Who are the bad guys?

With the recent media hysteria about cyber attacks we get questions like “Why would the Chinese attack a bee-keeper’s website?” Well, they don’t, as far as we can tell. But then who is it? In this post we’ll try to give you an overview of the prime actors in the cyber underground.

As numerous detective stories teach: “To solve a crime you have to know the motive.” Most of the miscreants in the internet underground have one goal: “Make money fast!” Now there are tons of different ways to make money fast. One thing internet criminals realize is that this is a numbers game. Either rob a lot of people (and we mean a lot) of small amounts, or a few of large sums.


Let’s concentrate on the first case. You could for example send a couple of million spam mails out, in the hope that a few get read and answered. That would be the bulk of the spam you receive. Sending a couple of million e-mails is not an easy task. You need a lot of computers to do this, preferably not your own (this would have a negative impact on your revenue). That leaves someone else’s computer. This is achieved by hacking other people’s computers and installing a virus or (ro)bot on them. This bot calls home and waits for its master’s voice. The collection of such bots is called a botnet.

A botnet in action. The attacker instructs the control server to tell bots to send out spam. Botnets range in size from a few hundred to a few millions.

Today botnets are at the source of most criminal activities on the internet. This sounds complicated. You were out to make money and not get into this geeky computer stuff, right? No problem: today you can rent a botnet for not much money. Indeed, the cyber underground is well organised, and in fact it’s no exaggeration to speak of an established internet underground economy. There is software development: people who write and sell the software to run a botnet. Prices are moderate; a few thousand dollars buy you a decent kit. There are people that will install your bots for you on other people’s computers (using their own specialized botnet).


But how does the initial infection with a bot happen? We all have seen e-mails with strange attachments, and most of us delete them. That’s where the bee-keeper’s website comes in. The people actually hacking computers first hack websites (or buy hacked websites, you get the idea) and slightly modify the content. This does not change what’s displayed. But the modification checks for security holes in the browsers of the visitors. If it finds one, it exploits it and installs malware (said virus). ENISA, the European Network and Information Security Agency, named this so-called DriveBy attack the biggest threat to computer users in 2013.
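From the website owner’s side, the modification described above leaves traces in the page source: typically an invisible iframe pulling content from a host that is not your own, or an inline script wrapped in eval()/unescape() to hide what it does. The following is an added example, not SWITCH-CERT code, of a small scanner that flags those two crude indicators. The two HTML pages, the site hostname honey.example and the third-party host example.invalid are constructed for the example.

```python
"""Added example (not SWITCH-CERT code): flag common drive-by injection
indicators in a web page's HTML. The sample pages below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page of a fictional bee-keeper's site.
CLEAN_PAGE = """<html><head><title>Honey from the hills</title></head>
<body><h1>Our bees</h1><p>We sell honey.</p>
<script src="/js/menu.js"></script>
<iframe src="/map.html" width="400" height="300"></iframe>
</body></html>"""

# Constructed sample: the same page after a hypothetical injection. The hidden
# iframe and the obfuscated script are the kind of change the post describes:
# nothing visible to the visitor, but content is pulled from a third-party host.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://example.invalid/x.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
    '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>\n</body>')

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATED = re.compile(r"\beval\s*\(\s*(unescape|String\.fromCharCode)")


class DriveByIndicators(HTMLParser):
    """Collects (indicator, detail) pairs while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host   # hostname the page legitimately belongs to
        self.findings = []
        self._in_script = False

    def _is_external(self, src):
        # Relative URLs have no hostname and are treated as same-site.
        host = urlparse(src or "").hostname
        return host is not None and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            hidden = (a.get("width") in ("0", "1")
                      or a.get("height") in ("0", "1")
                      or HIDDEN_STYLE.search(a.get("style") or ""))
            if hidden and self._is_external(a.get("src")):
                self.findings.append(("hidden-external-iframe", a.get("src")))
        elif tag == "script":
            self._in_script = True
            if self._is_external(a.get("src")):
                self.findings.append(("external-script", a.get("src")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; an eval() over decoded bytes is a classic
        # way to hide the browser-probing code the post talks about.
        if self._in_script and OBFUSCATED.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_page(html, site_host):
    """Return the list of indicators found in `html` for a site on `site_host`."""
    parser = DriveByIndicators(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, "honey.example"))
```

The scanner is deliberately narrow: it only spots the two patterns shown and says nothing about a page whose injected code is served from the site’s own host or is obfuscated differently. Its value for a site owner is as a quick, repeatable diff check against a known-good copy of the page, not as a replacement for keeping the web application itself patched.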


Botnets can be used for various purposes: stealing credit card numbers, sending spam, interfering with e-banking, etc. A more advanced, and potentially lucrative, use is the stealing of information. Nothing new, really: industrial espionage has existed ever since people tried to market good ideas. The internet makes this a lot easier though: you don’t have to go to your victim’s site. And while most people realize that locking your doors is probably a good idea if you have valuables, the same does not seem true on the net. Industrial espionage certainly has a financial driver. But info stealing does not stop there, as the Dalai Lama had to experience. In 2009 it was discovered that China had infiltrated the Tibetan diaspora in Dharamshala. This is the other end of the spectrum, where nation states use the internet for their goals.

Much less is known about these activities, as they are usually carried out much more subtly, and potential victims keep quiet. The attackers operate in a much more focused way and with a longer-term goal in mind. We thus often speak of targeted attacks or advanced persistent threats (APT).

The (somewhat) new kid on the block

In recent months a somewhat new kid on the block appeared. Since last fall a large number of predominantly US banks were victims of denial of service (DoS) attacks. At about that time notes appeared on Pastebin saying these attacks will continue as long as the West continues insulting Muslims. It’s difficult to say where the attacks originated; nothing flows back to the attacker. Politicians accused Iran of being behind these attacks, but no solid proof has been presented.

It’s not new that political views are expressed aggressively through hacktivists. Already in 2001 the internet worm “Code Red” painted “F**K USA” over hacked websites.

So where are they from?

We’ve seen that there is a plethora of different actors on the underground stage, each with his or her own agenda. But where are they from? The West is as ready to cry “The East” as the East is ready to cry “The West”. The distribution of botnet control servers gives a hint. On any given day it correlates fairly well with worldwide technological development. I’m surprised that people are surprised.

This map shows a fairly typical distribution of botnet control servers. They are found everywhere where the internet is.

Is it that bad?

Is the Internet really full of criminals? Should I stop using it? Well, gee, no! The Internet is working, and we’re all using it. Like in real life there are dangers, but as long as they are not high, things go fine. SWITCH-CERT does its share in making sure that this remains the case. We help reduce malware infections in Switzerland, make sure that DriveBy sites in Switzerland get fixed, and help our customers with tailored services to fight off cyber criminals.
