
New Russian Botnet Tries To Kill Rivals

Posted by CmdrTaco
from the there-can-be-only-one dept.
alphadogg writes "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the FBI estimating last October that they have caused $100 million in losses."
  • Why is this news? (Score:3, Insightful)

    by Anonymous Coward on Wednesday February 10, 2010 @11:16AM (#31085950)

    Trojans, worms and viruses have been eliminating rivals for a long time. It's all part of the strategy to avoid being detected. The slower a system gets and the more unwanted traffic it generates, the more likely it will be analyzed in depth, and that's not good for the bot net.

    Apparently we've decided to go the "natural" route in software security: Instead of making software which cannot be compromised, we do a "good enough" job with software quality and then fight infections with some kind of immune system. IMHO this is the root of the problem. Computers are not highly redundant systems like biological systems. We really ought to create software which is safe by design.

    • by Conchobair (1648793) on Wednesday February 10, 2010 @11:45AM (#31086336)
      I think there is a guy that just goes around from article to article asking "Why is this news?" on each of them.

    If it was a local report about a murder, he'd show up and say "Why is this news? People have been getting murdered for several years now." Or if it was a report on a politician's speech, he'd say, "Why is this news? Politicians have been telling us lies for years and years now."
      • by Imrik (148191) on Wednesday February 10, 2010 @12:09PM (#31086694) Homepage

        Why is this postworthy? People have been asking "Why is this news?" for years now.

        • Re: (Score:2, Funny)

          by flyneye (84093)

          Because the enemy of my enemy is my friend...wait.. the enemy of my enemy is my..the enemy of my friend...oh forget it. How about an antivirus worm that searches them all out and hoses them down like a hot bath of p*ss till there is no point to the black hat vocation.

          • Because the enemy of my enemy is my friend...wait.. the enemy of my enemy is my..the enemy of my friend...oh forget it. How about an antivirus worm that searches them all out and hoses them down like a hot bath of p*ss till there is no point to the black hat vocation.

            The enemy of my enemy is my enemy's enemy - nothing more, nothing less.

            If you've worked in a production environment, you'll know some fixes are worse than the original problem.

          • You mean like this one did? http://en.wikipedia.org/wiki/Nachi_worm [wikipedia.org]
          • Re: (Score:3, Informative)

            by ZzzzSleep (606571)
            I'm sure we'll reach Curious Yellow [blanu.net] at some point, just not yet.
      • Why is this informative? People have been pointing out that other people don't have the same opinion as them for several years now.
      • Why is this notable? There's always someone going around commenting on how nothing is notable.
    • Re: (Score:2, Insightful)

      but doing it the right way front loads cost on the company that builds the correct system and places them at a competitive disadvantage with respect to shoddy software firms, say for example Microsoft and Apple.

      besides, there is secure by design software. It just lacks features which makes it less competitive. Alternatively you can put a feature-rich OS on top of it, but then you've compartmentalized the problem, not eliminated it. Plus it's damned expensive. http://www.ghs.com/products/rtos/integrity_v [ghs.com]

    • by Tim C (15259)

      We really ought to create software which is safe by design.

      And how do we protect a machine from its user installing trojans disguised as fun cursors, web browser toolbars, weather apps, sexy picture screensavers, etc?

      • Easy - take away the keyboard and mouse. Oh, did you want the machine to actually be useful as well?
      • Deliver them without a power cord, make them unavailable and only hand them out as the reward for passing "computer security 101".

        • The military has a very good "computer security 101" course that all personnel have to take in order to receive a computer and get network access. They have to repeat the course every two years or every time they are redeployed to the post.
          None of the users are administrators on their systems.
          All passwords are two caps, two small, two numbers, two special characters, ten or 15 total characters, depending on user access level.
          They also have a much more authoritarian structure than most network environments wi

      • by Ltap (1572175)
        Easy - a test. "Quickly as you can, snatch the mouse from my hand."
    • by Culture20 (968837)

      Trojans, worms and viruses have been eliminating rivals for a long time. It's all part of the strategy to avoid being detected.

