Zeus Attackers Turned the Tables On Researchers

ancientribe writes "The attackers behind a recent Zeus Trojan exploit that targeted quarterly federal taxpayers who file electronically also set up a trap for researchers investigating the attack as well as their competing cybercrime gangs. They fed them a phony administrative panel with fake statistics on the number of Zeus-infected machines, as well as phony 'botnet' software that actually gathers intelligence on the researcher or competitor who downloads it."

Why can't we have commercial software like this?

[mlts]

I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out? Of all the categories of software (games, utilities, Office suites), malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables that ever hit a CPU on the planet.

Re:

[miffo.swe]

Because they have an incentive your normal software maufacturer doesnt have. It has to work as supposed to it has to ship.

Give current software companies a reason to code properly and the quality will take a big jump with almost no effort at all. Like, i dont know, any guaranties whatsoever the stuff works?

Re:Why can't we have commercial software like this

[rastilin]

That's a very good point. Pretty much every piece of software out these days has a EULA declaiming responsibility for anything that happens with the software, up to and including serious financial harm. If your toaster catches fire and destroys something, you would obviously expect the people who made it to be held liable; not so with software. If Communism proved anything it's that if you uncouple effort from reward, people won't go the extra mile (and spend money to get there).

Re:

[Desler]

Pretty much every piece of software out these days has a EULA declaiming responsibility for anything that happens with the software, up to and including serious financial harm.

And just like with pretty much every piece of open source software as well?

Re:

[icebraining]

Yes, but most of the OSS is gratis, so a warranty wouldn't make sense, because there's no sale.

If I were to pay for that OS software, I'd expect a warranty like in any other sale.

Re:

[kmoser]

There's a reason why the GPL, and indeed most software licenses, include the phrase, "THIS SOFTWARE IS PROVIDED 'AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES". Even in the absence of a sale, there could be an implied warranty. Of course, IANAL so YMMV.

Re:

[rwven]

The OP never stated that he was only talking about closed-source software....

Re:

[rastilin]

Yes, you understand perfectly.

Re:

[Yvanhoe]

You can usually pay more to have guarantees. Militaries and industries sometimes do that. Are you ready to pay more money (like 2x or 3x) for software ? Arguably Apple does (used to do) a good job in this area.

Re:

[MoeDumb]

You obviously never lived in Krushchev's USSR.

Re:

[CarpetShark]

Because they have an incentive your normal software maufacturer doesnt have. It has to work as supposed to it has to ship.

I was expecting you to say that they don't have to pay taxes ;)

Re:Why can't we have commercial software like this

[Nadaka]

This isn't really the case. Often we face the situation where we can either not get management to allocate time to fix something, or permission to merge an existing fix into the main branch. A lot of bugs are known and developers want to fix them, but can't.

Re:

[miffo.swe]

This is where i feel some sort of law should be put in place to put pressure on management. It has to be punished to willfully ship faulty software. Right now its just a PR problem some companies just throw stuff like SDL at (and then just ignore it internally).

Re:

[icebraining]

Like a two year minimum warranty? The EC is looking into that [cnet.com].

Re:

[BraksDad]

If it works well enough, why fix it? Virus and malware were not doing their job well enough, so someone wrote the better code. It is all quite simple actually.

Re:Why can't we have commercial software like this

[ObsessiveMathsFreak]

You can't get it because you are unable or unwilling to pay top dollar for quality software that works. By contrast Botnet owners, Wall St firms, and the Chinese government are willing to pay top dollar for software which functions perfectly and reliably and indeed do so.

It should also be noted that when software companies attempt to cross such buyers by providing less than stellar product, they tend to end up regretting it. The average user by contrast keeps buying Windows, Office, Norton and DVD codec software no matter how much they get burned. The incentive to produce quality software for the general user simply doesn't exist.

Re:

[miffo.swe]

It has nothing to do with the cost of the software. Extremely expensive enterprise software are often just as crappy as any cheap crap out there, sadly sometimes even worse. The difference is that the expensive software has highly trained personnel supporting it, carefully not doing anything not throughly documented and tested.

