U.S. flag

An official website of the United States government, Department of Justice.

Examining the Creation, Distribution, and Function of Malware On-Line: Executive Summary

NCJ Number
Date Published
March 2010
10 pages
Using a criminological and computer-science examination of multiple data sets, this study examined the social and technical aspects of the creation, distribution, and use of bots, which constitute a new form of malicious code used by computer hackers and attackers to perpetrate costly computer crimes.
The analysis of the functions and activity of 13 bots in a simulated computing environment indicates that they had significant impacts on the system by changing system protocols, including adding and removing files, dlls, and registry information. Two of these bots also attempted to download other executable programs hosted on both Web sites, including a compromised server hosting a legitimate business Web site in the United States. All of the bots attempted to connect to Internet Relay Chat (IRC) command and control servers around the world. Nine of the bots were able to connect to the IRC command and control channel, and four required a password to log in to the channel. Five of the bots were able to connect to the channel and received commands to scan other systems online, participate in denial-of-service attacks, infect other systems, and open communication sessions with other computers. The creation and sale of bots and malware were examined through a qualitative examination of 909 threads from 10 publicly accessible Web forums in Eastern Europe and Russia designed to facilitate the creation, sale, and purchase of malware and hacking instruments. An examination of the ads posted in these forums demonstrated that a service economy has developed to facilitate cybercrime, particularly in the sale of malware. Malware was the most prevalent item sold in these forums, composing 34 percent of the total sale-related threads. Individuals requested or sold bots, trojan horse programs, encryption tools, and iframe malware uploading and downloading services.

Date Published: March 1, 2010