When Hacked PCs Self-Destruct

An anonymous reader writes "From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"
  • by jimicus ( 737525 ) on Friday May 08, 2009 @03:38AM (#27873311)

    This could actually be a good thing if it happens.

    This is mostly speculation so take with as much salt as you think it needs.

    Historically, there's not been an obvious connection in the mind of a user whose PC has been hacked with there being a serious problem with this. After all, most home users are probably unaware that their computer is participating in a huge DDOS attack in the first place, and ISPs have been very reluctant to police their customers.

    I don't think credit card fraud through keyloggers is anywhere near prevalent enough to make people take notice either. Let's face it, a trojan which installs a keylogger and reports anything which looks like credit card details back to a known location is going to produce more valid credit card details in the space of a couple of weeks than most people could hope to use in a lifetime of fraud so even if your card details are stolen this way, I'm not sure there's a huge chance they'll ever be used.

    But if the trojan hoses the host PC along with all the family photographs and all the music they've paid good money for - ah, now that might actually make people realise that there's a problem.

  • by Opportunist ( 166417 ) on Friday May 08, 2009 @03:51AM (#27873371)

    The way you say that makes it sound like it's a bad thing...

    So, essentially, you're telling me that people who get infected are at risk of losing their PC's data. People unable or unwilling to keep their PCs secure might suffer the consequences thereof themselves instead of only posing a threat to others on the net, through spam, DDoS or spreading more malware.

    Care to explain where the negative aspect is?

  • Sensationalism (Score:2, Insightful)

    by Anonymous Coward on Friday May 08, 2009 @03:53AM (#27873381)

    Has anyone else noticed the degree of sensationalism in /. headings has risen considerably lately?

  • Good! (Score:4, Insightful)

    by Tom ( 822 ) on Friday May 08, 2009 @03:53AM (#27873391) Homepage Journal

    Finally, home PC security will be taken seriously.

    Come on, we know it works like that. Nobody takes the common flu seriously, because most of the time it doesn't hurt much - did you know that the common flu kills many thousands every year? More people died from flu in 2001 in the USA than from the 9/11 terror attacks.

    But when swine flu shows up, or bird flu, or whatever this years influenza variant is, that is frontpage news.

    Why should computer viruses be any different?

  • by amnezick ( 1253408 ) on Friday May 08, 2009 @04:04AM (#27873481) Homepage

    Unfortunately those kinds of people are not here to read your post or any other that might, just might, unveil the lack of privacy they're actually swimming in. I've helped friends in the past recover from serious issues (instant restart as soon as the mouse cursor appears onscreen, right after the boot logo disappears) and sometimes more than once, so I'm afraid that even if they did read about other people's PCs being "shattered" some, in their arrogance (or ignorance, pick one) wouldn't take any extra measures to protect their privacy.

    (but I do like it when they call the bank, from some fancy restaurant, asking what happened to their credit. "Well sir, remember that Solstice you bought last week?", "Sols'what?")

  • by wvmarle ( 1070040 ) on Friday May 08, 2009 @04:04AM (#27873483)

    Try explaining that to Joe Sixpack. When Windows doesn't work for whatever reason, the computer is "broken" and needs to be taken to a shop for repair. They cannot tell the difference between broken hardware or broken software (and software hiccups may of course be caused by broken hardware that still mostly functions - it is not always that easy to tell, even by experts).

    Self-destruct is imho a very apt description.

    Maybe it should be used more. Then more people would feel the pain of being infected. Of those 100,000 computers I cannot imagine they can actually use the data of more than a handful of people for serious crimes. All the rest of the people are not affected until the malware disables their computer.

  • by Anonymous Coward on Friday May 08, 2009 @04:06AM (#27873491)

    When it leaves all your files intact.

    The thing whacks the registry. Hardly a "nuclear option"; all your files are intact. Running the repair tool off your install CD should fix this, or you can do a reinstall with "leave filesystem alone" option.

    I heard a Congressman once say, "reporters are fight promoters". If they keep overstating what's happening, we won't know how to really secure our machines.

