ZeusTracker and the Nuclear Option

One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct. Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control.

But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.


Hüssy oversees Zeustracker, a Web site listing Internet servers that use Zeus, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools.

According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system." The help file distributed with Zeus kits includes the following Google-translated explanation of this feature:

kos - incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!

In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" command had just been issued to all 100,000 infected systems.

Hüssy said he has no idea why the botnet was destroyed.

"Maybe the botnet was hijacked by another crime group," he offered in an online chat with Security Fix. Then again, maybe the individuals in control of that ill-fated botnet simply didn't understand what they were doing. "Many cyber criminals...using the Zeus crimeware kit aren't very skilled," Hüssy said.

Researchers at the S21sec blog have their own theory: that maybe attackers wield the nuclear option to buy themselves more time to use the stolen data.

"The point more probably for a phisher is to earn time," writes S21's Jozef Gegeny. "Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken."

As one might imagine, bad guys who control these Zeus crimeware servers aren't always too happy about having their networks called out. Since my interview with Hüssy on Wednesday, his site has come under a fairly massive distributed denial of service (DDoS) attack, no doubt from systems under the control of Zeus botmasters.

This is hardly the first time Hüssy has been targeted. His site at was similarly attacked last summer. Then, early one morning in August 2008, local police roused him from slumber to check on his whereabouts. Turns out, cyber crooks had been circulating a fake suicide note sent in his name to hundreds of thousands of Swiss residents.

Zeustracker divides the sites used to control infected systems into several camps: those apparently hosted at so-called "bulletproof hosting" services that specialize in remaining online despite significant pressure from law enforcement and foreign governments; those hosted on free Web hosting services; and those hosted on apparently legitimate but otherwise compromised Web servers.

One of the hacked servers -- -- was added to Zeustracker on Feb. 13, 2009. The site belongs to John Natoli, a graphic Web designer from central New Jersey. Natoli said he had been working with his hosting provider to resolve the problem, which he said he first noticed about a month ago when odd files began showing up on his server.

Natoli said he didn't know what the files were or where they were coming from, until being contacted by Security Fix. What he couldn't have known is that Zeus encrypts both the data stolen from infected systems and the configuration files left on servers that tell Zeus-infected systems which bank Web sites the attackers are trying to steal credentials for each day. In either case, the files would appear to anyone without the encryption key to be gibberish-filled files.

"I was continually deleting these suspicious files off my servers. It got kind of out of control," Natoli said, noting that he thinks the problem has been resolved, as he hasn't seen any new files in several weeks. "My hosting company provided me with some scripts that were supposed to clean things up."

Currently, about one-third of the sites listed at Zeustracker are hacked or free Web services. Imagine the good that the affected ISPs and hosting providers could do by working with customers to clean up these hosts.

If you've read this far, please join us tomorrow at 11 a.m. for Security Fix Live, where I endeavor to answer your personal technology questions and offer tailored suggestions for protecting yourself from online security threats. Can't join us then? No problem: drop me a question in advance.

By Brian Krebs  |  May 7, 2009; 4:26 PM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  | Tags: crimeware, nuclear option, zeus, zeustracker  


Back in the 'good old days,' when signals intelligence ops detected another signal attempting to 'hijack' control over especially an air navigation beacon, 'STRANGE THINGS' used to occur to those operating the hijacking beacon -- like 'death from above.'

Now if these operations emanate from the former USSR or the CCCP, such a solution could be problematic, but where they operate 'from other areas,' perhaps 'the Boy Scouts' in those areas could use some extra-ordinary common cents [pun intended] and get the job done.

Posted by: | May 8, 2009 3:01 AM

So -- uhhh -- could I bother anyone to explain to me again - just why is it that we still use MICROSOFT products? Oh - never mind. I remember the answer now. You have to be a genius geek to use anything else. I'll try to remember that, and stop harassing those who have to cope with not being genius.

Posted by: Runaway1956 | May 8, 2009 5:00 AM

If all you're killing is registry keys then wouldn't Last Known Good boot work?

Posted by: lseltzer | May 8, 2009 9:07 AM

I use a Mac and I'm not enough of an idiot to install Trojan software on it. I'm not worried.

Posted by: chassoto | May 8, 2009 9:30 AM

Thanks for another great article, Brian. Very interesting to see something of how it works from the hacker's perspective.

The only sure defence against trojans and other malicious software, for Windows users particularly, is to get a good antivirus program and keep it updated with the latest definitions.

Please see for reviews and download links for the latest software from the major antivirus companies.

Posted by: datadefender | May 8, 2009 2:13 PM

Great read. I think this illustrates just how much power these botnet controllers have at their finger tips. One push of a button and thousands, if not millions of PCs can be rendered useless. There's also all this data that can be harvested and sold on the black market. End point security solutions have to do a much better job of protecting user PCs. The general public also needs to be educated on the importance of security on their systems. I've seen so many cases of end users neglecting to use a logon password for the purpose of convenience, or not installing any form of software security program simply because they were unaware that the Internet is a dangerous place.

I've also linked your story on my blog.

Posted by: CP3O | May 8, 2009 2:49 PM

For an in-depth review of ALL major antivirus products I would suggest this site: they have actual performance reviews of ALL the major products.

Posted by: n3ujj | May 8, 2009 4:18 PM

Have to agree with runaway1956; why use a demonstrably unsafe OS, web browser, office suite, etc., when products of better quality are available, many for free? Indolence has its charms, but sometimes it is carried all too far....


Posted by: mhenriday | May 8, 2009 4:26 PM

The comments to this entry are closed.

© 2010 The Washington Post Company