Zeus Attackers Turned the Tables On Researchers 119
ancientribe writes "The attackers behind a recent Zeus Trojan exploit that targeted quarterly federal taxpayers who file electronically also set up a trap for researchers investigating the attack as well as their competing cybercrime gangs. They fed them a phony administrative panel with fake statistics on the number of Zeus-infected machines, as well as phony 'botnet' software that actually gathers intelligence on the researcher or competitor who downloads it."
Why can't we have commercial software like this? (Score:5, Insightful)
I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out? Of all the categories of software (games, utilities, Office suites), malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables that ever hit a CPU on the planet.
Re: (Score:3, Informative)
Because they have an incentive your normal software maufacturer doesnt have. It has to work as supposed to it has to ship.
Give current software companies a reason to code properly and the quality will take a big jump with almost no effort at all. Like, i dont know, any guaranties whatsoever the stuff works?
Re:Why can't we have commercial software like this (Score:4, Insightful)
Re: (Score:2, Insightful)
Pretty much every piece of software out these days has a EULA declaiming responsibility for anything that happens with the software, up to and including serious financial harm.
And just like with pretty much every piece of open source software as well?
Re: (Score:3, Insightful)
Yes, but most of the OSS is gratis, so a warranty wouldn't make sense, because there's no sale.
If I were to pay for that OS software, I'd expect a warranty like in any other sale.
Re: (Score:1)
Re: (Score:2)
The OP never stated that he was only talking about closed-source software....
Re: (Score:2)
Re: (Score:2, Flamebait)
Re: (Score:1)
Re: (Score:2)
I was expecting you to say that they don't have to pay taxes ;)
Re:Why can't we have commercial software like this (Score:4, Informative)
This isn't really the case. Often we face the situation where we can either not get management to allocate time to fix something, or permission to merge an existing fix into the main branch. A lot of bugs are known and developers want to fix them, but can't.
Re: (Score:1)
This is where i feel some sort of law should be put in place to put pressure on management. It has to be punished to willfully ship faulty software. Right now its just a PR problem some companies just throw stuff like SDL at (and then just ignore it internally).
Re: (Score:2)
Like a two year minimum warranty? The EC is looking into that [cnet.com].
Re: (Score:1)
Re:Why can't we have commercial software like this (Score:5, Insightful)
You can't get it because you are unable or unwilling to pay top dollar for quality software that works. By contrast Botnet owners, Wall St firms, and the Chinese government are willing to pay top dollar for software which functions perfectly and reliably and indeed do so.
It should also be noted that when software companies attempt to cross such buyers by providing less than stellar product, they tend to end up regretting it. The average user by contrast keeps buying Windows, Office, Norton and DVD codec software no matter how much they get burned. The incentive to produce quality software for the general user simply doesn't exist.
Re: (Score:3, Insightful)
It has nothing to do with the cost of the software. Extremely expensive enterprise software are often just as crappy as any cheap crap out there, sadly sometimes even worse. The difference is that the expensive software has highly trained personnel supporting it, carefully not doing anything not throughly documented and tested.
Personally im convinced laws demanding responsibility from software firms would benefit them as well as it would put an end to the feature frenzy from the marketing departments. In th
Re: (Score:2)
This.
Money helps develop good software of course, but it doesn't change the fact that bad software engineering practices lead to bad software. No matter how much money is thrown at it, it won't make your teams do things in a manner close to "the right way."*
* Definitions may vary
Re: (Score:2)
It has nothing to do with the cost of the software. Extremely expensive enterprise software are often just as crappy as any cheap crap out there, sadly sometimes even worse. The difference is that the expensive software has highly trained personnel supporting it, carefully not doing anything not throughly documented and tested.
After watching a "big name" wall street firm experience multiple outages in a new trading system, ultimately bringing it down for DAYS, as the users talked to the OVERSEAS developers I would agree that money paid isn't always an indication of quality.
(the only reason it probably didn't make headlines is that the old system was still in place for redundancy as they ramped up the new one, so from an external perspective nothing happened ... which is as it should be)
Re: (Score:2)
but why can't we have commercial software that we pay for this well thought out?
What, you think your commercial software isn't covertly tracking you and gathering data on you?
I invite you to look at your TCP connections and all those instances of svchost.exe running on your system... and you never had to click "Allow" to let them communicate over the net.
Re: (Score:3, Informative)
I invite you to look at your TCP connections and all those instances of svchost.exe running on your system... and you never had to click "Allow" to let them communicate over the net.
And I invite you to use SysInternals’ Process Explorer [microsoft.com] and find out what those actually are [ompldr.org].
Re: (Score:2)
Who the fuck is ap?
Re: (Score:2)
I invite people to use SysInternals Process Explorer.
I would never invite anyone to use APK ShitWare Garbage 2000+++ or whatever the hell you call it... unless perhaps they enjoy self-inflicted misery or want to try running it in a VM just to see how bad it really is.
