bbce94f077861ca2d9d8299b005fa961 (SHA1)
- Compilation Date: 2015-07-02 12:57:16
ASERT keeps tabs on DDoS botnets and their attack activity with our BladeRunner botnet monitoring system and kypitest[.]ru is no exception. The first attack we logged for this botnet was on July 9, 2015 and there’s been steady activity since:
At the time of this writing, attacks have been observed on 108 unique target hosts/IPs in the following countries:
Attacks can be categorized into the following types:
A Second OPSEC Mistake Helps Corroborate
While a self-identified DDoS threat actor posting an MD5 hash of a known DDoS malware feels like a solid link between a DDoS-as-a-service advertisement and a DDoS botnet, a second OPSEC mistake by the threat actor has helped strengthen their association with kypitest[.]ru. On November 11, 2015 Forceful started a forum thread (including ICQ instant messaging logs) complaining that another forum (tophope[.]ru) had unfairly deleted their DDoS advertisement:
The Google translation of the thread wasn’t great, but a colleague fluent in Russian provided helpful translations of some of the more interesting parts:
So, I’ve decided to bring up my old thread [link] today and found out that it was deleted without any notification. Tried to contact someone in chat – no response, tried to contact admin guy “Nerom” – no response either. Well, I’ve decided to “charge” their forum for 1-2 hours, just to test. In a couple of minutes the angry admin contacts me:
Nerom: You disclosed yourself
Nerom: I’ll get to the police department today
Nerom: to make a statement about it
555762555: Well, you wanted a test
555762555: how this is not a test?
Nerom: Well, the test wasn’t valid
Nerom: You attacking the server without protection
Nerom: I’ve made a statement
Nerom: your IP is being checked
Nerom: someone will pay you a visit tomorrow
Two days later, on November 11, 2015, BladeRunner observed the following:
This is a multi-pronged DDoS attack ordered by the kypitest[.]ru C2 on the above referenced forum and its hosting IP address.
Before running the numbers, let’s take a look at a specific attack. Starting on August 8, 2015 at around 08:47, an “.httpflood” attack was launched against a cryptocurrency mining pool. The attack continued for two days and about 21 hours, until August 11, 2015 at around 06:07. Per an August 8th post to the mining pool’s Reddit, it looks as if this attack was unfortunately successful:
The threat actor’s pricing is available in the DDoS booter ad:
- Daily – $60
- Weekly – $400
- 10% discount on orders of $500
- 15% discount on orders of $1000
An hourly price isn’t specified in the ad, so the daily price divided by 24 ($60/24 hours = $2.50) is used here. With these prices, the estimated revenue generated by the above attack was:
2 days x $60 + 21 hours x $2.50 = $172.50 (rounded to $173)
Using this methodology on the other observed attacks, the following estimations were made:
BladeRunner polls botnets about once an hour, so attack durations of less than one hour cannot be measured precisely. In addition, Forceful’s ad offers a free 5-10 minute test, so it is feasible that many of these short entries are quick tests. For these two reasons they are not counted towards the revenue estimation.
Related domains and IPs in the same timeframe were grouped together in the same attack. Attacks highlighted in yellow are on the same target, but were performed multiple days apart.
In the end, the total estimated revenue for the 82 attacks from July 9, 2015 to October 18, 2015 was $5,408. The mean estimated revenue per attack was $66 and the mean estimated revenue per day was $54.
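The estimation method described above, written out as an added example in Python (this is not code from the post or from ASERT’s BladeRunner). The record format, the function names and the sample attacks other than the mining-pool one are assumptions; the mining-pool record reproduces the timing given above and yields the same $173.

```python
from datetime import datetime, timedelta

# Prices from Forceful's ad; the hourly rate is the post's derivation ($60 / 24).
DAILY_RATE = 60.0
HOURLY_RATE = DAILY_RATE / 24          # $2.50

# Observations shorter than one poll interval (about an hour) are dropped: they fall
# within BladeRunner's polling error and may just be the ad's free 5-10 minute test.
MIN_BILLABLE = timedelta(hours=1)

def estimate_attack_revenue(start, end):
    """Estimate revenue for one attack: whole days at the daily price, leftover
    whole hours at the derived hourly price, rounded half-up to whole dollars.
    Returns None for attacks below the minimum billable duration."""
    duration = end - start
    if duration < MIN_BILLABLE:
        return None
    total_hours = int(duration.total_seconds() // 3600)   # partial hour truncated, as in the post
    days, hours = divmod(total_hours, 24)
    return int(days * DAILY_RATE + hours * HOURLY_RATE + 0.5)

def parse_record(line):
    """Parse one constructed (hypothetical) attack record of the form
    '<start>;<end>;<attack type>;<target>' with timestamps as YYYY-MM-DD HH:MM."""
    start, end, kind, target = (field.strip() for field in line.split(";"))
    fmt = "%Y-%m-%d %H:%M"
    return datetime.strptime(start, fmt), datetime.strptime(end, fmt), kind, target

def summarize(lines):
    """Apply the estimate to every record, skipping those too short to bill.
    Returns (counted attacks, skipped attacks, total revenue, mean per attack)."""
    counted, skipped, total = 0, 0, 0
    for line in lines:
        start, end, _kind, _target = parse_record(line)
        revenue = estimate_attack_revenue(start, end)
        if revenue is None:
            skipped += 1
            continue
        counted += 1
        total += revenue
    mean = total / counted if counted else 0.0
    return counted, skipped, total, mean

# Constructed sample records, not BladeRunner output. The first matches the mining-pool
# attack timing from the post; the other two are invented for illustration.
SAMPLE_LOG = """
2015-08-08 08:47; 2015-08-11 06:07; .httpflood; pool.example
2015-08-12 10:00; 2015-08-12 10:08; .httpflood; pool.example
2015-08-13 00:00; 2015-08-13 06:00; .synflood; 192.0.2.10
""".strip().splitlines()

if __name__ == "__main__":
    counted, skipped, total, mean = summarize(SAMPLE_LOG)
    print(f"counted={counted} skipped={skipped} total=${total} mean=${mean:.2f}")
```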
As we see in Arbor’s most recent Worldwide Infrastructure Security Report (WISR), the average cost to the victim of a DDoS attack is around $500 per minute. And as we’ve seen above, the mean cost to the attacker is only $66 per attack. This finding highlights both the extreme asymmetry of the economics of DDoS attackers vs. those of the victims of DDoS attacks, as well as the importance of robust DDoS defenses to all organizations which depend upon their online presence for revenue, customer support, and other important business functions. The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil – and that means that *any* organization can potentially be the target of a DDoS attack, since the investment required to launch an attack is so low.
Additionally, it’s important to understand that the economics of the booter/stresser operator are extremely favorable. The booter/stresser operator is leveraging PCs, servers, and IoT devices such as home broadband routers to set up a DDoS-as-a-service enterprise with zero infrastructure and bandwidth costs, because the booter/stresser service is clandestinely and illegally leveraging infrastructure and connectivity which belongs to others; the booter/stresser operator doesn’t pay taxes on the illicit proceeds of the service; and hundreds or even thousands of attackers can simultaneously utilize the booter/stresser service to launch DDoS attacks, thus boosting the tax-free/cost-free revenues of the service considerably.