
When Hacked PCs Self-Destruct

An anonymous reader writes "From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"

  • Hardly self-destruct (Score:5, Informative)

    by clickclickdrone ( 964164 ) on Friday May 08, 2009 @03:38AM (#27873303)
    All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
  • by arkhan_jg ( 618674 ) on Friday May 08, 2009 @03:59AM (#27873431)

    This kind of destructive behaviour is what most ordinary people still associate with viruses; if it's not hosing the computer entirely, it's nothing to worry about. That they're partly responsible for the spam tsunami, and that their credit card details might be leaking all over the place, just simply doesn't seem to be on their radar.

    So they keep that 3-month trial of Norton they got with the computer 3 years ago, and think they're safe because their computer hasn't blown up yet.

    Plus they have a remarkable tolerance for popups - the number of PCs I get asked to look at because they're 'a bit slow' that are utterly riddled with spyware, malware and a notification area that fills half the start bar, and are hitting swap space as soon as they boot up...

  • by MrEricSir ( 398214 ) on Friday May 08, 2009 @04:02AM (#27873445) Homepage

    It's possible, at least to some extent. Old CRTs could be fried with bad programming. Modern CPUs usually have a thermal fail safe (i.e. a reboot) but not every component does this. I'm pretty sure my Radeon doesn't have this feature, since it gets hot as hell if I let it run for too long.

    Another interesting option is USB. I believe it's possible to alter the USB power with a software driver. Just set the power level to over 9000, and your peripherals will fry.

  • by mcrbids ( 148650 ) on Friday May 08, 2009 @04:08AM (#27873503) Journal

    But if the trojan hoses the host PC along with all the family photographs and all the music they've paid good money for - ah, now that might actually make people realise that there's a problem.

    I take it you have no experience dealing with "the public" and computers. They get horked, they see weird popups, and have no idea that it's really unusual. It's all "black magic" to them, anyway, so they don't differentiate much between an "Are you sure you want to NNN" and a "Sending bomb threat to Pres Obama" message.

    If it has an OK button, they'll click on it to get it out of their face.

    Once, I was doing tech support, and the customer was complaining about a condition, and I was SURE that the instructions for how to fix the condition were being displayed to the end user, who adamantly denied it. I walked her through the process, step by step, and at the appropriate point, asked her if any warning box or anything showed up. She said she saw nothing.

    So I set up a remote desktop session, had the customer perform the software procedure again, slowly, so I could see what happened. She clicked slowly, step by step, and then, at the appropriate point, I saw a brief white flash before she told me that, once again, nothing had happened.

    So I told her to take her hand OFF THE MOUSE while I performed the sequence myself.

    This time, as expected, the dialog box popped up explaining what the problem was, and exactly what to do to fix it. When I asked if she'd ever seen it before, she said "Oh yeah, I just click OK whenever I see it". I pointed out to her the first sentence in the box, which was something like "WARNING: read this carefully or you will probably lose important data!". Somehow, "lose important data" was not the same as "Why isn't the program remembering what I typed?".

    And this was no idiot - she was a well trained, college/university graduated professional!

    There is lots of humor in society about the stupidity of the average Joe. Remember that, by definition, half of everybody is even dumber than that. Sad, when you think about it, huh?

  • There already are overclocking tools that do exactly that.
    Control the fans, the temperature threshold, CPU freq etc...
    I don't see why a worm or other malware can't do the same thing.
  • by steveha ( 103154 ) on Friday May 08, 2009 @04:16AM (#27873547) Homepage

    The summary and TFA are rather light on the details I wanted. Here's what you need to know about Zeus:

    It's a Trojan that takes over Windows computers. It is being spread through phishing tricks. It is designed to be easy to use, so script kiddies can just pay US$700 to get the Zeus kit and start building botnets to steal data such as credit card numbers.

    http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310679,00.html

    One feature of Zeus is the "kos" command, for "kill operating system". This wipes out the Windows Registry and the OS files. Usually, black hat hackers don't want to kill systems they 0wn, but recently Roman Hüssy saw a whole botnet get the kos command. TFA listed three possible reasons for this: 0) rival black hat hackers might have gained enough control of a botnet to issue the kos command, to deny the botnet to its 0wners; 1) the hackers might have issued the kos command by mistake or due to incompetence; or 2) the hackers issued the kos to cover their tracks, and give them more time to use stolen data.