Personally im convinced laws demanding responsibility from software firms would benefit them as well as it would put an end to the feature frenzy from the marketing departments. In th

Re:

[jwinster]

This.

Money helps develop good software of course, but it doesn't change the fact that bad software engineering practices lead to bad software. No matter how much money is thrown at it, it won't make your teams do things in a manner close to "the right way."*

* Definitions may vary

Re:

[powerlord]

It has nothing to do with the cost of the software. Extremely expensive enterprise software are often just as crappy as any cheap crap out there, sadly sometimes even worse. The difference is that the expensive software has highly trained personnel supporting it, carefully not doing anything not throughly documented and tested.

After watching a "big name" wall street firm experience multiple outages in a new trading system, ultimately bringing it down for DAYS, as the users talked to the OVERSEAS developers I would agree that money paid isn't always an indication of quality.

(the only reason it probably didn't make headlines is that the old system was still in place for redundancy as they ramped up the new one, so from an external perspective nothing happened ... which is as it should be)

Re:

[Dunbal]

but why can't we have commercial software that we pay for this well thought out?

What, you think your commercial software isn't covertly tracking you and gathering data on you?

I invite you to look at your TCP connections and all those instances of svchost.exe running on your system... and you never had to click "Allow" to let them communicate over the net.

Re:

[clone53421]

I invite you to look at your TCP connections and all those instances of svchost.exe running on your system... and you never had to click "Allow" to let them communicate over the net.

And I invite you to use SysInternals’ Process Explorer [microsoft.com] and find out what those actually are [ompldr.org].

Re:

[clone53421]

LOL, & where'd YOU get that from, clone?... ap (Score:0)

Who the fuck is ap?

Re:

[clone53421]

I invite people to use SysInternals Process Explorer.

I would never invite anyone to use APK ShitWare Garbage 2000+++ or whatever the hell you call it... unless perhaps they enjoy self-inflicted misery or want to try running it in a VM just to see how bad it really is.

For those who aren’t already familiar with APK (sit down, have the kleenex handy... and don’t complain to me later if your face hurts from laughing so much):
APK - The “Ultimate” Collection - mandatory nighttime reading f [arstechnica.com]

Re:

[clone53421]

Google still says your shitware is a virus. [google.com]

Re:Why can't we have commercial software like this

[toygeek]

Why don't commercial programs have such high quality and thought out design? Simply because there's not enough money in it. The writers of these programs (the Bad Guys(TM)) make far more money on their work than legit companies do. Plus they have real reasons for being so good: stay out of the gulag. How do you think products like Norton Antivirus got to be such pieces of crap? Make what sells instead of what works. The Bad Guys(TM) have the exact opposite motivation. Make what works, and the money starts coming in. They sell to vulnerable machines and other Bad Guys(TM) and if it doesn't work well, their paycheck doesn't get very big.

In other words, big companies don't need good programming and quality checks. They have marketing departments.

Re:

[hesaigo999ca]

I never saw it that way, being a developer myself, I tend to want to not believe what you say, but the model is appallingly apparent. If we saw money based on if our software works instead of just by selling this greatly packaged piece of crap, you might make windows come down to its knees.

It would be nice to start having a new business model for softwares at the office where the usage is rated based on how many bugs there are, thereby affecting the monthly rate to use the software.

Re:

[CODiNE]

Because those aren't what marketing prioritizes. Generally a company needs to sell the software and get it out it's doors, how well it performs only affects some vague future release. Botnet guys live or die by the performance of their software, they can take the time to get it right and "when it's ready".

So the lesson is, if you want to make quality software that makes you beam with pride, stuff you could put in "Beautiful Code" you ought to be a virus writer. ;)

Re:

[bouldin]

ha, I struck a nerve and some app programmer modded me down.

Re:

[Monkeedude1212]

I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out?

What are you talking about? We totally do!