  • Re:WTF (Score:4, Insightful)

    by fractoid ( 1076465 ) on Friday May 08, 2009 @04:09AM (#27873507) Homepage
    Looks like either the majority of slashdotters, or the slashdot servers, self destructed.

  • by Speed Pour ( 1051122 ) on Friday May 08, 2009 @04:12AM (#27873525)

    There's at least one other reason that the botnet holder may have opted to kill it... If he downloaded something that gave him a reason to freak out. Imagine a scenario where you're looking through some stolen data and realize you just picked up information about a government run weapons facility or assassination plans. The dumbest thing you could do is leave tracks, but since that's already been done, you might as well try to destroy your tracks and hope nobody notices.

    On a side note, between the semi-bogus slashdot headline and the wildly sensationalized article, which is also misleading on at least a couple of points, there's surprisingly little news here. If more accurate information was in that article, it might be different.

  • by SpooForBrains ( 771537 ) on Friday May 08, 2009 @04:30AM (#27873623)

    or 4) they did it for shits 'n giggles. Possibly while either drunk or high.

  • by MrMr ( 219533 ) on Friday May 08, 2009 @04:46AM (#27873699)
    Try explaining that to Joe Sixpack

    What does it tell when educating the average person becomes a metaphor for an impossible task?

  • by Bigjeff5 ( 1143585 ) on Friday May 08, 2009 @04:53AM (#27873735)

    You've missed the point. And while you apparently read part of the article, you didn't read all of it obviously.

    That or you have no idea what Data is worth. Why do you think these guys are in this business?

    The data on your machine is worth anywhere from about as much as the hardware, up to 1000+ times as much as the hardware, depending on how much cash you have in your bank account.

    What this trojan did was "nuke" the OS. If it did its job well enough the fix won't be as easy as popping in a recovery disk (if you've still got it) to fix it, though a recovery partition ought to get you back to square one at least.

    Depending on who got hit, getting their PC up and running could take anywhere from a few hours (unlikely, since that person probably runs AV software and is careful about where they visit), to a few days, to weeks depending on how often they use the machine.

    If the whole point in tanking the OS was to buy time to use stolen credit card and account info, it would be pretty effective, no?

    Frankly, if all they did was somehow manage to short out the hardware without stealing any data, then it's not really much of a loss at all. Losing $50k out of your bank account, now that's a serious loss.

  • by williamhb ( 758070 ) on Friday May 08, 2009 @04:55AM (#27873753) Journal

    This time, as expected, the dialog box popped up explaining what the problem was, and exactly what to do to fix it. When I asked if she'd ever seen it before, she said "Oh yeah, I just click OK whenever I see it". I pointed out to her the first sentence in the box, which was something like "WARNING: read this carefully or you will probably lose important data!". Somehow, "lose important data" was not the same as "Why isn't the program remembering what I typed?". And this was no idiot - she was a well trained, college/university graduated professional! There is lots of humor in society about the stupidity of the average Joe. Remember that, by definition, half of everybody is even dumber than that. Sad, when you think about it, huh?

    Your users are not stupid; they have simply been desensitised by an endless stream of trivial messages marked "Warning" and "Important", and have intelligently deduced that those words are not meaningful because they are attached to every dang message and pop-up they receive. Ever notice how many pieces of trivial junk mail have the word "Important" on them? "Important notice for car-owners" about the latest insurance offer. "Warning! You may be paying too much for your haircut", etc. And recorded phone calls... "This is an important announcement about your finances ... call Rip-Off-Consolidators Ltd for the best deals in town". Not to mention the endless stream "Warning! Contents of this coffee cup may be hot" [I dang well hope so]. And the "Important" license agreements that are actually irrelevant to your staff when they start corporate-installed software for the first time [the company has already made that decision], but must nonetheless click through. The "Important" email announcement about HR training on the safe way to open an envelope (warning of the terrible dangers of a paper cut)... The "important" notice on the intranet page about staff inductions (the only useful content of which is "where's the stationery kept").

