Underground hacker markets provide one-stop shopping for anything a miscreant might want, from stolen credit cards and pilfered passwords to spamming services and botnets. But a boutique forum recently uncovered by Kaspersky Lab focuses on just one thing: access to hacked government, corporate, and university servers, often for less than you'd pay for lunch.

Kaspersky researchers, working with a European ISP, discovered the trading forum xDedic essentially renting out space on more than 70,000 hacked servers in 173 countries, for as little as $6 and $8 apiece. These aren't just any servers, however. They're Remote Desktop Protocol servers, which administrators use to connect to and administer Windows systems on a local network. An attacker with access to an RDP server can connect to other systems, including web servers, often with administrator-level privileges.

Many of the hacked servers offered on xDedic provide access to popular gaming and betting websites, dating services, online shopping portals, and banking and payment services. Others offer a way into cellphone networks and ISPs. And some host software for conducting direct mail marketing campaigns or processing credit and debit card transactions.

In other words, the servers offer almost everything a criminal might want.

Buyers can use the servers as a platform to launch denial-of-service attacks or blast out spam and malware. They can also siphon credit and debit card numbers, confidential email correspondence or other valuable information stored on the systems. Or they can simply use the systems as jumping-off points to compromise other systems on the same network.

Selling access to compromised machines isn't new. Anyone with money can buy access to a botnet—a network of compromised computers from which the buyer can launch DDoS attacks or distribute spam and malware. But botnets usually consist of low-end desktop machines and laptops with less capacity and processing power than a dedicated server. "Here, what we're talking about are high-end servers; a lot of times corporate servers," says Juan Andrés Guerrero-Saade, senior security researcher with Kaspersky Lab's Global Research and Analysis Team. "Maybe you get lucky and you find something of interest on that particular server, or you decide to Bitcoin-mine with it, or you decide to use it as a staging server for further attacks. It really is the sky's the limit."

Kaspersky

The xDedic forum launched in 2014 and gained popularity last year with a sudden spike in the amount of servers offered—3,000 compromised servers came up for offer in mid-2015, and the number grew from there. Of the 70,000 compromised servers the marketplace currently offers, more than 6,000 are in Brazil. Another 5,000 are in China, with Russia coming in not far behind.

The marketplace appears to be operated by Russian-speaking hackers and offers servers to anyone from low-level hackers to nation-state attackers. Hackers breach the servers—often using bruteforce attacks—then provide the credentials to xDedic, which brokers access in return for a cut of the sale price. xDedic currently has more than 400 sellers, with the most prolific, a seller named UFOSystem, offering more than 16,000 servers for rent.

The owners of xDedic don't just passively sell access to hacked servers, however. They also provide sellers with custom tools to help them compromise servers, including a SysScan tool that automatically collects information about compromised systems, such as the web sites that can be accessed from them, the amount of memory on the systems and any software installed on them. Interested buyers can shop xDedic for the server that best meets their needs based on geographical location, configuration, memory, and other features.

Servers with accounting and gambling software on them, or point-of-sale software, are the most prized—the latter is used by businesses to process credit and debit card transactions and if configured poorly can expose card numbers to hackers with access to the servers. Kaspersky says about 450 of the compromised servers currently on offer at xDedic have point-of-sale software installed on them.

Kaspersky

The SysScan tool xDedic provides to hackers uploads information about each compromised server to a command-and-control server so the owners of the marketplace can track servers as they're compromised. Kaspersky was able to sinkhole five of the command servers to hijack the communication coming in from compromised machines. In doing so, the researchers were able to track the number of servers being compromised in real-time, as each reported in to their sinkhole. During one 12-hour period, systems from 3,600 unique IP addresses contacted their sinkhole, suggesting the number of servers being compromised during that time.

In addition to the SysScan tool, the marketplace owners also provide hackers with a tool to reconfigure the servers they compromise to help hide their presence on the systems and prevent the real system administrators from kicking them out. The hacker forum likens this illicit server access to having the keys to someone else's car. If the owner catches you, he can take back the keys and change the locks. "But in the meantime, you can joyride as much as you want," Guerrero-Saade says.