    That last theory makes some sense to me. If the system is still intact, the owner of the system may figure out that his system was 0wned. The kos will wipe out the evidence of Zeus as well as the OS, so all the owner really knows is that Windows really crashed hard this time.

    steveha

  • by benjamindees ( 441808 ) on Friday May 08, 2009 @04:27AM (#27873611) Homepage

    Not that I don't believe you, but doesn't reinstalling Windows overwrite the boot sector? How does a trojan on a separate partition even execute? Windows doesn't do Autorun on IDE drive partitions, AFAIK.

  • by dbIII ( 701233 ) on Friday May 08, 2009 @04:43AM (#27873691)
    It's the only way to be sure.
    To be a bit more serious what I mean by "from orbit" is run everything from some sort of media that the malware never had a chance of touching - preferably a completely different OS on read only media. Then the partitions go and the new ones get formatted before use etc etc.
    Of course the above poster knew that even though the victim of the anecdote didn't.
  • by JordanL ( 886154 ) <jordan.ledouxNO@SPAMgmail.com> on Friday May 08, 2009 @05:18AM (#27873865) Homepage

    There is lots of humor in society about the stupidity of the average Joe. Remember that, by definition, half of everybody is even dumber than that. Sad, when you think about it, huh?

    Wouldn't that be the stupidity of the median Joe?

    Just sayin'.

  • by NotQuiteInsane ( 981960 ) on Friday May 08, 2009 @06:38AM (#27874335) Homepage

    I believe it's possible to alter the USB power with a software driver. Just set the power level to over 9000, and your peripherals will fry.

    Um, no.

    The voltage on a USB connector is fixed at 5V. The controller starts up the slave device (a mouse or whatever) at 100mA, reads off the device descriptor, then kicks it up to 500mA if the device needs it, and if enough power is available.

    The rule is, having too much voltage will blow stuff up, but a device will only take as much current as it needs. If you have a chip that needs 500mA at 5V, then plug it into a 1A 5V power supply, then the chip will only 'take' 500mA from the PSU.

    Thing is, the USB host controller only has a 5V supply and a 5V output for slave devices. The absolute worst you'd be able to do is turn a couple of devices on and off at random (which could be fun to do as an April Fool's joke)...

  • Re:Remember... (Score:3, Informative)

    by confused one ( 671304 ) on Friday May 08, 2009 @07:20AM (#27874565)

    You keep using that word. I do not think this word means what you think it means.

    The caps and the burning circuit board do not meet my definition of bomb. MacGyver abhorred violence, but, in an emergency, if I were thinking like MacGyver, in addition to the computer you'd need some steel wool, ammonia, and some... yeah, that'll do...

  • by Hognoxious ( 631665 ) on Friday May 08, 2009 @08:06AM (#27874855) Homepage Journal

    Sorry, but the trojan CANNOT create a hidden partition.

    There's lots of software that can create partitions, why is a trojan any different?

  • Re:Zeus Trojan (Score:5, Informative)

    by ledow ( 319597 ) on Friday May 08, 2009 @08:30AM (#27875031) Homepage

    I beg to differ, given the example in the same post you just replied to. Anything that registers to *read* a file in Explorer can spawn *real* processes (i.e. full copies of Adobe Reader) in the background in order to extract... the Author, Title, maybe a thumbnail.