For those who aren’t already familiar with APK (sit down, have the kleenex handy... and don’t complain to me later if your face hurts from laughing so much):
APK - The “Ultimate” Collection - mandatory nighttime reading f [arstechnica.com]
Re: (Score:2)
Google still says your shitware is a virus. [google.com]
Re:Why can't we have commercial software like this (Score:5, Insightful)
Why don't commercial programs have such high quality and thought out design? Simply because there's not enough money in it. The writers of these programs (the Bad Guys(TM)) make far more money on their work than legit companies do. Plus they have real reasons for being so good: stay out of the gulag. How do you think products like Norton Antivirus got to be such pieces of crap? Make what sells instead of what works. The Bad Guys(TM) have the exact opposite motivation. Make what works, and the money starts coming in. They sell to vulnerable machines and other Bad Guys(TM) and if it doesn't work well, their paycheck doesn't get very big.
In other words, big companies don't need good programming and quality checks. They have marketing departments.
Re: (Score:1)
I never saw it that way, being a developer myself, I tend to want to not believe what you say, but the model is appallingly apparent. If we saw money based on if our software works instead of just by selling this greatly packaged piece of crap, you might make windows come down to its knees.
It would be nice to start having a new business model for softwares at the office where the usage is rated based on how many bugs there are, thereby affecting the monthly rate to use the software.
Re: (Score:3, Interesting)
Because those aren't what marketing prioritizes. Generally a company needs to sell the software and get it out it's doors, how well it performs only affects some vague future release. Botnet guys live or die by the performance of their software, they can take the time to get it right and "when it's ready".
So the lesson is, if you want to make quality software that makes you beam with pride, stuff you could put in "Beautiful Code" you ought to be a virus writer. ;)
Re: (Score:1)
Re: (Score:2)
I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out?
What are you talking about? We totally do!
That program that Jim in IT whipped up last night? It doesn't actually calculate the revenue for this quarter, it just displays a pre-made chart when you press the button, thats all. Basically the same thing here.
Re: (Score:2)
malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables
Except for a time in early 2000s when there was a slew of trojans written in Visual Basic and such, malware used to be lean. Don't you remember those 200 byte long viruses from 1980s?
Re: (Score:2)
200 bytes? That was a BIG virus in the 1980s! There were viruses twenty bytes long back then. But of course, all software was a whole lot leaner, by necessity.
Because this software is simple and single-purpose (Score:2)
Most "commercial" software must do everything (or multiple things) and by nature are complex. But to your point, what would YOU be willing to pay for, and can you give examples? Everyone likes to pick on MS Office, but I use it at work, and it does a ton of stuff all pretty well. Integration with Outlook and other MS apps is not all that bad considering the scope. But, that's big and complex, and has a UI. You're making a comparison of apples and tomatos.
Forgetting Linux apps completely, I'll pick an a
Re: (Score:2)
You have clearly not reverse engineered malware before.
There is good, well written, well thought out stuff out there. But it is not the norm.
Re: (Score:2)
Deviously creative, but... (Score:3, Insightful)
Come on, who wouldn't have thought of that?
Re: (Score:3, Insightful)
All the other groups who run botnets, apparently.
Re: (Score:2)
Re: (Score:2)
I did say "apparently", which means "appearing as such but not necessarily so".
Zeus Attackers (Score:2)
Find them.
Shoot them.
Re: (Score:2)
The researchers weren't fooled for long. While crafty, this sort of thing can only work once: the researchers now know to look for this sort of thing, and are less likely to be fooled a second time. Also, the data collected may be of questionable value.
Re: (Score:3, Insightful)
Point is though - the bot net operators now know who is gunning for them. This is a disadvantage for the researchers, it'll make it harder for them to track down the operators.
I almost admire them (Score:4, Insightful)
The devious, insidious bastards. It's exactly the sort of thing your average armchair-spamming-fantasist would concoct before decrying that the world is full of idiots and they would make a much better criminal, if only they had the time to learn how to code. I mean, it's creative and ridiculous on a par with bad-scifi plot twists.
A bit scary but, well, I'm impressed.
Re:I almost admire them (Score:4, Funny)
I mean, it's creative and ridiculous on a par with bad-scifi plot twists.
Bad sci-fi? I was thinking more of a Hollywood movie. The hero, a very smart well dressed man in some secret spy agency, let's say MI6, goes after the coders. Now, after using all of his super secret gadgets to infiltrate the the hackers headquarters, he's caught. BUT one of the hackers likes him and she becomes his ally, let's call her Boobies Mucho (She's Latina). Now Boobies frees this secret agent only for both of them to get caught, tied up, and hung over a tank of mutated guppies. These guppies have big teeth! And as an added bonus, have masers strapped on their heads - that's right microwave lasers! But they escape, and this secret agent finds and sets the destruct button on all of their computers - that's right, they're Dells and it's the power buttons!
The marines show up and they have a shoot out while all the Dell's are going up in explosions! The secret agent the sleeps with the ex-hacker and we 're done.
Re:I almost admire them (Score:4, Funny)
Re: (Score:2)
...and we're spent.
Fixed that for you. You had me at Boobies.
Re: (Score:1)
Re: (Score:2, Interesting)
Re:I almost admire them (Score:5, Funny)
What makes you feel like you must hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from me. Everyone else is an AI, including you?