  • Re:Remember... (Score:5, Insightful)

    by aetherworld ( 970863 ) on Friday May 08, 2009 @04:59AM (#27873769) Homepage

    Actually, telling people that hackers really can turn your computer into a bomb wasn't that bad an idea. At least people feared that possibility.

    Try telling a Windows user who hasn't updated his browser [wikipedia.org] in almost 8 years that evil script kiddies can turn his machine into a spam relay. They won't care because they don't know what it means and what the implications are.

    I'm speaking from experience here...

  • by Anonymous Coward on Friday May 08, 2009 @05:01AM (#27873779)

    How did that post not get modded +5, Fucking Hilarious?

    Because it's not that funny. In fact, it's quite lame. Once a comment hits about +3 anything, idiot moderators will take it up to +5 so that in metamoderation, people will just accept it as a valid moderation and hence bolster the moderator's karma rating more.

  • by wvmarle ( 1070040 ) on Friday May 08, 2009 @05:35AM (#27873949)

    It means a computer has become a commodity, an appliance, rather than a high-tech toy. And that in itself is a good thing. Joe Sixpack should not need to know how the internals of his computer work, just the basics. I do expect Joe Sixpack to know about Windows and preferably the existence of alternatives, about a hard disk and what it does and how big he should want it, what a processor speed roughly means and whether he would need 1GB or 2GB or 4GB of memory for his needs. I don't expect him to be able to install an operating system, hunt down drivers to make it all work, partition the hard disk in the process, care about whether it is NTFS or FAT or whatever, and be able to know what the information on a blue screen means. I don't know how the internals of my digital camera work, but I do know what the megapixel and zoom functions mean for example. But if there is a problem with it I go back to the shop.

    To add the obligatory car analogy: I don't know how an internal combustion engine works, but I do know what it means to have say a 1.6 diesel engine in your car. When something about the car is broken I call my garage, I'm not trying to have it fixed. I know I have to add fuel, have to check oil now and then (though in modern cars that's also less and less), and how to add water for the windscreen sprinklers (dunno how you call those things in English). That's enough.

    100 years ago you would have to be able to fix your own car: they were new technology, quite rare, and for a select audience only. Cars were technically simpler at the time which also helped a lot. The same for computers. 20 years ago we were working with DOS, people owning a computer and actually being able to use it could normally also install the OS, and do low-level operations. That is not necessary anymore.

    When a computer breaks down and cannot start up anymore it is often NOT trivial to figure out what is wrong. An error message is not always caused by the direct error: some minor corruption in your video driver, and then the image on your screen starts playing up. Or is it really the monitor that is not good? It's not that easy.

    OK time to stop, I start rambling, I think the point is clear.

  • by Krisbee ( 644227 ) on Friday May 08, 2009 @05:40AM (#27873969)

    Yeah, and to speed up the process, you could also exercise the graphics processor using some internet commercials from the web.

  • by Huntr ( 951770 ) on Friday May 08, 2009 @05:52AM (#27874053)

    I don't know how to fix my car. I don't know how to fix my tv. I don't even know how to fix a lawn mower. If any of those break beyond something minor, someone else has to fix it for me. The computer is in the same niche for the vast majority of computer users.

  • by MrMr ( 219533 ) on Friday May 08, 2009 @05:57AM (#27874077)
    Thanks for my favourite car analogy.

    Do we really allow everybody to take off in a 'commodity' car and cause uncontrolled damage?

    Or do we demand proof of a minimal level of control of the vehicle, and a good insurance if things go wrong?

  • by Eivind ( 15695 ) <eivindorama@gmail.com> on Friday May 08, 2009 @06:01AM (#27874095) Homepage

    The reason people, even smart well-educated ones ignore alerts, is that they're trained to.

    You're bombarded with useless alerts containing useless info all the time, which over time causes you to pay less and less attention to them. What is the use of "Program xyz caused a thsdgas in module drgasefasdfs at memory-address 0xab124134qab, here's a dump of the cpu-registers"? It's just noise.