      It's news because this is a botnet-building system, kind of like an IDE or compiler. It's not the final executable. So it's sort of like a fight between mingw and VC++, where each searches for executables created by the other. Or to put it in car parlance: it's like Ford factories making all Ford cars in such a way as to detect all Toyota cars and make their pedals stick somehow. I'm guessing that prior to this, search-and-destroy was implemented by the coder, not the compiler.

    • by Opportunist (166417) on Wednesday February 10, 2010 @02:05PM (#31088290)

      Not possible.

      Why? Because the core problem with system security is no longer the technical side. Systems (yes, even Windows) are by now mostly secure. Of course, there's always the odd security hole and some even get used, but they don't represent the majority of entry points anymore, not by a longshot. Over 90% of the infections (source not available due to NDA) are due to what I endearingly call "user stupidity". See Dancing pigs problem [wikipedia.org] of computer security for reference.

      That is something you can not sensibly protect against, no matter how you create your product, unless you do not allow the owner of a computer to execute code he wants to run. And that's something I would not agree with under any circumstances, since it would mean that someone else gets to dictate what I can and what I cannot do with a machine I bought and own.

      And I am fairly sure the majority of people here would easily identify the problem with that.

      OTOH, if people may do what they want with their machine you can NOT protect them against an infection. You can of course inform them whenever something wants undue privileges, but eventually they will be the ones deciding what privileges they want to grant. And it's easy to trick people into granting more privileges than necessary. People are used to mere games requiring administrator privileges in Windows. If for nothing else, then to install their DRM device drivers. Imagine they got some "crack" for Windows that claims to turn their copy into a fully registered, legal copy. Will they grant access to manipulate core system files, even if they are able to understand the information provided? Of course they will, because after all that's what the program promises.

      Now imagine Joe Randomuser with just enough clue to hit the right button on the machine to turn it on without blowing it up getting the information that Shlabberdup.exe wants access to the thingamajig privileges, allow or deny? Joe learned that usually it "does not work" if he says deny, so he says allow. Because he wants his pig to dance.

  • Could be an interesting way to create a "real" AI.

    • by Krneki (1192201)
      Only if you think as the only AI the self aware AI. If you are not that demanding you can already see a sign of intelligence in this botnet.
      • by mhajicek (1582795)
        I doubt the program decided to add this feature on its own; much more likely its human master(s) added it. I see where you're going, but you're a bit premature.
    • Creating Skynet would indeed be interesting.

      Yay science! :P

  • What could be better than botnets trying to destroy each other? Eventually one of them will screw something up and fewer and fewer systems will be members of any botnet as they get corrupted. That can only be good news as users wind up having to reinstall their software and hopefully at least a small percentage will learn a thing or two about security along the way.

    • by poena.dare (306891) on Wednesday February 10, 2010 @11:29AM (#31086122)

      "What could be better than botnets trying to destroy each other?"

      Well, on the surface it looks good, but before long they'll be collaborating and eventually they'll learn to mate and produce better offspring. Then we'll have to amend the Defense of Marriage Act to keep botnets from getting married and start enforcing Don't Ask Don't Tell for networks.

      It's amazing how many people don't know that SkyNet's parents were homosexual transvestite liberal Russian hackers that smoked heavily and collected guns.

      dARIUS qUAN predicted all of this. We should have listened!

    • Re: (Score:1, Flamebait)

      by DriedClexler (814907)

      Let the DNA wars begin!

      What could be better than DNA-based lifeforms trying to destroy each other? Eventually one of them will screw something up and fewer and fewer regions will be members of any ecosystem as they get corrupted.

  • by thegameiam (671961) <thegameiam@@@yahoo...com> on Wednesday February 10, 2010 @11:22AM (#31086032) Homepage

    How long will it be until this is a reality [xkcd.com]?

  • by Anonymous Coward on Wednesday February 10, 2010 @11:23AM (#31086038)

    Why isn't this kind of technology being used to fight botnets? Couldn't a program be released using virus-like means to disseminate itself, and try to eliminate malicious software wherever it finds it? Sort of like a distributed-computing project, with each peer actively trying to disseminate a "counter-virus"? Or "antibodies", if you will?