    I would call that "without your knowledge" (I don't remember seeing a security popup for that, even with non-privileged executables), "beyond reasonable means of disabling such facilities" (without uninstalling the entire damn program, or fiddling with associations by hand, and even they're just guesswork to what it actually would do) and "automatic" (I don't remember ever seeing *anything* tell me that it would be loading up every time I hover over a file in explorer). I'd add "out of your control" if you're a non-techy user, which is who Windows is *designed* for.

    Additionally, this is STILL where 99% of viruses are coming from and the methods they are using to propagate. Don't kid yourself that you'll *always* get a popup for these things, even with UAC. It's just NOT true. There are an unbelievable number of things running all the time that you have so little control over, they are effectively automatic and unstoppable to the vast majority of users. Hell, most users can't even stop LEGITIMATE apps like Quicktime, Realplayer, Java, etc. from running on startup and putting themselves in the taskbar without cancelling the setup entirely. It's up to the *application* to provide that interface most of the time, with a handful of registry locations / undocumented programs for the experienced user.

    So you have two options. Never install software on Windows (might as well be running Linux, then!) or install software which puts itself into places you stand little-to-no hope of ever finding out / removing / undoing.

    Install fresh machine. Put to latest patch level. Tell user to click everything they find online (but never "Yes" to a security dialog), insert every USB flash device they ever come across into it. Do you think they'll last a week before it blows up in their face? Do you think they can still get *anything* done?

    (I'll tell you now, my non-Windows machines pass that test quite, quite flawlessly... Mac is the closest to having problems in that regard)

    Install fresh machine. Put to latest patch level. Install bunch of commonly used programs from trusted sources in order to be able to run most websites, most programs out there. Don't install anything else. How much CRAP is in your taskbar that you can't *easily* get rid of without running the program in question and relying on there being a "don't run on startup" option? THIS IS A CONSUMER OS. Doing something *simple* like accidentally installing one antivirus program while another is running will bring a Windows machine to a complete, unusable halt (I've even dealt with bluescreens because of that exact situation) out of which the user has little hope of recovering without professional help.

    Operating systems have two choices: Expect arbitrary executables, and cover your arse as much as you can so that the *user* is always in control. Or forbid arbitrary executables.

    The second one is what businesses, governments, and the military should be using. Everyone else needs *real* uninstall, proper program sandboxing, a "Task Manager" that cannot be intercepted or delayed no matter what the computer is doing, the facility to bypass, turn off, or otherwise disable ANY change that's made to the system without having to know what that was. (i.e. a "Last Known Good Configuration" that includes only the software installed at that time).

    It really comes to something when I can spend an hour waiting for a PC to load because the user has filled it up with (non-damaging) cruft on their own accounts and it takes *literally* hours to fix, even in "Safe Mode". Too much opportunity for crap, not enough control.

  • Re:Remember... (Score:5, Informative)

    by berzerke ( 319205 ) on Friday May 08, 2009 @09:02AM (#27875337) Homepage

    how many people will stand up and piss all over the computer just because a pop-up tells them to?

    I think I've got five users that probably would. Seriously.

  • Re:Remember... (Score:3, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday May 08, 2009 @10:03AM (#27876013) Homepage Journal

    The problem with KDE is that even with themes she'll still look like she's trying to be someone else. Seriously, I can pick out a KDE desktop nine times out of ten just because it looks like someone's running StyleXP on Windows.

  • by racas ( 633636 ) <rei_saru@washout.net> on Friday May 08, 2009 @11:44AM (#27877147) Homepage
    All of the motherboards I've purchased have placed the most dangerous of the BIOS settings behind jumper protection -- you have to move J1 so it bridges 1-2 before you can change the CPU voltage, for instance.
  • by skarphace ( 812333 ) on Friday May 08, 2009 @03:48PM (#27880903) Homepage

    Let's look at what 'Joe Sixpack' really means.

    This is by no means a representation of an average American. Remember, we're the obese country?

    How do you know "sixpack" is even referencing anatomy? I think it's far more of a possibility that it's speaking of a guy with a sixpack of Bud Lite (and potentially a mullet).