    If I'm stupid enough to update during the workday, why does XP need to ask every 15 minutes if I want to reboot ? Why is there no option for "NO! I'll do it myself -- when I want to." (there's only "now" and "later", the latter meaning "nag me again in a few minutes")

    Vista made it -worse- "Program X wants to do Y, do you want to allow this?" pops up all the time, usually in response to you 3 seconds earlier having explicitly asked for Y -- so the answer is an obvious yes.

    When people get dozens of alerts a day, 95% of which contain nothing that is understandable or useful to them, it's no wonder they've learnt to ignore them and do whatever it takes to get them out of the way.

  • by petermgreen ( 876956 ) <plugwash.p10link@net> on Friday May 08, 2009 @06:06AM (#27874123) Homepage

    Running the repair tool off your install CD should fix this, or you can do a reinstall with "leave filesystem alone" option.

    Unfortunately a significant proportion of OEMs don't provide proper install CDs anymore :(. Afaict that started sometime around the late win98/early winME era (I never bought a machine that came with 2K big brand OEM so I can't comment on what happened there).

    In the 98/ME/2K days this wasn't such a big deal since you could just borrow a CD from someone who had a proper copy. However Microsoft's actions with and since the release of XP have made it much more awkward to get around this by just borrowing a CD. Big brand OEM copies are BIOS locked. System builder and retail copies require activation and if you use them with a big brand OEM key you are going to have to ring MS and beg for activation. Volume license copies of XP don't have this shit but using a generated key is likely to trip up WGA and using a borrowed key on any machine you don't control puts the company it was borrowed from at risk of ending up on the WGA shitlist. With Vista the no-activation-required VLK copies have gone completely.

  • by wvmarle ( 1070040 ) on Friday May 08, 2009 @06:11AM (#27874155)

    Doing damage with a car may damage other cars, other people's property, and cause injury or death. The driving license is to help prevent those accidental damages, and the insurance is to cover you financially if it still goes wrong. Insurance will likely not cover damage done intentionally.

    Computers are not so. There is no way that by normal use of a computer you can cause serious damage to other computers. Let alone hurt or kill people. Those matters almost have to be intentional, and thereby proving serious control over the computer and knowing what you are doing.

    Your analogy is seriously flawed. Cars and computers are analogies when it comes to technical fields, not when it comes to liability as a result of using them.

  • by penix1 ( 722987 ) on Friday May 08, 2009 @06:31AM (#27874287) Homepage

    To take your car analogy to the state of Windows today...

    Would you be upset if your car was built with door locks and windows as an added option that can be repossessed if you don't pay a yearly fee? With the hood welded shut so every time you needed that oil you had to go to the manufacturer to get it done? How about a kill switch that other drivers control? Although that last one is appealing sometimes, I think you would be upset if your car died on you because of it. How about you having to go to 15 different manufacturers to get a basic car because the guy that made the engine doesn't make the rest? Lastly, how about the manufacturer disabling the car because they thought you were driving it illegally and demanded proof that you were legal?

    That is the state of a Windows OS these days. You are at the mercy of the vendor for software bug fixes even if that fix is a simple one. You are at differing vendors mercy for securing the OS vendor's product. You are locked into that vendor's product not because of technical reasons but for reasons of greed. Lastly, you are treated as a thief right from the start with mandatory product activation. That is the state of closed source software these days.

  • Re:Remember... (Score:5, Insightful)

    by rhyder128k ( 1051042 ) on Friday May 08, 2009 @06:45AM (#27874381) Homepage
    Am I the only one who thought, "I'd RATHER that malware corrupted a Windows installation than it sat there, harvesting data"?

  • by robthebloke ( 1308483 ) on Friday May 08, 2009 @06:51AM (#27874403)

    vista

  • Re:Remember... (Score:5, Insightful)

    by ecotax ( 303198 ) on Friday May 08, 2009 @07:05AM (#27874499)

    Am I the only one who thought, "I'd RATHER that malware corrupted a Windows installation than it sat there, harvesting data"?

    No, but after reading the article I understand that a use case for this feature is: first harvest data, then win additional time to abuse this data by disabling the computer.

