[cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame
Zooko Wilcox-O'Hearn
zooko at zooko.com
Fri May 11 12:20:48 PDT 2012
Folks:
Here's a copy of a post I just made to my Google+ account about this
alleged Botnet herder who has been answering questions about his
operation on reddit:
https://plus.google.com/108313527900507320366/posts/1oi1v7RxR1i
=== introduction ===
Someone is posting to reddit claiming to be a malware author, botnet
operator, and that they use their Botnet to mine Bitcoin: B9.
I asked them a question about the economics of using a Botnet for the
Bitcoin distributed transaction-verification service ("Bitcoin
mining"): B2.
They haven't provided any proof of their claims, but on the other hand
what they write and how they write it sounds plausible to me.
=== details ===
Here are my notes where I try to double-check their numbers and see if
they make sense.
They in their initial post B9 that they do 13-20 gigahashes/sec of work
on the Bitcoin distributed transaction verification service.
The screenshot they provided B3 shows 10.6 gigahashes/sec (GH/s) in
progress, and that they're using a mining pool named BTCGuild.
According to this chart of mining pools b�4, BTCGuild currently totals
about 12.5% of all known hashing power, and according to b�5 the current
total hashing power on the network is about 12.5 terahashes/sec
(TH/s), so BTCGuild probably accounts for about 1.5 TH/s.
They say that their Botnet has about 10,000 bots. The screen shot
shows a count of "total bots" = 12,000 and "connected in the last 24
hours" = 3500. This ratio of total bots to bots connected in the last
24 hours is consistent with other reports I've read of Botnets b�6, and
also consistent with my experience in p2p networking. The number of
"live bots" available at any one time for this Botnet herder should
probably average out to somewhere between 350 and 550. Let's pick 500
as an easy number to work with. Does it makes sense that 500 bots
could generate 10 GH/s? That's 20 MH/s per live bot. According to the
Bitcoin wiki's page on mining hardware b�7, a typical widely-available
GPU should provide about 200 MH/s. Hm, so they are claiming only 1/10
the total hashpower that our back-of-the-envelope estimates would
assign to them. Here is an answer they give to another person's
question that sheds light on this: b�8.
Q: "Isn't Bitcoin mining pretty resource intensive on a computer? Like
to the point someone would notice something is up on their system form
it slowing eveyrthing down?"
A: "My Botnet only mines if the computer is unused for 2 minutes and
if the owner gets back it stops mining immidiatly, so it doesn't suck
your fps at MW3. Also it mines as low priority so movies don't lag. I
also set up a very safe threshold, the cards work at around 60% so
they don't get overheated and the fans don't spin as crazy."
It sounds plausible to me that those stealth measures could cut the
throughput by 10 compared to running flat-out 24/7. Also it isn't
clear if the botnet counts computers that don't have a GPU at all, or
don't have a usable one. Maybe such computers are rare nowadays?
Anyway if they are counted in there then that would be another reason
why the hashing throughput per bot is lower than I calculated.
In answer to another question B9b�0, they said they get a steady $40/day
from running the Bitcoin transaction-confirmation ("mining") service.
According to this chart B9B9 from B9B2, the current U.S. Dollar value of
Bitcoin mining is (or was a couple of days ago when they wrote that)
about $0.33 per day for 100 MH/s. Multiplying that out by their claim
of 10.6 GH/s results in $35/day. So that adds up, too.
(Note that it sounds like their primary business is stealing and
selling credit card numbers, and the Bitcoin transaction-verification
service is a sideline.)
I don't see a reason to doubt that they really generate about 10.6
GH/s of the Bitcoin distributed transaction verification service.
My primary question is: if this is profitable on a per-bot basis, then
why don't they scale up their operation? Of course, the answer to this
presumably sheds light on the related question of why competitors of
theirs don't launch similar operations. Perhaps one limiting factor is
that the larger your Botnet, the more likely you'll be arrested by
police or extorted by competitors. That may be a limiting factor that
this person doesn't yet know about or doesn't like to think about.
They mentioned b�9 that most of their fellow cybercriminals are "too
inexperienced to accept Bitcoin", so it may be that this person is
just ahead of the curve and more people will launch operations like
this in the future.
That's the question that I asked them on redditb�why don't they scale
up? They haven't yet replied to my question, but they earlier
mentioned in response to a different question b�9:
Q: "How many botted machines do you typically gain per month or per campaign."
A: "about 500-1000 a day, weekends more. I'm thinking about just
buying them in bulks and milking them for bitcoins. Asian installs are
very cheap, 15$/1000 installs and have good GPUs."
If they're really gaining 500 to 1000 new bots per day but they have a
total of only 12,000 then either their operation is rapidly expanding,
or the attrition rate is similarly high as the acquisition rate.
=== the bottom line and my take ===
I don't see any reason to doubt that this is real, and that this
person with their Botnet is responsible for about 0.08% (i.e. less
than 1/1000 b� not 8%!) of the total Bitcoin distributed
transaction-verification service, and that they profit for it at the
rate of about $35 per day.
