When Hacked PCs Self-Destruct
An anonymous reader writes "From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"
It looks like slashdot was taken down by the self destruct too!
Hackers can turn your home computer INTO A BOMB
All versions of windows are affected by this self-destruct bug,
BY DEFAULT!!!!
There are many series of commands that can make your machine unwillingly self destruct...
All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
I want a list of atrocities done in your name - Recoil
this could actually be a good thing if it happens.
This is mostly speculation so take with as much salt as you think it needs.
Historically, there's not been an obvious connection in the mind of a user whose PC has been hacked with there being a serious problem with this. After all, most home users are probably unaware that their computer is participating in a huge DDOS attack in the first place, and ISPs have been very reluctant to police their customers.
I don't think credit card fraud through keyloggers is anywhere near prevalent enough to make people take notice either. Let's face it, a trojan which installs a keylogger and reports anything which looks like credit card details back to a known location is going to produce more valid credit card details in the space of a couple of weeks than most people could hope to use in a lifetime of fraud so even if your card details are stolen this way, I'm not sure there's a huge chance they'll ever be used.
But if the trojan hoses the host PC along with all the family photographs and all the music they've paid good money for - ah, now that might actually make people realise that there's a problem.
The next "I'm a PC, I'm a Mac" commercial is gonna rule!
Mac: Umm... PC.... why are you stabbing yourself repeatedly with that pen...
Georgia Tech, the leader in Chia(tm) technology.
Now all we need is for computers to be able to literally self-destruct, short circuit and cause property damage, perhaps burn a house down. That is what it is going to take for people to take security seriously. People don't care if their computer is part of a botnet as long as they can check their emails and look at dancing pandas on YouTube; that will change if they think their computer can explode because of it.
Could you screw with the voltage and thermal thresholds to cause a system to literally self destruct?
The way you say that makes it sound like it's a bad thing...
So, essentially, you're telling me that people who get infected are at risk of losing their PC's data. People unable or unwilling to keep their PCs secure might suffer the consequences thereof themselves instead of only posing a threat to others on the net, through spam, DDoS or spreading more malware.
Care to explain where the negative aspect is?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Has anyone else noticed the degree of sensationalism in /. headings has risen considerably lately?
Finally, home PC security will be taken seriously.
Come on, we know it works like that. Nobody takes the common flu seriously, because most of the time it doesn't hurt much - did you know that the common flu kills many thousands every year? More people died from flu in 2001 in the USA than from the 9/11 terror attacks.
But when swine flu shows up, or bird flu, or whatever this year's influenza variant is, that is frontpage news.
Why should computer viruses be any different?
Assorted stuff I do sometimes: Lemuria.org
The things Microsoft will do to make you upgrade to Vista :)
How fucking dare anyone out there make fun of Windows after all it has been through!
It lost its XP, it went through a Vista. It had two fuckin Service Packs.
Its boss turned out to be a user, a cheater, and now it's going through a custody battle. All you people care about is….. BOTNETS and making money off of her.
IT'S A WINDOWS! (ah! ooh!) What you don't realize is that Windows is making you all this money and all you do is write a bunch of crap about it.
LEAVE IT ALONE! You are lucky it even BOOTED for you BASTARDS!
LEAVE WINDOWS ALONE!…..Please.
"Tearing itself apart"... bah, what a disappointment. I checked and they can't even make the PC explode. :/
All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
In fact it could prompt someone to install Linux afterwards
Looks like either the majority of slashdotters, or the slashdot servers, self destructed.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
viruses are nothing new.
Homer: Nucular... It's pronounced Nucular ...
There's at least one other reason that the botnet holder may have opted to kill it....If he downloaded something that gave him a reason to freak out. Imagine a scenario where you're looking through some stolen data and realize you just picked up information about a government run weapons facility or assassination plans. The dumbest thing you could do is leave tracks, but since that's already been done, you might as well try to destroy your tracks and hope nobody notices.
On a side note, between the semi-bogus slashdot headline and the wildly sensationalized article, which is also misleading on at least a couple of points, there's surprisingly little news here. If more accurate information was in that article, it might be different.
- Nobody would know what RTFA meant if it didn't need to be said all the time
The summary and TFA are rather light on the details I wanted. Here's what you need to know about Zeus:
It's a Trojan that takes over Windows computers. It is being spread through phishing tricks. It is designed to be easy to use, so script kiddies can just pay US$700 to get the Zeus kit and start building botnets to steal data such as credit card numbers.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310679,00.html
One feature of Zeus is the "kos" command, for "kill operating system". This wipes out the Windows Registry and the OS files. Usually, black hat hackers don't want to kill systems they 0wn, but recently Roman Hüssy saw a whole botnet get the kos command. TFA listed three possible reasons for this: 0) rival black hat hackers might have gained enough control of a botnet to issue the kos command, to deny the botnet to its 0wners; 1) the hackers might have issued the kos command by mistake or due to incompetence; or 2) the hackers issued the kos to cover their tracks, and give them more time to use stolen data.
That last theory makes some sense to me. If the system is still intact, the owner of the system may figure out that his system was 0wned. The kos will wipe out the evidence of Zeus as well as the OS, so all the owner really knows is that Windows really crashed hard this time.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
Go home dad, you're drunk.
I am the lawn!
Brings up an interesting question: how, exactly, would you force a computer to actually self-destruct (i.e. become useless) instead of just requiring a restore from backup? Write the CMOS repeatedly til it coughs? Tell the CPU to cease cooling?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
It's called the Irene Demova virus, right?
The problem is the slashdotters are in an unresolvable emotional deadlock.
Do we cheer for destroying 100000 infested Windows installations, or do we rage at the crapware producers who make this possible...
It's the only way to be sure.
To be a bit more serious what I mean by "from orbit" is run everything from some sort of media that the malware never had a chance of touching - preferably a completely different OS on read only media. Then the partitions go and the new ones get formatted before use etc etc.
Of course the above poster knew that even though the victim of the anecdote didn't.
It seems the latest version of the Zeus Trojan...
According to Mactards and Tuxtards, trojans aren't a proper security threat because they require user interaction. Are they only a threat on Windows systems?
Squirrel!
First of all it removes the trojan from the net. Secondly, more important, it removes ignorant users from their machines, making everyone's life more bearable!
This is probably the education many absolutely ignorant users need to keep their systems up to date!
Natoli said he didn't know what the files were or where they were coming from, until being contacted by Security Fix. What he couldn't have known is that Zeus encrypts both the data stolen from infected systems and the configuration files left on servers that tell Zeus-infected systems which bank Web sites the attackers are trying to steal credentials for each day. In either case, the files would appear to anyone without the encryption key to be gibberish-filled files.
Couldn't you get the keys when the attacker connects, or when the program is loaded into RAM?
IranAir Flight 655 never forget!
100,000 credit card #s, buy 1 or 2 gold coins per card, or 12 silver coins, and ship them somewhere... that's a lot of gold to get.
Liberty freedom are no1, not dicks in suits.
In cases like this, the dialog boxes should have a minimum show time before OK is enabled, thereby forcing the user to read, but only for serious dialog boxes.
Again it's Microsoft's fault for not thinking of this feature to be part of all APIs, with one simple parameter. Oh, and using a 2x larger red font cannot hurt in the slightest for serious warnings.
Liberty freedom are no1, not dicks in suits.
Just stop all the fans on cpu and gfx cards.
Use 100% cpu, and tax the GFX core.
Send some hardcore full power commands to all USB devices, or use full IO in usb devices.
Make the HD seek from end to end for as long as possible.
Send power save on / off commands real fast to the LCD until it dies.
Spin the dvdrom up too, or turn on its laser, without a CD in it.
That baby will melt in minutes.
Liberty freedom are no1, not dicks in suits.
Sounds like they're trying to infect all the older wintendo versions out there, nuke them, and force people to upgrade. The things people will do for money...
There's two completely contradictory definitions of "trojan", one refers to the infection method, the other refers to the existence of a backdoor. Apparently different researchers were thinking of different parts of the Trojan Horse myth: tricking the Trojans to bring the horse into the city, or opening a gate to let the Greek army in.
At least we should be glad they haven't decided to use the condom metaphor as well.
It means you go everywhere reeaaaalllllyyy slloooooowllly...
How did that post not get modded +5, Fucking Hilarious?
because it's not that funny. in fact, it's quite lame. once a comment hits about +3 anything, idiot moderators will take it up to +5 so that in metamoderation, people will just accept it as a valid moderation and hence bolster the moderator's karma rating more.
So true! I bet you that idiot moderators will overlook your comment and perhaps mod it troll.
hip hip...
The problem is the slashdotters are in an unresolvable emotional deadlock.
Do we cheer for destroying 100000 infested Windows installations, or do we rage at the crapware producers who make this possible...
Dude, Obama's in office -- we can have it all.
From the article: ...Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart...
Hmmm, I might query the qualification "expert" given that:
Neil
Don't be alarmed. That was a DHS minder who modded you down. WARNING: Sender may hold some views expressly disapproved by the Hon. Janet Napolitano, U.S. Secretary of Homeland Security.
Here, let me fix that for you:
"WARNING: Sender may be deluded into thinking that DHS, Hon. Janet Napolitano, or anyone who doesn't listen to AM Radio cares about his cries of victimization or whether he considers himself part of the "Conservative Underground", "Teabag Set" or has been "Hannitized"."
You are welcome on my lawn.
Cheer that the Windows Malware has escalated to the point that MAYBE, just MAYBE the average joe will pay attention.
Hey, Joe! yeah you! Windows machines can be destroyed by viruses.
Nahhh. I doubt it. These morons will still click on every pop-up and run every attachment sent to them.
"it told me my virus definitions was out of date in a shaking windows box. The computer must have been scared! so I clicked on it!"
Do not look at laser with remaining good eye.
All your base are belong to us!!!
... welcome our new cyber criminal pseudo nuclear not quite self destructible overlords.
-- dnl
Um, old news here... Ramzi is way more advanced than this article, and years ahead as well... http://www.youtube.com/watch?v=Ij6huKsW0Z0
Why give away the fact that you have infected a machine and force a reinstall of that person's Windows copy, to then get your malware destroyed or removed? I really see no point in this, except if they were to write a RAM or boot virus, to come back after a reinstall; otherwise there would be no way to get them reinfected again...
Why also blow up a machine and tell that person "hey stupid I got you see..." this will make the person more careful of their actions, thereby lowering the chance for reinfection....really does not make sense.
He said the guy didn't do a very careful install.
I think I'm playing this out in my head and remembering a laptop I used at the last computer company I worked for, before I got fed up with the industry --
No install CD. Get it yet?
How do you do a re-install? There's a partition on the disk dedicated to holding an install image.
Does that clarify things for you?
And, yeah, some MSWindows installers do, in fact, fail to default to a choice to completely re-format the whole disk.
No need for autorun.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Back when wolves used to roam about in Europe and North America, the weakest got selected to be eaten. Same with lions in Africa, they take the slowest antelopes. So when someone has their computer break the weakest are taken out and perhaps the people get a clue after it happening. First you may lose some files, then you learn to do backups. The computer being wiped only makes it stronger next round.
-p
Roman Hussy?!?
Normally, that answer comes from parents, and is a code for "I took the batteries out so that damn noise would stop."
Why, without your clothes, you're naked, Miss Dudley!
The only idea I came up with was that it was for destroying evidence.
My new blog
Maybe it's just the cryptoanarchist in me, but could this actually be the work of a good-intentioned gray hat hacker fed up with the botnets polluting the internet and deciding to take matters into his own hands?
I remember the article discussing one of the Conficker variations and how security experts at one firm had an opportunity to take over the botnet, if only temporarily, but chose not to do anything but collect data because attempting to "cure" the infected machines could potentially cause data loss, which the company would be liable for. When I read that, I remember thinking, "Man, where's a vigilante security expert when you need one?"
While I'm sure it would be awful for all those grandmothers and AOL users, I can't help but think the net gain would be worth it. In reinstalling their OS, they'd be much more security-conscious and make it harder for reinfections.
Hey, maybe that's what the economy needs! A massive boost to the IT industry as the unsecured masses get their OSes borked and have to get them fixed and files restored.
All that aside, I'm thinking this is probably an example of Hanlon's Razor.
For me the [x] means "Don't even ask"
I hate the messages "do you want me to ____ [ YES ] [ NO ] [ NOT NOW ]"
I want to say "Don't ever ask me about _____ (or anything else) ever again, just stop talking to me, you wretched machine"
INFO, WARNING, ALERT message types were really clever when they were invented. Now they are hatesome (to coin a word).
No wonder we have a selection of non-modal notice display libraries these days, producing a wonderful waterfall-like cascade of notices that we can ignore.
Soon there will be a waterfall theme so we don't have to ignore them.
blog.sam.liddicott.com
The lady doth protest too much, methinks...
for the lack of proper install CDs. Apparently they thought it was a copyright infringement vector.
Does the PC actually explode? or just the OS is corrupted beyond repair
all of the analysis of hacker standard operating procedure is they want to maximize their power or their financial gain. this is in fact the motivation for 99% of people who commit any crime in this world
however, there is a small subset of criminal in this world who does what he does for only one reason: he just desires destruction out of pure teenaged nihilistic impulse: why throw rocks at windows? just to hear the glass break. there is no leverage over such a person, nor logical analysis of their motivation. and they will eventually get their hands on a botnet someday, and execute the "nuclear option" out of simple glee. as long as they don't get their hands on a real nuke i suppose
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
if JJ Abrams told you to rip your flesh from your bones, i think the slashdot crowd would be mostly skeletons
"Do we cheer for destroying 100000 infested Windows installations, or do we rage at the crapware producers who make this possible..."
Those responses are not mutually exclusive.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Looks like the "fairly massive" DDoS attacks mentioned in the article has carried through. At least, abuse.ch is down.
I'd say you're right, considering that a disturbingly large percentage of Windows users I know think that their monitor is the "computer" and the mini-tower is "the hard drive." Even after I've explained it 100 times. They just look at me like, "yeah, right, Mr. Know-it-all!"
:q!
there's always the good ol' phone book and a payphone).
.. you'll have some adjusting to do, starting with the general lack of payphones.
//seriously, I can't recall the last time I saw one.
Roman Hussy was arrested attempting to charge the same users $50 an hour for 40 hours worth of work to "fix the system while recovering all the data."
How many seconds would you hesitate before you pressed it?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
ROFLMAO +5d12
Having to work for a living is the root of all evil.
Back about 10 years ago, a friend of mine once told me (and he probably lied...) of some instruction in Intel chips that is capable of frying motherboard or hard-drive or video-card or whatever, basically killing hardware. It was a common urban legend. Since then I learned more about computers and don't quite think it is possible to accomplish this feat, although would like to ask my fellow slashdotters: Is this possible, for a software to destroy the computer hardware? If yes, what mechanisms are possible to do that?
I predict a very close future where netizens contribute paypal micropayments toward the violent extermination of virus and trojan writers and users.
This will only be challenged by those who infiltrate their circles and do it for fun as a public service as is beginning now.
It may be a dark thought but, imagine the rush of hearing your hammer click back as you nuzzle the ear of Mr. Blackhat who is transferring all his assets to your favorite charity's account. Then a quick upload of a pic of his freshly brain-painted desk and remains to his old credit card numbers site with the message "Who's Next?"
Gawd, it makes me think of Christmas. Prolly the only ones pushing for prosecution would be businesses like creditreport.coms who profit from live rather than dead cockroaches.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
It doesn't self destruct, you could still install Linux or Free BSD.
Self destruct means destruction, not a trojan disabling another one (Windows in this case).
That would only be broken if you couldn't get at the battery. Bring a battery and throw it at them. After the Singularity, we'll have better batteries.
This feature has been in it for like forever. I am seriously disappointed how long it took for security "experts" to discover this.
This is from the readme (translated via google):
"kos - incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!"
Although I've heard the tower referred to as 'the hard drive', more often I seem to get people calling it 'the CPU'. I've stopped trying to correct people, but it still makes me cringe or have a confused brain freeze-up when somebody's case fan is going bad and they say that their hard drive or their CPU is making a funny noise ("Are you sure it's the CPU? Because...I don't, um, think that's...er.... Nevermind. I'll just come take a look at it.")
Unpleasantries.
But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert,
21 years old isn't old enough to be an expert at anything, unless he was some sort of child prodigy.
That's incest you freak!
Not a good thing at all.
Is that what you're trying to say?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Oh wait.. That was WGA
Reasonable assumptions about the state of the machine in question?
If the OS has been back-doored, assume that (there is a non-zero possibility that) anything bad that the system code can do has been done. If the system code can "refresh" the BIOS, assume that the BIOS itself has been "refreshed" with a "new" BIOS your friend doesn't really want.
(The only way I'd trust the BIOS after the OS has been holed is if there were a physical strap that ties the write signal to the BIOS flash RAM inactive. And not just a flag jumper; it must physically block writes to be safe. If the jumper can be overridden in software, you're not safe assuming it hasn't been. Or, if the BIOS is an actual ROM, so that it can't be flashed, period, then it might be trusted.)
If there is a restore partition, of course you must assume that there is a trojan and/or a back-doored OS in it, hidden in several places, so that even if you find one and remove it, one of the others will kick in and restore the backdoor.
I'd probably want to be very careful about the data on the computer. It's quite possible some video or sound file or such has malware hidden in it. Oh, and MSOffice documents and PDFs and ... .
I think the first thing I'd do is get the friend to get a Mac. Or get a new PC and install (maybe dual-boot) Linux on it. Get your friend used to using non-MS stuff.
Before you use the pwn3ed PC or the data that was on it again, clean both the BIOS and the internal disk(s).
Pull out the disk(s) of the pwn3d PC.
Download, if you can, a clean BIOS from the motherboard manufacturer, and re-flash the BIOS. (If you have a dual BIOS, you'll need to check that the inactive BIOS can't be "updated" by the OS.) If you can't, go get a free software BIOS and flash the BIOS with that, instead.
If you decide to buy new disks, don't install them until the BIOS has been cleaned.
From there, if you have an install CD for MSWindows that is not a copy of the restore partition that somebody burned for backup (after being possibly infected back before anyone noticed), you can install from that if you still have the stomach for it.
But I think, just to really be sure the malware gets walked on, I would install Ubuntu on it anyway. Default to using the whole disk, and select the option to manually check the partitions after it auto-partitions. Make sure the install will erase all the base partitions.
After installing Ubuntu (or maybe freeBSD or Fedora or openBSD, whatever) and kicking the tires, you can use the *nix OS to make sure no partitions are still hiding, and you can make sure the partition you think should be marked to boot is the one that really is marked to boot.
And then you can re-install MSWindows, if your friend really has the stomach for the risk. Of course, before you let him use it, you need to apply all the service packs and updates and load on an anti-virus/anti-malware purchased from a reputable company through a reputable store.
Then and only then, I'd let your friend start using that machine again.
The reason for buying a new machine? He needs to go around and log into all his on-line services and change passwords, and probably do so as soon as he can. And he really should only do that on a clean computer that he owns.
Oh, and make sure he doesn't re-use any passwords, whether on-line or for the computer itself. Maybe help him generate near-random passwords longer than 13 characters.
Now, that data. If your friend can be prevailed on to switch, and never use Microsoft software again, the data should be fairly safe. If not, he must prepare the OS to not mount autoexec before he mounts the disk to scan it. I'd suggest a USB-to-ATA converter to allow the thing to be hot mounted, but, then again, some versions of MSWindows will try to autoexec USB devices anyway, so you need to watch that. I think I'd go to the trouble of mounting a known-safe drive on the converter to test that it can be safely mounted, first.
Then I'd let the ant
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
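The "make sure no partitions are still hiding" and "the partition you think should be marked to boot really is" steps above, as an added example that is not the commenter's code: a Python parser for a classic MBR partition table that lists the four primary entries, flags partitions carrying a hidden type code, checks that exactly one entry carries the boot flag, and reports unallocated gaps large enough to hide a partition in. The 512-byte MBR it parses is constructed inline (one bootable NTFS partition followed by one hidden-type partition, on an assumed 500000-sector disk); on a real machine you would read sector 0 of the disk from a boot medium the malware never touched. GPT disks are outside what this example covers.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR

# Classic MBR type codes that mark a partition as "hidden" (the OS does not
# assign it a drive letter). Partial list; enough for this demonstration.
HIDDEN_TYPES = {
    0x11: "hidden FAT12", 0x14: "hidden FAT16", 0x16: "hidden FAT16B",
    0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
}


@dataclass
class Partition:
    index: int        # 1..4, slot in the primary table
    bootable: bool    # 0x80 boot flag set
    type_code: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:   # exclusive end sector
        return self.lba_start + self.sectors


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Decode the four primary entries; empty slots are skipped."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * ENTRY_SIZE
        # flag(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) count(4 LE)
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0 or count == 0:
            continue
        parts.append(Partition(i + 1, flag == 0x80, ptype, lba, count))
    return parts


def audit(parts: List[Partition], total_sectors: int, min_gap: int = 2048) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    boot = [p for p in parts if p.bootable]
    if len(boot) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(boot)}")
    for p in parts:
        if p.type_code in HIDDEN_TYPES:
            findings.append(f"partition {p.index} has hidden type 0x{p.type_code:02x} "
                            f"({HIDDEN_TYPES[p.type_code]})")
        if p.lba_end > total_sectors:
            findings.append(f"partition {p.index} extends past the end of the disk")
    # Walk the layout in LBA order looking for overlaps and unallocated space.
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.lba_start < cursor:
            findings.append(f"partition {p.index} overlaps an earlier partition")
        elif p.lba_start - cursor >= min_gap:
            findings.append(f"{p.lba_start - cursor} unallocated sectors before partition {p.index}")
        cursor = max(cursor, p.lba_end)
    if total_sectors - cursor >= min_gap:
        findings.append(f"{total_sectors - cursor} unallocated sectors after the last partition")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a block device or disk image (needs root on a real disk)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    # CHS fields are filled with 0xFF, as modern LBA-only tooling does.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                       b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)


def sample_mbr() -> bytes:
    """Constructed sample: bootable NTFS, then a hidden-type NTFS partition."""
    table = (_entry(True, 0x07, 2048, 204800)
             + _entry(False, 0x17, 300000, 100000)
             + bytes(ENTRY_SIZE) * 2)
    return bytes(MBR_TABLE_OFFSET) + table + BOOT_SIGNATURE


SAMPLE_DISK_SECTORS = 500000  # assumed size of the constructed sample disk

if __name__ == "__main__":
    parts = parse_mbr(sample_mbr())
    for p in parts:
        print(f"#{p.index} boot={p.bootable} type=0x{p.type_code:02x} "
              f"start={p.lba_start} end={p.lba_end}")
    for f in audit(parts, SAMPLE_DISK_SECTORS):
        print("finding:", f)
```

The 2048-sector threshold is chosen so that the usual alignment gap before the first partition is not reported; lower it if you want to see every unallocated run. Only a gap that the tooling on a trusted boot medium cannot explain deserves a closer look, since the commenter's point is that a wiped-and-repartitioned disk should contain exactly the partitions you created.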
The problem is the slashdotters are in an unresolvable emotional deadlock.
Do we cheer for destroying 100000 infested Windows installations, or do we rage at the crapware producers who make this possible...
I cheer to 100000 ignorant users who give a shit about keeping their machine up to date and making everyone's life miserable by spreading other trojans finally being removed from the net!