That program that Jim in IT whipped up last night? It doesn't actually calculate the revenue for this quarter, it just displays a pre-made chart when you press the button, thats all. Basically the same thing here.

Re:

[KiloByte]

malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables

Except for a time in early 2000s when there was a slew of trojans written in Visual Basic and such, malware used to be lean. Don't you remember those 200 byte long viruses from 1980s?

Re:

[mcgrew]

200 bytes? That was a BIG virus in the 1980s! There were viruses twenty bytes long back then. But of course, all software was a whole lot leaner, by necessity.

Because this software is simple and single-purpose

[gosand]

Most "commercial" software must do everything (or multiple things) and by nature are complex. But to your point, what would YOU be willing to pay for, and can you give examples? Everyone likes to pick on MS Office, but I use it at work, and it does a ton of stuff all pretty well. Integration with Outlook and other MS apps is not all that bad considering the scope. But, that's big and complex, and has a UI. You're making a comparison of apples and tomatos.

Forgetting Linux apps completely, I'll pick an a

Re:

[wolfgang_spangler]

You have clearly not reverse engineered malware before.

There is good, well written, well thought out stuff out there. But it is not the norm.

Re:

[Securityemo]

For a simple reason: coding exploits is fiddly, extremely fiddly, and if all the code is constructed using tweezers and needle by an exploitation expert it becomes secure almost automatically?

Deviously creative, but...

[Arancaytar]

Come on, who wouldn't have thought of that?

Re:

[somersault]

All the other groups who run botnets, apparently.

Re:

[thijsh]

How would you know? Maybe they just did a better job and still have those researchers fooled.

Re:

[somersault]

I did say "apparently", which means "appearing as such but not necessarily so".

Zeus Attackers

[sycodon]

Find them.

Shoot them.

Re:

[halivar]

The researchers weren't fooled for long. While crafty, this sort of thing can only work once: the researchers now know to look for this sort of thing, and are less likely to be fooled a second time. Also, the data collected may be of questionable value.

Re:

[Monkeedude1212]

Point is though - the bot net operators now know who is gunning for them. This is a disadvantage for the researchers, it'll make it harder for them to track down the operators.

I almost admire them

[tygerstripes]

The devious, insidious bastards. It's exactly the sort of thing your average armchair-spamming-fantasist would concoct before decrying that the world is full of idiots and they would make a much better criminal, if only they had the time to learn how to code. I mean, it's creative and ridiculous on a par with bad-scifi plot twists.

A bit scary but, well, I'm impressed.

Re:I almost admire them

[AnonymousClown]

I mean, it's creative and ridiculous on a par with bad-scifi plot twists.

Bad sci-fi? I was thinking more of a Hollywood movie. The hero, a very smart well dressed man in some secret spy agency, let's say MI6, goes after the coders. Now, after using all of his super secret gadgets to infiltrate the the hackers headquarters, he's caught. BUT one of the hackers likes him and she becomes his ally, let's call her Boobies Mucho (She's Latina). Now Boobies frees this secret agent only for both of them to get caught, tied up, and hung over a tank of mutated guppies. These guppies have big teeth! And as an added bonus, have masers strapped on their heads - that's right microwave lasers! But they escape, and this secret agent finds and sets the destruct button on all of their computers - that's right, they're Dells and it's the power buttons!

The marines show up and they have a shoot out while all the Dell's are going up in explosions! The secret agent the sleeps with the ex-hacker and we 're done.

Re:I almost admire them

[Anonymous Coward]

This being Slashdot, the obvious reason is that you underinflated her...

Re:

[StikyPad]

...and we're spent.

Fixed that for you. You had me at Boobies.

Re:

[Gofyerself]

Make a screenplay out of this blurb and Hollywood will pay gazillions for it.

Re:

[noidentity]

I hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from you. Everyone else is an AI, including me.

Re:I almost admire them

[Speare]

I hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from you. Everyone else is an AI, including me.

What makes you feel like you must hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from me. Everyone else is an AI, including you?