    • Embrace, extend, extinguish...
    • by grapeape (137008) <mpope7@kc . r r . c om> on Wednesday February 10, 2010 @11:32AM (#31086142) Homepage

      The problem is ethics... both would be considered intruders even if one is of the White Hat variety. Unfortunately it seems impossible to find ethically against something unethical, so instead we all just sit around and complain about it while the problem gets worse.

    • by Cyrack (688619)
      And who do you think is going to cover the cost when the counter-bot-net screws up and wipes the PC instead of removing the bot? There is no gain for a company in making such a program, and any individual creating and distributing it is guaranteed to get sued into oblivion.
    • by clone53421 (1310749) on Wednesday February 10, 2010 @11:47AM (#31086360) Journal

      Because it’s illegal.

      People trying to do good generally won’t risk going to jail for it.

      • Meh, I'd send it out if someone wrote one for me. It's pretty easy not to get caught: just go to a public network, launch it and NEVER take credit for it. Especially for the simpler but more brutal ones like Slammer or Blaster, I always wondered why, if it was so easy to make the worm, no one created a quick program that deletes the worm and turns on autoupdates. Not only would it save everyone a lot of work but it would also be fun to watch them fight ;)
    • Why isn't this kind of technology being used to fight botnets?

      Probably because in many countries, remotely infecting and installing/removing software and other data on computers without authorization from the owner of the system is illegal.

      Couldn't a program be released using virus-like means to disseminate itself, and try to eliminate malicious software wherever it finds it?

      If you are making a tool to compromise system to build botnets, you probably don't care too much if it occasionally gets a false posi

    • by Gordo_1 (256312)

      It's been done. Do a Google search for Welchia.

  • Malware gets exploited... Are we about to see makers start releasing patches for the malware to fix security holes?

    Patching an exploit in your exploit? Is that good or bad?
  • by VShael (62735) on Wednesday February 10, 2010 @11:27AM (#31086076) Journal

    They are competing for resources (which may or may not be scarce) and one can now prey on the other.

    Either evolve a defence, or die out.

    (Oblig tag)
    That's evolution in a nutshell. Note that no one is claiming the programs spontaneously emerged into cyberspace. Evolution has nothing to say about the origin of life. Abiogenesis is not Evolution.

  • by Rogerborg (306625) on Wednesday February 10, 2010 @11:27AM (#31086080) Homepage
    In my day, we called this stuff Core Wars [robtex.com], and we kept our viruses in jars and shook them to make them fight.
  • by Anonymous Coward

    If it's really costing just American people and companies that much money, maybe it's time to stop using Windows.

    There are so many alternatives! Servers should be running OpenBSD, FreeBSD, NetBSD, Solaris, Linux, Mac OS X Server, or even AIX and HP-UX.

    Mac OS X and Linux make pretty damn good desktop systems for most users.

    And if you need to run Windows, perhaps do it only on a system that isn't networked.

    • Whatever system is the most used will be the most attacked and almost certainly the most compromised.

      Do OpenBSD, FreeBSD, NetBSD, Solaris, Linux, Mac OS X Server, or even AIX and HP-UX have fewer flaws than Windows?

      probably.
      Almost certainly in fact.

      But at the same time without the obscurity factor the flaws they do have will be found by determined attackers and due to the eternal demand for extra features there will always be new flaws.

      There is no perfect system and you have to remember that virus writers ar

    • A cost/benefit analysis of switching might come in handy. There are other support issues besides just security.

    • Re: (Score:3, Insightful)

      by characterZer0 (138196)

      $100 million? Please.

      Many times that has been wasted supporting broken versions of IE.

      Many times that has been wasted waiting for reboots after BSODs.

      Many times that has been wasted on upgrades nobody needs other than because old versions no longer get security updates.

      If lost money was going to cause people to ditch Windows, they would have done it a long time ago.

  • I think it would have been cooler for that "russian botnet killer" if it was able to convert the "enemy" botnet program and have it under its control rather than just kill it. Then that converted program could start converting its own kind. Just like what Agent Smith was doing in Matrix!
    • Re: (Score:3, Funny)

      by clone53421 (1310749)

      Your ideas interest me and I would like to subscribe to your newsletter.

