New Russian Botnet Tries To Kill Rivals
alphadogg writes "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the FBI estimating last October that they have caused $100 million in losses."
Why is this news? (Score:3, Insightful)
Trojans, worms and viruses have been eliminating rivals for a long time. It's all part of the strategy to avoid being detected. The slower a system gets and the more unwanted traffic it generates, the more likely it will be analyzed in depth, and that's not good for the bot net.
Apparently we've decided to go the "natural" route in software security: Instead of making software which cannot be compromised, we do a "good enough" job with software quality and then fight infections with some kind of immune system. IMHO this is the root of the problem. Computers are not highly redundant systems like biological systems. We really ought to create software which is safe by design.
Re:Why is this news? (Score:5, Insightful)
If it was a local report about a murder, he'd show up and say "Why is this news? People have been getting murdered for several years now." Or if it was a report on a politician's speech, he'd say, "Why is this news? Politicians have been telling us lies for years and years now."
Re:Why is this news? (Score:4, Funny)
Why is this postworthy? People have been asking "Why is this news?" for years now.
Re: (Score:2, Funny)
Because the enemy of my enemy is my friend...wait.. the enemy of my enemy is my..the enemy of my friend...oh forget it. How about an antivirus worm that searches them all out and hoses them down like a hot bath of p*ss till there is no point to the black hat vocation.
Re: (Score:2)
Because the enemy of my enemy is my friend...wait.. the enemy of my enemy is my..the enemy of my friend...oh forget it. How about an antivirus worm that searches them all out and hoses them down like a hot bath of p*ss till there is no point to the black hat vocation.
The enemy of my enemy is my enemy's enemy - nothing more, nothing less.
If you've worked in a production environment, you'll know some fixes are worse than the original problem.
Re: (Score:1)
Yeah, kind of, but I picture something more dramatic and heroic.
Re: (Score:2, Insightful)
but doing it the right way front loads cost on the company that builds the correct system and places them at a competitive disadvantage with respect to shoddy software firms, say for example Microsoft and Apple.
besides, there is secure by design software. It just lacks features which makes it less competitive. Alternatively you can put a feature-rich OS on top of it, but then you've compartmentalized the problem, not eliminated it. Plus it's damned expensive. http://www.ghs.com/products/rtos/integrity_v [ghs.com]
Re: (Score:2)
We really ought to create software which is safe by design.
And how do we protect a machine from its user installing trojans disguised as fun cursors, web browser toolbars, weather apps, sexy picture screensavers, etc?
Re: (Score:1)
Exactly, thats why they created the iPad!
Re: (Score:2)
Deliver them without a power cord, make them unavailable and only hand them out as the reward for passing "computer security 101".
Re: (Score:1)
The military has a very good "computer security 101" course that all personnel have to take in order to receive a computer and get network access. They have to repeat the course every two years or every time they are redeployed to the post.
None of the users are administrators on their systems.
All passwords are two caps, two small, two number, two special characters ten or 15 total characters, depending on user access level.
They also have a much more authoritarian structure than most network environments wi
Re: (Score:2)
Trojans, worms and viruses have been eliminating rivals for a long time. It's all part of the strategy to avoid being detected.
It's news because this is a botnet-building system, kind of like an IDE or compiler. It's not the final executable. So it's sort of like a fight between mingw and VC++, where each searches for executables created by the other. Or to put it in car parlance: it's like Ford factories making all Ford cars in such a way as to detect all Toyota cars and make their pedals stick somehow. I'm guessing that prior to this, search-and-destroy was implemented by the coder, not the compiler.
Re:Why is this news? (Score:4, Insightful)
Not possible.
Why? Because the core problem with system security is no longer the technical side. Systems (yes, even Windows) are by now mostly secure. Of course, there's always the odd security hole and some even get used, but they don't represent the majority of entry points anymore, not by a longshot. Over 90% of the infections (source not available due to NDA) are due to what I endearingly call "user stupidity". See Dancing pigs problem [wikipedia.org] of computer security for reference.
That is something you can not sensibly protect against, no matter how you create your product, unless you do not allow the owner of a computer to execute code he wants to run. And that's something I would not agree with under any circumstances, since it would mean that someone else gets to dictate what I can and what I cannot do with a machine I bought and own.
And I am fairly sure the majority of people here would easily identify the problem with that.
OTOH, if people may do what they want with their machine you can NOT protect them against an infection. You can of course inform them whenever something wants undue privileges, but eventually they will be the ones deciding what privileges they want to grant. And it's easy to trick people into granting more privileges than necessary. People are used to mere games requiring administrator privileges in Windows. If for nothing else, then to install their DRM device drivers. Imagine they got some "crack" for Windows that claims to turn their copy into a fully registered, legal copy. Will they grant access to manipulate core system files, even if they are able to understand the information provided? Of course they will, because after all that's what the program promises.
Now imagine Joe Randomuser with just enough clue to hit the right button on the machine to turn it on without blowing it up getting the information that Shlabberdup.exe wants access to the thingamajig privileges, allow or deny? Joe learned that usually it "does not work" if he says deny, so he says allow. Because he wants his pig to dance.
I wonder if this how Skynet gets going... (Score:2, Insightful)
Could be an interesting way to create a "real" AI.
Re: (Score:2)
Creating Skynet would indeed be interesting.
Yay science! :P
Let the botnet wars begin! (Score:2)
What could be better than botnets trying to destroy each other? Eventually one of them will screw something up and fewer and fewer systems will be members of any botnet as they get corrupted. That can only be good news as users wind up having to reinstall their software and hopefully at least a small percentage will learn a thing or two about security along the way.
Re:Let the botnet wars begin! (Score:5, Funny)
"What could be better than botnets trying to destroy each other?"
Well, on the surface it looks good, but before long they'll be collaborating and eventually they'll learn to mate and produce better offspring. Then we'll have to amend the Defense of Marriage Act to keep botnets from getting married and start enforcing Don't Ask Don't Tell for networks.
It's amazing how many people don't know that SkyNet's parents were homosexual transvestite liberal russian hackers that smoked heavily and collected guns.
dARIUS qUAN predicted all of this. We should have listened!
Re: (Score:1, Flamebait)
Let the DNA wars begin!
What could be better than DNA-based lifeforms trying to destroy each other? Eventually one of them will screw something up and fewer and fewer regions will be members of any ecosystem as they get corrupted.
XKCD was there first (Score:5, Insightful)
How long will it be until this is a reality [xkcd.com]?
Re:XKCD was there first (Score:5, Insightful)
Is it bad that, when someone posts an XKCD link, I only click on it to confirm that it was the one I thought it was?
Re: (Score:2)
Yes. Randall should really include the name of the comic in the URL, so we can confirm without clicking.
Re: (Score:2)
Of course not, you don't get the alt-text if you do that.
Re: (Score:2)
I can nearly always guess which it is. So if you don't want to be like me....
Re: (Score:2)
Wow, I feel a bit better about myself now.
Re: (Score:1)
Is it bad that, when someone posts an XKCD link, I only click on it to confirm that it was the one I thought it was?
If you click on an XKCD link, it's generally bad. Try here instead : http://isxkcdshittytoday.com/ [isxkcdshittytoday.com]
You can build your own virus farm! (Score:2)
It can be a reality, it's just that nobody's bothered to set up a virus farm with a malware visualization system yet.
If I could just free up the hardware...
Botnets fighting botnets... (Score:3, Interesting)
Why isn't this kind of technology being used to fight botnets? Couldn't a program be released using virus-like means to disseminate itself, and try to eliminate malicious software wherever it finds it? Sort of like a distributed-computing project, with each peer actively trying to disseminate a "counter-virus"? Or "antibodies", if you will?
This would be an easy one for Microsoft (Score:3, Funny)
Re:Botnets fighting botnets... (Score:5, Informative)
The problem is ethics... both would be considered intruders, even if one is of the White Hat variety. Unfortunately it seems impossible to find ethically against something unethical, so instead we all just sit around and complain about it while the problem gets worse.
Re:Botnets fighting botnets... (Score:4, Informative)
Because it’s illegal.
People trying to do good generally won’t risk going to jail for it.
Re: (Score:2)
Probably because in many countries, remotely infecting and installing/removing software and other data on computers without authorization from the owner of the system is illegal.
If you are making a tool to compromise system to build botnets, you probably don't care too much if it occasionally gets a false posi
Re: (Score:2)
It's been done. Do a Google search for Welchia.
Irony (Score:1)
Patching an exploit in your exploit? Is that good or bad?
yes (Score:2)
Botnets already receive upgrades faster than your XP.
Re: (Score:1)
...your XP.
First of all, there's no need to insult me. I don't run Windows, thank you very much.
Second, I've yet to come across any malware with polymorphic defense mechanisms. Sure, I've read about it here and there, and I haven't encountered any infected machines in a while, but is this kind of behavior really par for the course already?
Re: (Score:3, Interesting)
http://webtorque.org/wp-content/uploads/malware_biz.pdf [webtorque.org]
the really quiet well made ones you don't hear much about.
Re: (Score:2)
Well that's pretty much the definition of quiet isn't it?
It's evolution in action. (Score:4, Informative)
They are competing for resources (which may or may not be scarce) and one can now prey on the other.
Either evolve a defence, or die out.
(Oblig tag)
That's evolution in a nutshell. Note that no one is claiming the programs spontaneously emerged into cyberspace. Evolution has nothing to say about the origin of life. Abiogenesis is not Evolution.
Re: (Score:3, Insightful)
No, I don't think so.
It doesn't matter how the code changes from one generation to the next. Mutation (copying errors) or the mixture of two halves of parental DNA, or manipulation by an outside force, or some other mechanism.
What matters is that variation is introduced, and the most successful variations survive and the less successful variations do not.
It's an iterative process, much like software builds.
Re: (Score:2)
Actually that particular problem has been looked at quite a lot.
Biological systems tend to have a lot of redundancy and fail softly.
Computer programs tend not to have much redundancy and have lots of invalid situations which cause a total crash.
Randomly change the destination of a mov or a jump and you've got nonsense code.
Try reading up on Tierra. They tried to address a lot of these problems by making the code a lot more like genetic code even going to far as to change how jumps work such that they look for pa
Oh, you kids these days, with your Intartubes (Score:4, Informative)
Re: (Score:2)
You'll soon have them fighting in wars.
Can we start using OpenBSD, Solaris, Linux? (Score:2, Insightful)
If it's really costing just American people and companies that much money, maybe it's time to stop using Windows.
There are so many alternatives! Servers should be running OpenBSD, FreeBSD, NetBSD, Solaris, Linux, Mac OS X Server, or even AIX and HP-UX.
Mac OS X and Linux make pretty damn good desktop systems for most users.
And if you need to run Windows, perhaps do it only on a system that isn't networked.
Re: (Score:2)
Whatever system is the most used will be the most attacked and almost certainly the most compromised.
Do OpenBSD, FreeBSD, NetBSD, Solaris, Linux, Mac OS X Server, or even AIX and HP-UX have less flaws than windows?
probably.
Almost certainly in fact.
But at the same time without the obscurity factor the flaws they do have will be found by determined attackers and due to the eternal demand for extra features there will always be new flaws.
There is no perfect system and you have to remember that virus writers ar
Re: (Score:1)
A cost/benefit analysis of switching might come in handy. There are other support issues besides just security.
Re: (Score:3, Insightful)
$100 million? Please.
Many times that has been wasted supporting broken version of IE.
Many times that has been wasted waiting for reboots after BSODs.
Many times that has been wasted on upgrades nobody needs other than because old version no longer get security updates.
If lost money was going to cause people to ditch Windows, they would have done it a long time ago.
One to rule them all (Score:1)
Re: (Score:3, Funny)
Your ideas interest me and I would like to subscribe to your newsletter.
Re: (Score:2)
Your ideas interest me and I would like to subscribe to your newsletter.
Don't worry, you can watch his ideas in his upcoming made-for-SyFy movie.
Re: (Score:2)
Botnet client 1: You!
Botnet client 2: Yes, me. Me, me, me....
Botnet client 1:...Me too >:)
Botnet client 2: >:)
As long as it's not guns (Score:5, Insightful)
I'll make some popcorn and we can all enjoy the show.
But seriously, only 100M in losses?
I don't have the figures at hand, but "McAfee forecasts $1.8 billion in revenue for 2009". I would put the cost of the extra security in; the US did that when prosecuting Gary McKinnon, so there appears to be precedent.
Re: (Score:1)
McAfee forecasts $1.8 billion in revenue
Then viruses, worms, botnets, etc. are forecast to do at least 1.8 billion
in damage.
honor among thieves (Score:3, Funny)
But -- but -- That was my stolen property!
What are things coming to when you can't count on honor among thieves. I mean, thieves stealing from thieves? What is this world coming to!
How to explain this to noobs? (Score:2, Interesting)
You have this infected machine, perhaps it's a bot sending out bulk spam. Or you install a game on it, and a trojaned executable steals your CD-key and sends it off... to China? To Russia? Who knows... Or you do some home banking with it (imbecile!), and possibly some program monitors your keystrokes, and sends off username+passwords to "parties unknown".
But the recurring problem: how to explain this to a noob? They're sitting on this trojaned machine, actively using it, processing private data with it, an
Re: (Score:3, Interesting)
Online banking.
Even if you don’t do online banking on the computer, you’re allowing it to use the computer to spread itself. If you knowingly permit this you’re contributing to the defrauding of other people who do get their identities stolen, etc.
Re: (Score:2)
But the recurring problem: how to explain this to a noob? They're sitting on this trojaned machine, actively using it, processing private data with it, and just don't seem to care (as long as the apparatus still does the job). Anyone know of a good way to explain it to a person like this, what the dangers are? Why they should disinfect / wipe the machine ASAP? What does it take to make them understand what it means "there's a trojan / backdoor on your machine"? Or is this futile? Should you just wait until they get hit hard(er)? Bank account emptied, e-mail account hacked, game CD-key blocked etc.? Any ideas?
At work, you become the BOFH and take away people's machines. If you're not the sysadmin, you become the sysadmin's worst nightmare: the concerned helpful almost-IT guy, and rat on your coworkers "New Ticket opened: I think Jerry's machine is infected. It's bluescreening a lot". At dinner parties, tell the plebes your horror stories of how an entire department thought they were fine, but their computers were part of a botnet doing nuclear weapons research for North Korea. You couldn't wipe the machines
Re: (Score:2)
I'm an IT monkey on campus, and we have a lot of liberty in dealing with this kind of problem, barring departmental politics. We say, "your machine is infected" and take their hard drive. Until we retrieve their files they get a disk with a clean image on it. We suggest they change their passwords for the network, any banking sites, e-mail, Facebook, etc.
But, in places where you don't have unquestioned authority over the machine, the best you can do is try to convince them to clean their machine, and the
serves them right for not living up to the bargain (Score:2)
If you can't expect your botnet-ware to keep your machine secure, then it's time to replace it. That is why we keep it on there right? It's a simple tradeoff, all our identity for some peace of mind.
So It's an AI? (Score:4, Funny)
The news that a botnet is killing its rivals is nowhere near as disturbing as the news that it's decided to kill its rivals.
Re: (Score:2)
It didn’t decide to do anything. It’s doing exactly what it was designed to do.
Re: (Score:1, Interesting)
And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring... The attracting a female part makes you do things like getting a job, education... anything you can to improve your stature within society such that you have a better chance of courting a female...
You are just an automaton.
Re:So It's an AI? (Score:5, Funny)
And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring...
I am?
Re: (Score:2)
Given your nick I'd be a bit worried there.
Re: (Score:2)
Yes. You are just doing it badly.
I am?
Re: (Score:1)
Yeah. Making offspring part will be tougher though.
Re: (Score:1)
And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring... The attracting a female part makes you do things like getting a job, education... anything you can to improve your stature within society such that you have a better chance of courting a female...
You are just an automaton.
Bullshit. I have free will and a consciousness that allows me to take a step back and predict the consequences of decisions. I choose not to reproduce my genetic material(not by not courtin
Bad analogy (Score:2)
Maybe it would be a good analogy if the trojan was programmed only to "spread" and then it decided to take out other trojans so that it could reach that goal.
The trojan is programmed, upon infection, to search for files with certain hashes (or whatever) and delete them. The decisions it made were far, far simpler with simple pre-programmed actions down to very minute details.
Humans are not programmed, for example, to put one foot in front of the other in a high-speed cycle in the direction of a gazelle and
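The parent comment's guess about how "Kill Zeus" might work, searching the disk for files with known hashes and deleting them, is the same content-hash matching a defender uses to sweep a machine for known indicators. The page does not say what SpyEye actually does, so the script below is an added example and not SpyEye's or Zeus's code: it computes SHA-256 over every file under a directory and reports the paths whose digest is on a constructed indicator list. The payload bytes, file names and directory layout are all made up here for the demonstration. The deliberately "repacked" copy, one byte different, shows why pure hash matching misses even trivial variants, which is the polymorphism point raised elsewhere in this thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample payloads. Their SHA-256 digests stand in for an
# indicator list; a real list would come from an analyst or threat feed.
SAMPLE_PAYLOADS = {
    "rival_bot.exe": b"MZ-constructed-rival-payload-v1",
    "rival_config.bin": b"constructed-rival-config-blob",
}


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_indicator_set(payloads: dict) -> set:
    """Turn sample payload bytes into the set of hex digests to look for."""
    return {hashlib.sha256(data).hexdigest() for data in payloads.values()}


def find_matches(root: Path, indicators: set) -> list:
    """Walk root and return the paths whose content hash is in indicators.

    File name and extension are ignored on purpose: the match is on
    content only, so a renamed copy is still found, while any change to
    the bytes (repacking, an appended byte) produces a different digest
    and is not found.
    """
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if sha256_of_file(p) in indicators:
                    matches.append(p)
            except OSError:
                # Unreadable or vanished file: skip it rather than abort the sweep.
                continue
    return sorted(matches, key=str)


def demo() -> list:
    """Populate a temp dir with decoy and 'rival' files; return matched paths.

    The layout is constructed for this example only.
    """
    indicators = build_indicator_set(SAMPLE_PAYLOADS)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        # Renamed copy of a known payload: content matches, name does not matter.
        (root / "sub" / "svchost_helper.exe").write_bytes(SAMPLE_PAYLOADS["rival_bot.exe"])
        (root / "cfg.dat").write_bytes(SAMPLE_PAYLOADS["rival_config.bin"])
        (root / "notes.txt").write_bytes(b"harmless text")
        # One extra byte: same family, different digest, so hash matching misses it.
        (root / "repacked.exe").write_bytes(SAMPLE_PAYLOADS["rival_bot.exe"] + b"\x00")
        found = find_matches(root, indicators)
        return [p.relative_to(root).as_posix() for p in found]


if __name__ == "__main__":
    print(demo())
```

Running it reports `cfg.dat` and `sub/svchost_helper.exe` and nothing else: the decoy is clean and the one-byte variant slips past, which is why production tooling layers fuzzy hashes, signatures and behaviour on top of exact digests. Deleting what this finds is left out deliberately; as several posters note, doing that on a machine you do not own is a legal question, not a technical one.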
Re: (Score:2)
Your reading comprehension has a bug:
Re: (Score:2)
Yes, yes... whoosh, I know.
Reminder - This CAN be fixed (Score:3, Insightful)
Microsoft's responsibility (Score:3, Interesting)
This may sound naive, but I'm assuming that the vast majority of the machines used in botnets are Windows PCs? So has any attempt been made to make Microsoft take some of the responsibility of this phenomenon on and do something about it?
Re: (Score:2)
Um, the vast majority of _machines_ are PCs, so short of some special effort, they will also harbor the vast majority of botnets. This isn't necessarily a statistical commentary, but a business one. Botnets are only as good as their numbers, and the way to get infected is to get the person sitting at the keyboard install it. Patches are generally made when exploits are found, whether it's by MS, Apple, or the OS community. That's what "patch Tuesday" is all about, and why everyone who bought and installed
Something I don't quite understand about these (Score:2)
Something I don't quite understand about these botnets: the numbers are so high, I wonder whether AV or antimalware software just doesn't detect them? Because the size of each botnet is huge!
It makes me wonder if any of my PCs are part of the bnet, and the AVs just don't detect it. I use game cracks even with games I own so I don't have to deal with CD/DVDs (2 toddlers, nothing is safe). I scan everything with clamAV and at least one other (avast/avg or even trendmicro), but using bittorrent makes it impossible to monitor
This is Russia! (Score:2)
They'll be solved by a well-targeted AK-47.
$100 Billion in Losses? (Score:1)
Minor quibble. Yes, botnets suck and mafia run hackers can suck the stale &@%$ out of a necrotic &!#@'s &#%$#. But, does anyone ever believe any of these "X causes $Y Billion" losses estimates? Whether it's the RIAA, MPAA, BSA, FBI, FCC, or whatever, I think they make those numbers up.
Re: (Score:1)
Sorry, I meant Million not Billion. Not that it matters...
How to kill bots (Score:1)
In Soviet Russia... (Score:1)
Symantec needs to get a clue (Score:2)
The youtube thing that Symantec put up really, really bothers me. Sure, they did a good job of blocking out the website they are going to, and trying to block other information from keeping script kiddies from accessing the same pages.
However, when you can watch them scroll through forums, and see usernames as unique as the ones that are present, all someone has to do is to throw the username into google, and immediately get the damn forums with the hacking toolkit. Quickly scrolling through that particular
The FBI (Score:2)
Of course they would not let the public know, but it would be nice if the only person doing this was the FBI themselves, in a hidden way to farm information, and also keep a handle on criminal activity, so starting as of now, I say we let the FBI come up with the best dang trojan, and let them battle it out with the rest of them, and I would willingly go back every once in a while to the FBI infect-me site, to make sure to get reinfected with theirs and let theirs remove all the others... could you imagine if we
Re: (Score:3, Funny)
Spy Vs. Spy!
Re: (Score:2)
Spy Vs. Spy!
Why not Bond Girl vs. Bond Girl? The spy can fetch some Martini in the meantime.