  • by ukyoCE ( 106879 ) on Friday May 08, 2009 @07:29AM (#27874605) Journal

    You are correct. I don't believe him.

    It sounds like he saw a size difference between the partition and the disk size (maybe even the built in Dell/HP restore partition) and assumed it was because of the trojan.

  • by iangoldby ( 552781 ) on Friday May 08, 2009 @07:55AM (#27874785) Homepage

    Doing damage with a car may damage other cars, other people's property, ...

    There is no way that by normal use of a computer you can cause serious damage to other computers...

    You're joking right? Where do you think most spam comes from, distributed denial of service attacks, identity theft, etc? hint [wikipedia.org]

  • by ledow ( 319597 ) on Friday May 08, 2009 @09:22AM (#27875533) Homepage

    Define bloat. Hard disc space? Not at all. RAM? Not at all. Executable size? Not at all.

    It would only need a tiny program capable of reading PCI IDs and program names, maybe even Windows patch levels, a hashing algorithm and a built-in P2P facility. It would be *smaller* than most viruses which tend to be written in bloat-ridden languages like VB. A megabyte of executable means *nothing* anymore and you can barely see it transfer/run. I've seen 20-50Mb installers for single files, for God's sake.

    Everything else would be stored on a P2P network (like Conficker does), for which the virus itself could easily suck a hundred megs or so of temporary disk space from every infected machine with nobody noticing. The rest is downloaded on an as-needed basis by the virus, based on the hashes of the programs it sees running and the hardware it sees installed. It downloads *just* those exploit modules (which, being modular, need do nothing more than compromise the program/hardware required and return administrative control to the original virus). It would come with, say, one built-in compromise which it uses to get into machines and once on-board distributes multiple versions of itself (possibly with a *different*, random built-in compromise in each one, so that it becomes autonomously updating and spreading).

    Want to take advantage of a new vulnerability? Release a signed, hashed file onto the P2P network and watch it explode on millions of existing and new machines. Those machines already infected will pick up the new file and create derivatives for you, or use it to gain admin privileges if the machine they are on has the right hardware/software combination. For additional resiliency, have it track which are the most common types of successful infections over time and bias its "generator" towards those (remember when virus meant "self-replicating"?). That way "new" compromises get more of a workout, and "successful" compromises are the mass that keep the rest of the swarm ticking over.

    Get an assembler programmer to do it for you and you could do it in *literally* kilobytes by taking advantage of internal Windows libraries. Do it in VB or some large language and have it in under a Meg. You can't even *see* the loading time for a 1Mb executable any more, unless it's off a floppy or something.

  • by GF678 ( 1453005 ) on Friday May 08, 2009 @09:25AM (#27875571)

    Plus they have a remarkable tolerance for popups - the amount of PCs I get asked to look at because they're 'a bit slow' that are utterly riddled with spyware, malware and a notification area that fills half the start bar, and are hitting swap space as soon as they boot up...

    I know, it's ridiculous!

    Today I was looking at a teacher's personal laptop, waiting for it to complete the logging in process after entering user credentials in Windows XP. My laptop can cold boot, run POST, boot Vista, log into my account, show the desktop and complete loading of all startup programs/services, then shutdown and power-off, and that entire process would STILL have been quicker than this guy's laptop finishing its startup after user login. Not to mention it was using 100% of one of the cores continuously and no process was showing the cause.

    I kept reiterating to him, this isn't normal! How can you have been working like this for so long? Turns out he agreed, and was planning to buy a new laptop. Doesn't matter that nothing's physically wrong with the current one, and I can guarantee a reformat/reinstall would show an amazing difference. But I suppose throwing cash at new hardware is one way to fix things.

  • by snspdaarf ( 1314399 ) on Friday May 08, 2009 @09:29AM (#27875627)
    Normally, that answer comes from parents, and is a code for "I took the batteries out so that damn noise would stop."