      • by ae1294 (1547521)

        Your ideas interest me and I would like to subscribe to your newsletter.

        Don't worry, you can watch his ideas in his upcoming made-for-SyFy movie.

    • Botnet client 1: You!

      Botnet client 2: Yes, me. Me, me, me....

      Botnet client 1:...Me too >:)

      Botnet client 2: >:)

  • by ratboy666 (104074) <fred_weigel AT hotmail DOT com> on Wednesday February 10, 2010 @11:37AM (#31086204) Homepage Journal

    I'll make some popcorn and we can all enjoy the show.

    But seriously, only 100M in losses?

    I don't have the figures at hand, but "McAfee forecasts $1.8 billion in revenue for 2009". I would put the cost of the extra security in; the US did that when prosecuting Gary McKinnon, so there appears to be precedent.

    • by Sulphur (1548251)

      McAfee forecasts $1.8 billion in revenue

      Then viruses, worms, botnets, etc. are forecast to do at least 1.8 billion in damage.

  • by bugi (8479) on Wednesday February 10, 2010 @11:49AM (#31086378)

    But -- but -- That was my stolen property!

    What are things coming to when you can't count on honor among thieves. I mean, thieves stealing from thieves? What is this world coming to!

  • You have this infected machine, perhaps it's a bot sending out bulk spam. Or you install a game on it, and a trojaned executable steals your CD-key and sends it off.. to China? To Russia? Who knows... Or you do some home banking with it (imbecile!), and possibly some program monitors your keystrokes, and sends of username+passwords to "parties unknown".

    But the recurring problem: how to explain this to a noob? They're sitting on this trojaned machine, actively using it, processing private data with it, an

    • Re: (Score:3, Interesting)

      by clone53421 (1310749)

      Online banking.

      Even if you don’t do online banking on the computer, you’re allowing it to use the computer to spread itself. If you knowingly permit this you’re contributing to the defrauding of other people who do get their identities stolen, etc.

    • by Culture20 (968837)

      But the recurring problem: how to explain this to a noob? They're sitting on this trojaned machine, actively using it, processing private data with it, and just don't seem to care (as long as the apparatus still does the job). Anyone know of a good way to explain it to a person like this, what the dangers are? Why they should disinfect / wipe the machine ASAP? What does it take to make them understand what it means "there's a trojan / backdoor on your machine"? Or is this futile? Should you just wait until they get hit hard(er)? Bank account emptied, e-mail account hacked, game CD-key blocked etc.? Any ideas?

      At work, you become the BOFH and take away people's machines. If you're not the sysadmin, you become the sysadmin's worst nightmare: the concerned helpful almost-IT guy, and rat on your coworkers "New Ticket opened: I think Jerry's machine is infected. It's bluescreening a lot". At dinner parties, tell the plebes your horror stories of how an entire department thought they were fine, but their computers were part of a botnet doing nuclear weapons research for North Korea. You couldn't wipe the machines

    • by Z34107 (925136)

      I'm an IT monkey on campus, and we have a lot of liberty in dealing with this kind of problem, barring departmental politics. We say, "your machine is infected" and take their hard drive. Until we retrieve their files they get a disk with a clean image on it. We suggest they change their passwords for the network, any banking sites, e-mail, Facebook, etc.

      But, in places where you don't have unquestioned authority over the machine, the best you can do is try to convince them to clean their machine, and the

  • If you can't expect your botnet-ware to keep your machine secure, then it's time to replace it. That is why we keep it on there right? It's a simple tradeoff, all our identity for some peace of mind.

  • by Doc Ruby (173196) on Wednesday February 10, 2010 @12:04PM (#31086604) Homepage Journal

    An upstart Trojan horse program has decided

    The news that a botnet is killing its rivals is nowhere near as disturbing as the news that it's decided to kill its rivals.

    • It didn’t decide to do anything. It’s doing exactly what it was designed to do.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring... The attracting a female part makes you do things like getting a job, education... anything you can to improve your stature within society such that you have a better chance of courting a female...