Re: (Score:1)
Re: (Score:2)
What makes you feel like you must hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from me. Everyone else is an AI, including you?
Wow. This explains why people keep typing racist and sexist posts just to see what response they get.
Re: (Score:1)
Re:I almost admire them (Score:5, Insightful)
Ha! I've outsmarted you, then. My comments are never insightful!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Maybe they've unfrozen Boris Grishenko...
http://www.youtube.com/watch?v=0c0K5SZNvWc [youtube.com]
Do you think he might have served as a role model for some Russians?
On a more serious note, this just tells us
a: avoid/do not pay taxes.
b: don't trust people claiming to be the government.
c: delete all emails unopened.
so what's new?
Attack launched from a random email (Score:3, Interesting)
If they had realized the email was fake and deleted it, this attack would not have worked.
The bad news about internet crime (Score:4, Insightful)
The bad news about botnet operators, malware authors, and other black hats: they aren't stupid.
Re:The bad news about internet crime (Score:4, Insightful)
It's natural selection in action. We catch and punish the stupid criminals more often, which allows the smart ones to thrive.
Re:The bad news about internet crime (Score:4, Insightful)
The bad news about botnet operators, malware authors, and other black hats: they aren't stupid.
And the worse news: we ARE
and that's why they're in business.
Re: (Score:2)
Re:The bad news about internet crime (Score:4, Insightful)
No, we're not. But the rest of us is busy trying to get things done, not play a battle of wits with black hats. It's another one of the time thieves that prevent people from actually performing work and earning money, that you just want to deflect with the least amount of hassle and cost. More often than not that's not about a head-to-head comparison, it's just about being a harder, lower profit than the rest.
I've talked to people working for rather large companies and in the end they are simply amoral. If they can increase profits by a million through lowering security so they make two million in extra income and lose one million to black hats, they don't care about the morality of it. Catching criminals is really only relevant if you can set examples that lead to fewer attacks which has a dollar value.
If it was all about security we'd all be running OpenBSD and those who made Acrobat Reader would be put to the wall and shot. That is not how the world works, even for us regular users it's about usabilty and "good enough" security. Not that I like to have my computer hacked and my identity stolen, any more than I want a burglar to rob me. But I don't live in a bunker with vault doors either.
Re: (Score:2)
If I had any mod points, I'd give 'em to you for this comment alone. Security is not about actually being impervious to attack. It's about making yourself or your assets appear to be a less-than-appealing target to hopefully force any would-be "villain" to chase after lower-hanging fruit. If someone is seriously gunning for something you have they'll find a way to get it, regardless of the barriers presented.
Re: (Score:1)
Nor are they geniuses. The professionals arrayed against them will always win. It's simple, really. If you were that good you wouldn't be a criminal.
Nowadays they can write big malware in high level languages, none of what they're doing is that hard especially considering most of them don't spread by obscure exploits in the OS but instead by "Durr, run this and watch the cool video of the cat dressed as a sheep!" type mails with dumb users actually running it.
Seriously, if you can just get 100k people to
Common security tactic, reversed use... (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Of course, I'm no security expert, but that's just the way I see it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If you RTFA you'd see we have no idea how many they caught by this trick, but it wasn't "these guys". They didn't get caught. If they had got caught they'd probably not know it, and wouldn't be in a position to tell anyone about it. That's how honeypots work.
So really the more accurate title for this article would be "Zeus Attackers Tried To Turn the Tables On Researchers". Which isn't nearly as clever.
Let me get this straight... (Score:4, Funny)
So, you can't trust software from malware vendors?
Re: (Score:2)
Correct this shows you can't trust software from anyone who makes software for purely commercial interests with closed source.
Stick to free software.
Re: (Score:2)
Malware producers give out their software for free.
Re: (Score:2)
But it isn't Free.
Re: (Score:2)
Actually, I tend to trust the malware vendors more than I do the anti-malware vendors *cough*Norton*uncough*
Microsoft wont whack you and your family if... (Score:1, Troll)
If your project fails to meet standards, deadline, or perform acceptable you might end up in a hole in the ground.
At microsoft I'd imagine you could stare at a picture of steve ballmer for 8hrs a day and get employee of the month.
It came with the name (Score:1)
Wait a minute (Score:1)
Seriously? (Score:1)
Re: (Score:2)
What security researchers? RTFA. It just says that this is what the fake admin panel was designed to do. No one is saying that it fooled anyone.
Something I'd Love To See (Score:1)
Scanning...
Scanning...
There have been 6,553 profit(s) found in your Coporation today! Congratuations!
Click now to give an automatic bonus to the software engineers who work for Corporation!
Note: It is strongly recommended to perform this Scan on a regular basis and by clicking above, you have agreed to perform this Scan every week.
It didn't work (Score:3, Insightful)
From the article, it sounds like the honeypot was only discovered after the REAL botnet was pwned. I don't see any claim that it worked. The article says potential targets of the honeypot were researchers and competitors. I suspect the primary target was competitors. The researchers surely know they are likely being monitored and to treat anything they find with suspicion.