  • by NotBornYesterday ( 1093817 ) * on Friday May 08, 2009 @10:25AM (#27876301) Journal

    You might not know how to fix your lawnmower, but I'd bet you know how to put gas & oil in it, remove dog poo from the wheels, and have the sense not to run over big, obvious rocks. By not taking basic, common-sense (oxymoron, I know, I know ...) precautions and doing basic maintenance, Joe Sixpack invites this upon himself. The information is available. The products to help protect Joe & his Wintoy are inexpensive and easy to get and use.

  • by level_headed_midwest ( 888889 ) on Friday May 08, 2009 @10:38AM (#27876439)

    Some boards have jumpers that prevent the CMOS from being overwritten. That seems like a very good solution to me.

  • Re:Remember... (Score:4, Insightful)

    by Anonymous Coward on Friday May 08, 2009 @10:58AM (#27876641)
    Wait, so let me get this straight: your son installed a dialer on your computer while he was unsupervised, but somehow it is the phone company's fault you were charged for it? I'm sorry, but that is one of the major things that is wrong with society. Nobody can take the blame for their own or their charges' actions (yes, your child is your responsibility). It's not the phone company's responsibility to filter all outgoing calls automatically. It's not the phone company's responsibility to supervise your son's porn surfing. What you do in this instance is ground your kid or make him pay you back $300 if he is old enough to work, you don't bitch at the phone company for it.

  • by Stevecrox ( 962208 ) on Friday May 08, 2009 @10:59AM (#27876653) Journal
    Do you not find that depressing? I know how to strip down and rebuild my super bike, I can repair lawn mowers, build furniture, I'm gonna have a look at an old LCD and see if it's fixable. Sure I can do none of these things to the same standard as a craftsman. But I understand the principles and can get things done when needed.

    I've never understood this desire by the "average" person not to take any interest in what they spend their money on and use everyday. I recently spent £700 on a TV, before I did that I spent a month (occasional hour here, another there) researching TVs, finding out what the contrast ratio meant, sound options, refresh rates, etc. I took time to go to a couple of different shops and look at various TVs and see which ones I thought were better.

    Doing this and taking the time to learn doesn't take much time at all, I probably spent more time going to the gym in the last month than wondering about TVs (I only go twice a week). I did it because I wanted a decent TV and after going to a Currys and Comet and being told a lot of information which was obviously incorrect I decided to learn rather than be ripped off. This seeming happiness in wilful ignorance has always depressed me, does it not you?

  • Re:Remember... (Score:1, Insightful)

    by Anonymous Coward on Friday May 08, 2009 @12:23PM (#27877679)

    Your own example doesn't support your conclusion. The telco simply went after the most likely method to retrieve the money. Their chances of getting money back from the Russian telco were essentially nil. Their chances of getting you to pay it were very good. Which you proved by paying them, just like most customers.

    Is it "right"? No. It's just like 'identity theft' which is a bullshit term that puts litigation responsibility on a customer, rather than on the company that was defrauded by a con artist. The customer should not be involved beyond confirming that it was not in fact themselves who made the transaction.

    Telcos and other businesses are not courts -- they are not interested in "right". They are driven by the laws of capitalism that pays their shareholders, period. They can and will do everything that is not both illegal and enforced by law agencies. It has nothing to do with crackers having 'friends in high places' with telcos.

  • by powerlord ( 28156 ) on Friday May 08, 2009 @01:27PM (#27878635) Journal

    But I suppose throwing cash at new hardware is one way to fix things.

    Well, in their defense, that has been "required" up till relatively recently.

    If you wanted to run Office/Web Browser/Watch Videos/etc. you often needed to upgrade your computer a few times over the past decade or two.

    Most people are still caught in that mindset of "oh, I guess I'll need to replace it every X" where X is somewhere between 6 months and 2 years.

    They also don't probably realize that the computer they have NOW (provided they got a dual-core model with "enough" memory) is probably sufficient to do anything most people use it for on a daily basis ... provided it doesn't get loaded down with Malware/Crapware/Viruses/Trojans/etc.

    Until they realize that the old "upgrade treadmill" has leveled off, they're still expecting their computer to slow down over time. :/