        You are just an automaton.

        • by clone53421 (1310749) on Wednesday February 10, 2010 @01:11PM (#31087504) Journal

          And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring...

          I am?

        • by Ja'Achan (827610)
          We're on slashdot, so maybe your examples are ill-chosen...
        • by Jedi Alec (258881)

          And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring... The attracting a female part makes you do things like getting a job, education... anything you can to improve your stature within society such that you have a better chance of courting a female...

          You are just an automaton.

          Bullshit. I have free will and a consciousness that allows me to take a step back and predict the consequences of decisions. I choose not to reproduce my genetic material(not by not courtin

        • Maybe it would be a good analogy if the trojan was programmed only to "spread" and then it decided to take out other trojans so that it could reach that goal.

          The trojan is programmed, upon infection, to search for files with certain hashes (or whatever) and delete them. The decisions it made were far, far simpler with simple pre-programmed actions down to very minute details.

          Humans are not programmed, for example, to put one foot in front of the other in a high-speed cycle in the direction of a gazelle and

      • by Doc Ruby (173196)

        Your reading comprehension has a bug:

        An upstart Trojan horse program has decided

  • by ka9dgx (72702) on Wednesday February 10, 2010 @12:14PM (#31086750) Homepage Journal
    Here it is... the reminder that Capability Based Security can fix this, if we raise awareness of its existence, and push to get it implemented. The idea is older than Unix, for chrissakes.
  • by Orlando (12257) on Wednesday February 10, 2010 @12:28PM (#31086920) Homepage

    This may sound naive, but I'm assuming that the vast majority of the machines used in botnets are Windows PCs? So has any attempt been made to make Microsoft take some of the responsibility of this phenomenon on and do something about it?

    • Um, the vast majority of _machines_ are PCs, so short of some special effort, they will also harbor the vast majority of botnets. This isn't necessarily a statistical commentary, but a business one. Botnets are only as good as their numbers, and the way to get infected is to get the person sitting at the keyboard install it. Patches are generally made when exploits are found, whether it's by MS, Apple, or the OS community. That's what "patch Tuesday" is all about, and why everyone who bought and installed

  • Something I don't quite understand about these botnets: the numbers are so high, I wonder why AV or antimalware does not detect them? Because the size of each botnet is huge!

    It makes me wonder if any of my PCs are part of the bnet, and the AVs just don't detect it. I use game cracks even with games I own so I don't have to deal with CD/DVDs (2 toddlers, nothing is safe). I scan everything with clamAV and at least one other (avast/avg or even trendmicro), but using bittorrent makes it impossible to monitor

  • Given that this is Russia we're talking about, I suspect Zeus' problems won't be solved by well-targeted security upgrades.

    They'll be solved by a well-targeted AK-47.

  • Minor quibble. Yes, botnets suck and mafia run hackers can suck the stale &@%$ out of a necrotic &!#@'s &#%$#. But, does anyone ever believe any of these "X causes $Y Billion" losses estimates? Whether it's the RIAA, MPAA, BSA, FBI, FCC, or whatever, I think they make those numbers up.

  • You see, Killbots have a preset kill limit. Knowing their weakness, I sent wave after wave of my own men at them, until they reached their limit and shut down.
  • Botnet hijack...other botnet!
  • The youtube thing that Symantec put up really, really bothers me. Sure, they did a good job of blocking out the website they are going to, and trying to block other information from keeping script kiddies from accessing the same pages.

    However, when you can watch them scroll through forums, and see usernames as unique as the ones that are present, all someone has to do is to throw the username into google, and immediately get the damn forums with the hacking toolkit. Quickly scrolling through that particular

  • Of course they would not let the public know, but it would be nice if the only person doing this was the FBI themselves, in a hidden way to farm information, and also keep a handle on criminal activity, so starting as of now, I say we let the FBI come up with the best dang trojan, and let them battle it out with the rest of them, and I would willingly go back every once in a while to the FBI infect me site, to make sure to get reinfected with theirs and let theirs remove all the others... could you imagine if we
