Targeted and Opportunistic Botnet Building

Expo Theatre (Hall G) October 18, 2011

Gunter Ollmann

There’s a general myth that botnet operators are opportunistic in their building strategy. In some older and sloppier cases they are, but things have moved on. The ecosystem that supports botnet building is increasingly indistinguishable from legitimate Internet businesses – countless shades of gray – and most aspects of that business are well planned and targeted with commercial precision. As such, the targeted and opportunistic attack nomenclature is increasingly outdated – particularly when the attackers operate within a federated business model. How are some of the more successful botnet building enterprises distinguishing themselves? We’ve heard plenty about popular malware kits such as Zeus, SpyEye and TDL3, but how do these translate into the commercial botnet building industry? This talk will analyze the links between key malware construction tools, their authors’ relationships with the botnet builders, and how their malicious payloads are in fact distributed using common federated delivery campaigns. We’ll look at distinguishing between targeted and opportunistic attacks and show that the differentiation is often just a matter of perspective if you’re missing some of the middle-men operators that help facilitate a successful attack.