Thursday, October 04, 2007

 

Malware delivery - Fedex vs. Google Adwords

Consider two different means of delivering malicious code, both of which cost money. First, shipping thumbdrives loaded with malware and autorun.inf files. Second, buying Google Adwords and pointing the links to a webserver you have loaded with a legally purchased copy of MPack.

Both methods cost a lot of money. Which has the best ROI? Assuming that our goal is to infect 1,000 US users, we can easily calculate the costs. It's important to note that each country will have a different average infection rate, which significantly changes the math.

Let's start with Fedex. We can buy 256MB thumbdrives for about $2.50 each in quantities of 1,000. The shipping cost for each drive (assuming the targets are all within 800 miles and non-rural) is about $5.22. We also need to assume that about 50% of our targets will actually insert the drive and become infected.

So our Fedex cost is ($2.50 + $5.22) * (1,000 users / .5 infection rate) = $15,440 in total, or $15.44/infection. Not too bad considering the amount of money that could be made from each machine.

Now, let's run the same math with MPack and Google. Let's buy a Google adword likely to infect lots of unwary US citizens with money in the bank and a propensity for clicking on odd links.

Looks like "magic vacation" is available for about $.05 per click. That should work nicely for this example. To calculate our costs we'll need some more information about MPack. First we can buy a "legal" and supported version for about $1,000. From previous MPack attacks I know that the US infection rate is about 3.3%.

Our MPack costs work out to $1,000 + (1,000 users / .033 infection rate * $.05/click) = about $2,515 in total, or $2.52 per infection. (Ignore the fact that this requires 30,000 hits to our fake Adwords page :)) Not too shabby.