Re:

[machco]

Thats clever, eliza

Re:

[The Archon V2.0]

I hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from you. Everyone else is an AI, including me.

What makes you feel like you must hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from me. Everyone else is an AI, including you?

Wow. This explains why people keep typing racist and sexist posts just to see what response they get.

Re:

[Synthlight]

Are you a human pretending to be a computer? Or just a computer? I can't tell!

Re:I almost admire them

[daremonai]

the whole Slashdot site is a fake, designed to get insightful comments from you.

Ha! I've outsmarted you, then. My comments are never insightful!

Re:

[AltairDusk]

But I just read that everyone except me is an AI so your comments don't need to be insightful. Of course when you read his post you would interpret that I am an AI, so assuming he was stating the truth the only logical conclusion is that we are all AI's and thus the entire site is pointless!

Re:

[daremonai]

You've won this round, mods. But I'll be back. And less insightful than ever!

Re:

[MRe_nl]

Maybe they've unfrozen Boris Grishenko...
http://www.youtube.com/watch?v=0c0K5SZNvWc [youtube.com]

Do you think he might have served as a role model for some Russians?

On a more serious note, this just tells us
a: avoid/do not pay taxes.
b: don't trust people claiming to be the government.
c: delete all emails unopened.

so what's new?

Attack launched from a random email

[digitaldc]

The lesson is for people (including researchers) to be more skeptical of who is sending you email and what it contains.
If they had realized the email was fake and deleted it, this attack would not have worked.

The bad news about internet crime

[QuantumBeep]

The bad news about botnet operators, malware authors, and other black hats: they aren't stupid.

Re:The bad news about internet crime

[Tridus]

It's natural selection in action. We catch and punish the stupid criminals more often, which allows the smart ones to thrive.

Re:The bad news about internet crime

[v1]

The bad news about botnet operators, malware authors, and other black hats: they aren't stupid.

And the worse news: we ARE

and that's why they're in business.

Re:

[delinear]

Not so much stupid (although I don't doubt a lot of people are), it's more that these attacks are so unrelenting, a person only needs to drop their guard once, at the wrong time, to get stung. It's pretty hard for even those aware of such attack vectors (such as researchers in the area) to be perpetually vigilant.

Re:The bad news about internet crime

[Kjella]

No, we're not. But the rest of us is busy trying to get things done, not play a battle of wits with black hats. It's another one of the time thieves that prevent people from actually performing work and earning money, that you just want to deflect with the least amount of hassle and cost. More often than not that's not about a head-to-head comparison, it's just about being a harder, lower profit than the rest.

I've talked to people working for rather large companies and in the end they are simply amoral. If they can increase profits by a million through lowering security so they make two million in extra income and lose one million to black hats, they don't care about the morality of it. Catching criminals is really only relevant if you can set examples that lead to fewer attacks which has a dollar value.

If it was all about security we'd all be running OpenBSD and those who made Acrobat Reader would be put to the wall and shot. That is not how the world works, even for us regular users it's about usabilty and "good enough" security. Not that I like to have my computer hacked and my identity stolen, any more than I want a burglar to rob me. But I don't live in a bunker with vault doors either.

Re:

[Domint]

. . . it's about usabilty and "good enough" security . . .

If I had any mod points, I'd give 'em to you for this comment alone. Security is not about actually being impervious to attack. It's about making yourself or your assets appear to be a less-than-appealing target to hopefully force any would-be "villain" to chase after lower-hanging fruit. If someone is seriously gunning for something you have they'll find a way to get it, regardless of the barriers presented.

Re:

[RightSaidFred99]

Nor are they geniuses. The professionals arrayed against them will always win. It's simple, really. If you were that good you wouldn't be a criminal.

Nowadays they can write big malware in high level languages, none of what they're doing is that hard especially considering most of them don't spread by obscure exploits in the OS but instead by "Durr, run this and watch the cool video of the cat dressed as a sheep!" type mails with dumb users actually running it.