There's one open question in my mind about whether this particular
operator is currently rapidly expanding (adding 1000 bots per day to
their network of 12,000 bots) or if the attrition rate of bots
departing from the 12,000-node network is close to 1000 per day.
If the $35/day revenue is really mostly profit (i.e., they don't have
to spend so much time maintaining their 12,000-node Botnet that they
forego more profitable activities, like stealing more credit cards or
finishing their homework), I would expect them and others like them to
turn more and more bots to this purpose.
However, the nature of Bitcoin is that all providers of distributed
transaction-confirmation service are in competition with one another.
In the two weeks since this post went up on reddit, people around the
globe deployed about 2 TH/s more hash power (see this graph of
aggregate Bitcoin hash power b�5), which cut the profitability of this
one person's operation from $35.00/day to $30.00/day. If more and more
Botnet operators get into the Bitcoin mining game, they will reduce
the profitability of Bitcoin mining. (As well as competing with each
other for access to victim computers, which has got to be a limited
resources, right? Right? Or is there just a practically infinite
supply of vulnerable computers waiting to be tapped if only someone
can find a way to profit from them?)
In parallel, the legitimate Bitcoin miners appear to be continuing to
roll out new distributed transaction-verification service on their own
hardware. Here is a recent post by "Bitcoinminer" about commercial
Bitcoin farms based on GPU: B9B3. The operation spotlighted in that post
apparently delivers 100 GH/s (about 10X that of our Botnet herder). At
the same time, sales of FPGA-based Bitcoin devices appear to be
booming. I wrote a post about that: B9b�4. You'll have to scroll down
through extensive discussion to find where I summarized the numbers,
but in summary it appears that people are in the process of investing
half a million USD in Bitcoin FPGA which, when all deployed, will
deliver around 430 GH/s.
I think there may be a kind of "Game of Chicken" going on: if someone
makes a convincing show of investing in Bitcoin mining then they may
deter other people from getting into the game and dividing up the
profits. That may be the subtext of Bitcoinminer's blog postb�he may be
trying to discourage competitors. An interesting thing about "Game of
Chicken" is that large upfront costs can actually be an advantage
because they demonstrate your commitment! If people are spending half
a million dollars on FPGA Bitcoin miners, then their competitors had
better believe they're really going to keep running them, even if
competition drives down profitability.
See, to deploy 10 GH/s of Bitcoin hash power using FPGA would require
you to purchase about $10,000 worth of hardware which has no resell
value except to other Bitcoin miners. To deploy 10 GH/s using GPU
would require an outlay on about $5000 of hardware, which you could
later resell for gaming (or whatever other uses GPUs have nowadays --
CAD/CAM?). To deploy 10 GH/s using a Botnet requires an unknown-to-me
outlay of time, money, skill, or risk of personal harm, but at least
the marginal cost of adding another few MH/s seems much lower than in
the hardware-based approach. Our Botnet herder on reddit said he could
buy access to Asian PCs with good GPUs for $15 for 1000 PCs. If that's
true then it should cost a piddling $180 to set up a new network as
big as his current 10 GH/s network.
However, if he is considering doing something else with his time and
money, then the fact that people have convincingly committed to
large-scale FGPA mining may deter him, because no matter how well he
does at competing with them, they've already paid a sunk cost, and
their marginal cost for electricity is low, so they won't quit.
(Unless competition swells to such a level that it drives revenue
below their cost of electricity, which seems like a distant prospect
at this point.) Thus they might win at the Game of Chicken and
persuade him to spend his time and money on different projects (such
stealing more credit cards or doing a better job on his homework).
(There are also several organizations who are loudly proclaiming that
they're developing custom ASIC chips for Bitcoin mining. I haven't yet
seen hard evidence of any of them having really spent substantial
money on it or having demonstrable progress on the engineering and
manufacturing.)
=== last word ===
I'm delighted to see such vigorous and varied competition for
contributing to the distributed, planet-wide transaction-confirmation
service. I especially like the "sunk-cost" people such as the FPGA
miners with their low electricity requirements, because they seem
likely to be long-term, always-on contributors.
B9 http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/
B2 http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4mu8oj
B3 https://lafsgateway.zooko.com/file/URI:CHK:sdk72a5zmncihhmhdsremrglem:ez25wwqy3lkpefd7e4tujr2tc5mhezmguql7vensxysl2yhkqefa:1:1:516308//named=/yxMDx.jpg
b�4 http://blockorigin.pfoe.be/chart.php
b�5 http://bitcoin.sipa.be
b�6 http://blog.damballa.com/?p=330
b�7 https://en.bitcoin.it/wiki/Mining_Hardware_Comparison
b�8 http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4g7w9v
b�9 http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4g2tpa
B9b�0 http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4g235t
B9B9 http://bitcoinx.com/charts/chart_large_lin_30d.png
B9B2 http://bitcoinx.com/charts/
B9B3 http://www.bitcoinminer.com/post/22769728108/commercial-mining-farms
B9b�4 https://plus.google.com/108313527900507320366/posts/2ztAhLnXQK
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list