What it costs to host a malware site

Brian Krebs reports on "bulletproof hosting" providers that offer malware/spyware creeps, spammers, rip-off artists and other Mos Eisley cantina-dwellers a place to park a website where takedown notices, search warrants, and the law can't reach.

Of course, just how insulated this particular provider's services are and how much illicit activity you can get away with while using them depends largely on how much you're willing to shell out each month. For example, an entry level "default bulletproof server" allows customers to host things like rogue online pharmacies, replica, gambling, and MP3 sites for $270 per month. But this service level bars customers from hosting nastier content, such as malware, spyware, adware, exploits, viruses, and phishing sites.

Upgrade to the "Super BulletProof Virtual Dedicated Servers in China" -- and pay almost $500 a month -- and the only activities that are prohibited are sending spam and hosting any type of porn.

The provider pictured here also upsells potential customers by offering a variety of handy add-on services. For extra coin each month, one can rent a bulletproof server with a license for XRumer, a black hat search engine manipulation tool that automates the registration of new Web forum accounts and the spamming of links on those forums, all in a bid to boost the search engine rankings of the spamvertized site. If you operate a blog and have had to deal with what appear to be automated, link-filled comments, chances are good that XRumer was involved in some way.

Body Armor for Bad Web Sites


  1. $500/month?

    That’s actually pretty cheap, considering the service in question. Some part of me suspects that this will merely lower the entry requirements for the less competent or ambitious, however.

    If you want to run a clandestine operation, doesn’t it make more sense to use your own server?

    1. If you want to run a clandestine operation, doesn’t it make more sense to use your own server?

      Just as it is impossible to make a cell phone call without the telco knowing exactly where you are, within a few yards, it is impossible to run a server untraceably.

      Therefore, if you are running your own server, you are not running a clandestine operation, see? You really need a server in a foreign country, and you need to pay for it either with stolen credit cards or by pushing your money through the Russkaya Mafiya in St. Petersburg.

      The spam/malware kingpins live in the USA, hire coders and hit men in the former Soviet Union, initiate and control the spread of their malware through Asia, and launder the money in an Asian-Eastern European-xxx-American pipeline where xxx is a friendly banking system, usually located on a small island.

  2. Considering ACTA, UK libel laws and the Fourth Reich over at the RIAA, this sounds like a good place to host a legitimate site.

  3. a.) I find it rather ironic that you need a license for this XRumer thing…

    b.) I have a hard time seeing this as a problem. Laws are not global. What’s illegal in the US is not illegal in China. The mindset saying that breaking US law is bad, wherever you are in the world, is really problematic. It’s what leads to repressive IP policies where traditional knowledge is patented and monetized by pharma; it’s what leads to terrible colonialism whereby the industrialized former pirates of patents and IP (like the US) exercise hypocrisy in forbidding that same benefit to developing countries…

  4. Back in the ’90s when I was helping run porn sites, we would have gladly spent four times as much for bulletproof hosting of our front end services, which were under constant DDoS attacks.

    There are actual legitimate needs for such services.

  5. I don’t know about you, but cyber scum or not, I would feel hesitant making $500 payments to the PRC on a monthly basis… or even $5 payments for that matter.

  6. I would love to see some sophisticated hackers come in and hammer THESE guys… A challenging way to put their skills to good use ;)

  7. I’d be sure to use a pre-paid card dedicated exclusively to the payments to them, loaded with just enough to cover them each month on the day they were due, and all the info I register with would be fictitious. If a company exists fairly well solely to cater to moral and legal gray areas, I’d worry that that lack of concern about virtue/privacy, etc. could easily apply to my account info, too.