Seriously, if you can just get 100k people to

Common security tactic, reversed use...

[thijsh]

So, you could call this a researcher honeypot... and apparently these guys got caught with their hand in the honey. Is it really a surprise after this tactic has been used by security researchers for over a decade?

Re:

[rakuen]

Well, in a way, yes. You see, the timing is key in something like this. We haven't heard of other botnets doing this in the past. A solid reason for this is you lose the element of surprise. Once you recognize something can occur, you tend to plan for its occurance better. Because this reverse honeypot hasn't really been done before, the Zeus authors managed to gather a quantity of data from researchers that they can use to further improve their botnet, not to mention rival botnets. Had it been done b

Re:

[thijsh]

It might have been done before and never been detected... But you are right, the security researchers would now know to check. But then again any good security researcher would only touch the malware with a 10 foot insulated pole to begin with.

Re:

[rakuen]

Well, I see them with an obvious problem in this case. You'd definitely want to gather information on this in a closed environment. Unfortunately, unless you can manage to create a botnet of your own, you're going to have to connect to the Internet eventually to try to harvest data, especially practical data. Bang. You're done.

Of course, I'm no security expert, but that's just the way I see it.

Re:

[thijsh]

Isolated VMs can have an isolated uplink too... No need to expose any systems or data.

Re:

[rakuen]

But that would still expose the isolated VMs and whatever data might be on them, correct? I mean, if the program on the VM is collecting data, which seems to be the case, then even with an isolated uplink, that data is still available.

Re:

[gsslay]

If you RTFA you'd see we have no idea how many they caught by this trick, but it wasn't "these guys". They didn't get caught. If they had got caught they'd probably not know it, and wouldn't be in a position to tell anyone about it. That's how honeypots work.

So really the more accurate title for this article would be "Zeus Attackers Tried To Turn the Tables On Researchers". Which isn't nearly as clever.

Let me get this straight...

[Mister Fright]

So, you can't trust software from malware vendors?

Re:

[a_n_d_e_r_s]

Correct this shows you can't trust software from anyone who makes software for purely commercial interests with closed source.

Stick to free software.

Re:

[The_mad_linguist]

Malware producers give out their software for free.

Re:

[John Hasler]

But it isn't Free.

Re:

[Cro Magnon]

Actually, I tend to trust the malware vendors more than I do the anti-malware vendors *cough*Norton*uncough*

Microsoft wont whack you and your family if...

[Rivalz]

If your project fails to meet standards, deadline, or perform acceptable you might end up in a hole in the ground.
At microsoft I'd imagine you could stare at a picture of steve ballmer for 8hrs a day and get employee of the month.

It came with the name

[sosaited]

When you name something "Zeus", you gotta be able to plan and code above than normal.

Wait a minute

[MintOreo]

I thought we agreed to not use the word 'cybercrime' !

Seriously?

[julian-lam]

Oh, come on! What kind of hacker, ESPECIALLY the ones who work on the Zeus botnet code, would let a string go unescaped? It's even a login string, and that's step 1 in learning to stop SQL injections. What's more depressing is that the security researchers actually thought they could get in via sql injection. Wow.

Re:

[gsslay]

What security researchers? RTFA. It just says that this is what the fake admin panel was designed to do. No one is saying that it fooled anyone.

Something I'd Love To See

[The Wild Norseman]

Scanning Corporation now, please wait...

Scanning...

Scanning...

There have been 6,553 profit(s) found in your Coporation today!  Congratuations!

Click now to give an automatic bonus to the software engineers who work for Corporation!

Note:  It is strongly recommended to perform this Scan on a regular basis and by clicking above, you have agreed to perform this Scan every week.

It didn't work

[Bob-taro]

From the article, it sounds like the honeypot was only discovered after the REAL botnet was pwned. I don't see any claim that it worked. The article says potential targets of the honeypot were researchers and competitors. I suspect the primary target was competitors. The researchers surely know they are likely being monitored and to treat anything they find with suspicion.