When Hacked PCs Self-Destruct
An anonymous reader writes "From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"
It looks like slashdot was taken down by the self destruct too!
Hackers can turn your home computer INTO A BOMB
All versions of Windows are affected by this self-destruct bug,
BY DEFAULT!!!!
There are many series of commands that can make your machine unwillingly self destruct...
All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
I want a list of atrocities done in your name - Recoil
this could actually be a good thing if it happens.
This is mostly speculation so take with as much salt as you think it needs.
Historically, there's not been an obvious connection in the mind of a user whose PC has been hacked with there being a serious problem with this. After all, most home users are probably unaware that their computer is participating in a huge DDOS attack in the first place, and ISPs have been very reluctant to police their customers.
I don't think credit card fraud through keyloggers is anywhere near prevalent enough to make people take notice either. Let's face it, a trojan which installs a keylogger and reports anything which looks like credit card details back to a known location is going to produce more valid credit card details in the space of a couple of weeks than most people could hope to use in a lifetime of fraud so even if your card details are stolen this way, I'm not sure there's a huge chance they'll ever be used.
But if the trojan hoses the host PC along with all the family photographs and all the music they've paid good money for - ah, now that might actually make people realise that there's a problem.
The next "I'm a PC, I'm a Mac" commercial is gonna rule!
Mac: Umm... PC.... why are you stabbing yourself repeatedly with that pen...
Georgia Tech, the leader in Chia(tm) technology.
Could you screw with the voltage and thermal thresholds to cause a system to literally self destruct?
The way you say that makes it sound like it's a bad thing...
So, essentially, you're telling me that people who get infected are at risk of losing their PC's data. People unable or unwilling to keep their PCs secure might suffer the consequences thereof themselves instead of only posing a threat to others on the net, through spam, DDoS or spreading more malware.
Care to explain where the negative aspect is?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Has anyone else noticed the degree of sensationalism in /. headings has risen considerably lately?
Finally, home PC security will be taken seriously.
Come on, we know it works like that. Nobody takes the common flu seriously, because most of the time it doesn't hurt much - did you know that the common flu kills many thousands every year? More people died from flu in 2001 in the USA than from the 9/11 terror attacks.
But when swine flu shows up, or bird flu, or whatever this years influenza variant is, that is frontpage news.
Why should computer viruses be any different?
Assorted stuff I do sometimes: Lemuria.org
The things Microsoft will do to make you upgrade to Vista :)
All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
In fact it could prompt someone to install Linux afterwards
Looks like either the majority of slashdotters, or the slashdot servers, self destructed.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
There's at least one other reason that the botnet holder may have opted to kill it... If he downloaded something that gave him a reason to freak out. Imagine a scenario where you're looking through some stolen data and realize you just picked up information about a government run weapons facility or assassination plans. The dumbest thing you could do is leave tracks, but since that's already been done, you might as well try to destroy your tracks and hope nobody notices.
On a side note, between the semi-bogus slashdot headline and the wildly sensationalized article, which is also misleading on at least a couple of points, there's surprisingly little news here. If more accurate information were in that article, it might be different.
- Nobody would know what RTFA meant if it didn't need to be said all the time
The summary and TFA are rather light on the details I wanted. Here's what you need to know about Zeus:
It's a Trojan that takes over Windows computers. It is being spread through phishing tricks. It is designed to be easy to use, so script kiddies can just pay US$700 to get the Zeus kit and start building botnets to steal data such as credit card numbers.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310679,00.html
One feature of Zeus is the "kos" command, for "kill operating system". This wipes out the Windows Registry and the OS files. Usually, black hat hackers don't want to kill systems they 0wn, but recently Roman Hüssy saw a whole botnet get the kos command. TFA listed three possible reasons for this: 0) rival black hat hackers might have gained enough control of a botnet to issue the kos command, to deny the botnet to its 0wners; 1) the hackers might have issued the kos command by mistake or due to incompetence; or 2) the hackers issued the kos to cover their tracks, and give them more time to use stolen data.
That last theory makes some sense to me. If the system is still intact, the owner of the system may figure out that his system was 0wned. The kos will wipe out the evidence of Zeus as well as the OS, so all the owner really knows is that Windows really crashed hard this time.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
Go home dad, you're drunk.
I am the lawn!
The problem is the slashdotters are in an unresolvable emotional deadlock.
Do we cheer for destroying 100000 infested Windows installations, or do we rage at the crapware producers who make this possible...
The Commodore PET was one box with integrated monitor and processor, and the monitor focus could be adjusted in software. It was possible to reduce the scan of the CRT to just the centre of the monitor, which (I am told) burnt a dead area in the middle of the monitor fairly quickly.
Wouldn't meet the "useless" measure, but would be very annoying and permanent physical damage. (You could probably mess up the disk head alignment pretty badly too, but that can be fixed.)
It's the only way to be sure.
To be a bit more serious what I mean by "from orbit" is run everything from some sort of media that the malware never had a chance of touching - preferably a completely different OS on read only media. Then the partitions go and the new ones get formatted before use etc etc.
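Two posts above belong together: steveha's point that the kos command wipes the Registry and the OS files, and with them the evidence that Zeus was ever there, and the "from orbit" rule of working only from clean read-only media before the partitions go. The step that sits between those two is to image the disk first, so that whatever kos left behind survives the reinstall and can be examined later. The following is an added example, not code from the Washington Post piece or from any poster here. It assumes a Linux live system on which the victim disk shows up as a block device (os.pread is not available on Windows); the zero-fill bad-block policy, the `max_bad` cut-off, the sidecar file name and the stand-in "disk" built in `demo()` are all this example's own constructions.

```python
"""Image the disk before wiping it, hashing as you go.

Added example, not code from the article or from any poster here: a
minimal read-only acquisition of a block device into an image file,
meant to run from a clean live system before the partitions are
destroyed. The bad-block policy, file names and the stand-in "disk"
built in demo() are this example's own assumptions.
"""
import hashlib
import os
import tempfile


def acquire_image(src, dst, block_size=1 << 20, max_bad=64, reader=os.pread):
    """Copy src (a block device or file) to dst one block at a time.

    Returns (bytes_written, sha256_hex, bad_offsets). An unreadable
    block is replaced by zeros so the image keeps the device's
    geometry, and its offset is recorded so the gap is documented.
    The hash covers exactly the bytes written to dst, and a sidecar
    dst.sha256 is written in sha256sum format for later checking.
    `reader` exists so a failing device can be simulated (see demo()).
    """
    digest = hashlib.sha256()
    bad_offsets = []
    written = offset = 0
    fd = os.open(src, os.O_RDONLY)  # evidence is opened read-only, never O_RDWR
    try:
        with open(dst, "wb") as out:
            while True:
                try:
                    chunk = reader(fd, block_size, offset)
                except OSError as exc:
                    if len(bad_offsets) >= max_bad:
                        raise RuntimeError(
                            f"giving up after {max_bad} unreadable blocks "
                            f"(last at offset {offset}): {exc}") from exc
                    bad_offsets.append(offset)
                    chunk = bytes(block_size)  # zero fill, keep geometry
                if not chunk:
                    break  # end of device
                out.write(chunk)
                digest.update(chunk)
                written += len(chunk)
                offset += len(chunk)
    finally:
        os.close(fd)
    sha = digest.hexdigest()
    with open(dst + ".sha256", "w") as side:
        side.write(f"{sha}  {os.path.basename(dst)}\n")  # `sha256sum -c` format
    return written, sha, bad_offsets


def verify_image(dst, block_size=1 << 20):
    """Re-hash dst and compare it with its .sha256 sidecar."""
    with open(dst + ".sha256") as side:
        expected = side.read().split()[0]
    digest = hashlib.sha256()
    with open(dst, "rb") as img:
        for chunk in iter(lambda: img.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected


def demo(fail_block=None, block_size=64 * 1024):
    """Acquire a constructed 1 MiB stand-in for a disk; optionally make
    one block unreadable to show how the gap is handled."""
    data = bytes(range(256)) * 4096  # constructed 'disk' contents
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "fake_disk")
    dst = os.path.join(workdir, "evidence.img")
    with open(src, "wb") as f:
        f.write(data)

    def flaky_pread(fd, n, off):
        # Simulated media error on one block, standing in for a bad sector.
        if fail_block is not None and off == fail_block * block_size:
            raise OSError(5, "Input/output error")
        return os.pread(fd, n, off)

    written, sha, bad = acquire_image(src, dst, block_size, reader=flaky_pread)
    return {
        "written": written,
        "bad_offsets": bad,
        "matches_source": sha == hashlib.sha256(data).hexdigest(),
        "sidecar_verifies": verify_image(dst),
    }


if __name__ == "__main__":
    print(demo())
    print(demo(fail_block=3))
```

On a real case the call is `acquire_image("/dev/sdb", "/mnt/usb/victim.img")` with the output on a separate drive, and the sidecar lets anyone later run `sha256sum -c victim.img.sha256`. The `max_bad` limit is there because a device that errors on every read would otherwise produce an endless image of zeros; the recorded offsets are what you write into the acquisition notes.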
Of course the above poster knew that even though the victim of the anecdote didn't.
Of course. MS Windows security is like her underwear. Even when it is on it is excessively complicated, doesn't cover much and is very easy to remove.
Just stop all the fans on cpu and gfx cards.
Use 100% cpu, and tax the GFX core.
Send some hardcore full power commands to all USB devices, or use full IO in usb devices.
Make the HD seek from end to end for as long as possible.
Send power save on / off commands real fast to the LCD until it dies.
Spin the dvdrom up too, or turn on its laser, without a CD in it.
That baby will melt in minutes.
Liberty freedom are no1, not dicks in suits.
It means you go everywhere reeaaaalllllyyy slloooooowllly...
I've said for years - viruses are boring nowadays. There's so much *potential* for a really well-written, modular virus to wreak worldwide havoc but nobody's done it. Imagine a virus that inspects local hardware/software and downloads a set of hashed filenames for that data, each of which attacks that specific element of the computer and is updated regularly. E.g. it spots that you have a processor with an old errata bug, downloads the module for it (anonymous P2P) and uses that to gain admin privileges, or it sees a new update to McAfee and the download requests for that hash spark the original author's (or a random stranger's) interest and they write a new module to counteract whatever workaround has been put in place which *all* machines instantly start benefitting from.
In terms of permanent hardware damage:
Overwriting the HPAs on the disk drive? That could cause some fun.
Bad flash (hard to do with BIOS, and BIOS options to prevent it) - anything with firmware on basically - e.g. RAID cards, USB devices, even network routers!
Using weaknesses in hardware configurations (e.g. the IBM ThinkPads that could be bricked by a perfectly valid, but unexpected, I2C write to one of their EEPROM chips - beyond non-IBM repair, I might add). Writing infinitely to Flash drives (would you notice a small process that starts 10 secs after you insert a USB drive and just reads and rewrites every block of data for ever?) or SSDs. Even Ubuntu nearly trashed people's drives by accident by repeatedly spinning them down and back up and making the SMART data go through the roof.
Using weaknesses in hardware *control* (e.g. overclocking everything, temperature monitoring, fan control, etc. but it's harder to damage a chip permanently nowadays because they are designed to slowdown/shutoff under extreme conditions - you'd almost certainly be able to cause an extreme nuisance, though).
Possibly (although this is *unlikely*) trying to do things like create power surges on the buses by repeatedly activating and shutting down hardware with various timings while watching the voltages on the lines, to see if you can cause an overload. I think that spinning disks/CD's + spinning fans + various heavy-duty CPU/GPU work etc. might well be able to take out some of the cheaper power supplies in a lot of machines.
Even things like setting the BIOS to boot from PXE first, then ZIP, then floppy, then CDROM would be enough to flummox 99% of users who would think that their machine had broken because it doesn't get into Windows, etc.
The most interesting concept to me would be to take out other hardware - maybe flash a printer with all 1's, or re-flash the local ADSL router or similar. So much stuff has firmware nowadays that it shouldn't be too difficult to wreak some havoc with just a big database of MACs/ports/firmware specifications for some of the more popular types. Imagine a virus that (on discovering attempts to remove it) not only takes out your computer, but bad-flashes your printers, network hardware and iPod first! That'd make you think twice about automated anti-virus software or manual cleanup instead of just "reformat, reinstall".
hip hip...
The problem is the slashdotters are in an unresolvable emotional deadlock.
Do we cheer for destroying 100000 infested Windows installations, or do we rage at the crapware producers who make this possible...
Dude, Obama's in office -- we can have it all.
I beg to differ, given the example in the same post you just replied to. Anything that registers to *read* a file in Explorer can spawn *real* processes (i.e. full copies of Adobe Reader) in the background in order to extract... the Author, Title, maybe a thumbnail.
I would call that "without your knowledge" (I don't remember seeing a security popup for that, even with non-privileged executables), "beyond reasonable means of disabling such facilities" (without uninstalling the entire damn program, or fiddling with associations by hand, and even they're just guesswork to what it actually would do) and "automatic" (I don't remember ever seeing *anything* tell me that it would be loading up every time I hover over a file in explorer). I'd add "out of your control" if you're a non-techy user, which is who Windows is *designed* for.
Additionally, this is STILL where 99% of viruses are coming from and the methods they are using to propagate. Don't kid yourself that you'll *always* get a popup for these things, even with UAC. It's just NOT true. There are an unbelievable number of things running all the time that you have so little control over, they are effectively automatic and unstoppable to the vast majority of users. Hell, most users can't even stop LEGITIMATE apps like Quicktime, Realplayer, Java, etc. from running on startup and putting themselves in the taskbar without cancelling the setup entirely. It's up to the *application* to provide that interface most of the time, with a handful of registry locations / undocumented programs for the experienced user.
So you have two options. Never install software on Windows (might as well be running Linux, then!) or install software which puts itself into places you stand little-to-no hope of ever finding out / removing / undoing.
Install fresh machine. Put to latest patch level. Tell user to click everything they find online (but never "Yes" to a security dialog), insert every USB flash device they ever come across into it. Do you think they'll last a week before it blows up in their face? Do you think they can still get *anything* done?
(I'll tell you now, my non-Windows machines pass that test quite, quite flawlessly... Mac is the closest to having problems in that regard)
Install fresh machine. Put to latest patch level. Install bunch of commonly used programs from trusted sources in order to be able to run most websites, most programs out there. Don't install anything else. How much CRAP is in your taskbar that you can't *easily* get rid of without running the program in question and relying on there being a "don't run on startup" option? THIS IS A CONSUMER OS. Doing something *simple* like accidentally installing one antivirus program while another is running will bring a Windows machine to a complete, unusable halt (I've even dealt with bluescreens because of that exact situation) out of which the user has little hope of recovering without professional help.
Operating systems have two choices: Expect arbitrary executables, and cover your arse as much as you can so that the *user* is always in control. Or forbid arbitrary executables.
The second one is what businesses, governments, and the military should be using. Everyone else needs *real* uninstall, proper program sandboxing, a "Task Manager" that cannot be intercepted or delayed no matter what the computer is doing, the facility to bypass, turn off, or otherwise disable ANY change that's made to the system without having to know what that was. (i.e. a "Last Known Good Configuration" that includes only the software installed at that time).
It really comes to something when I can spend an hour waiting for a PC to load because the user has filled it up with (non-damaging) cruft on their own accounts and it takes *literally* hours to fix, even in "Safe Mode". Too much opportunity for crap, not enough control.
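The "handful of registry locations" the post above refers to are, first of all, the Run and RunOnce keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. The usual way to review them without trusting the (possibly compromised) machine's own tools is to export them with `reg export` and read the export somewhere else. What follows is an added example, not code written by the poster or anyone else on this page: a parser for the Registry Editor export format, plus a heuristic that flags autostart values launching from user-writable locations. The sample export, the value names in it and the list of "user-writable" markers are constructed for this example; the flag is a prompt to look, not a verdict, since legitimate per-user software such as OneDrive lives under AppData as well.

```python
"""Offline review of Windows autostart registry entries.

Added example, not code written by any poster on this page. It parses
a Registry Editor export (the format `reg export` writes) of the
Run/RunOnce keys and flags values that launch from user-writable
locations. The sample export and the path heuristic are constructed
for this example.
"""

# Lower-cased substrings meaning "launches from somewhere a non-admin
# user can write". A heuristic: legitimate per-user apps live there
# too, so a hit means "go and look", not "this is malware".
USER_WRITABLE_MARKERS = (
    "%appdata%", "%localappdata%", "%temp%", "%userprofile%",
    "\\users\\", "\\programdata\\",
)


def _unescape(s):
    # Undo .reg string escaping: a doubled backslash is one backslash,
    # a backslash-quote is a literal quote.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_name(line):
    # Split '"Name"=payload' (or '@=payload' for the default value).
    if line.startswith("@="):
        return "", line[2:]
    j = 1
    while j < len(line) and line[j] != '"':
        j += 2 if line[j] == "\\" else 1  # skip escaped chars inside the name
    return _unescape(line[1:j]), line[j + 2:]  # j is the closing quote, j+1 is '='


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"'):                                  # REG_SZ
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):                             # REG_DWORD
        return int(raw[6:], 16)
    if raw.startswith("hex(2):") or raw.startswith("hex(7):"):
        # REG_EXPAND_SZ / REG_MULTI_SZ: comma-separated UTF-16LE bytes
        text = bytes.fromhex(raw.split(":", 1)[1].replace(",", "")).decode("utf-16-le")
        if raw.startswith("hex(7):"):
            return [part for part in text.split("\x00") if part]
        return text.rstrip("\x00")
    if raw.startswith("hex:"):                               # REG_BINARY
        return bytes.fromhex(raw[4:].replace(",", ""))
    return raw                                               # anything else, verbatim


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):  # hex values wrap with a trailing '\'
            line = line[:-1] + lines[i].strip()
            i += 1
        name, raw = _split_name(line)
        keys[current][name] = decode_value(raw)
    return keys


def suspicious_autostarts(keys):
    """Return (key, name, command) for entries launched from user-writable paths."""
    hits = []
    for key, values in keys.items():
        for name, value in values.items():
            command = value if isinstance(value, str) else ""
            if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
                hits.append((key, name, command))
    return hits


def load_reg(path):
    """Read a real export; reg.exe writes UTF-16LE with a byte-order mark."""
    with open(path, encoding="utf-16") as f:
        return parse_reg(f.read())


# Constructed sample standing in for `reg export` output of the Run keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"SysHelper"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\
  73,00,79,00,73,00,68,00,65,00,6c,00,70,00,65,00,72,00,2e,00,65,00,78,00,65,00,\
  00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\joe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Downloader"="C:\\Users\\joe\\AppData\\Local\\Temp\\dl.exe"
'''

if __name__ == "__main__":
    for key, name, command in suspicious_autostarts(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name} -> {command}")
```

On a real machine the exports come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" hklm-run.reg` and the same for RunOnce and the HKCU keys, and `load_reg()` reads them; the hex(2) branch matters because REG_EXPAND_SZ entries such as `%APPDATA%\...` are exactly the ones that hide where they really point.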
Cheer that the Windows Malware has escalated to the point that MAYBE, just MAYBE the average joe will pay attention.
Hey, Joe! yeah you! Windows machines can be destroyed by viruses.
Nahhh. I doubt it. These morons will still click on every pop-up and run every attachment sent to them.
"it told me my virus definitions was out of date in a shaking windows box. The computer must have been scared! so I clicked on it!"
Do not look at laser with remaining good eye.
Define bloat. Hard disc space? Not at all. RAM? Not at all. Executable size? Not at all.
It would only need a tiny program capable of reading PCI IDs and program names, maybe even Windows patch levels, a hashing algorithm and a built-in P2P facility. It would be *smaller* than most viruses which tend to be written in bloat-ridden languages like VB. A megabyte of executable means *nothing* anymore and you can barely see it transfer/run. I've seen 20-50MB installers for single files, for God's sake.
Everything else would be stored on a P2P network (like Conficker does), for which the virus itself could easily suck a hundred megs or so of temporary disk space from every infected machine with nobody noticing. The rest is downloaded on an as-needed basis by the virus, based on the hashes of the programs it sees running and the hardware it sees installed. It downloads *just* those exploit modules (which, being modular, need do nothing more than compromise the program/hardware required and return administrative control to the original virus). It would come with, say, one built-in compromise which it uses to get into machines and once on-board distributes multiple versions of itself (possibly with a *different*, random built-in compromise in each one, so that it becomes autonomously updating and spreading).
Want to take advantage of a new vulnerability? Release a signed, hashed file onto the P2P network and watch it explode on millions of existing and new machines. Those machines already infected will pick up the new file and create derivatives for you, or use it to gain admin privileges if the machine they are on has the right hardware/software combination. For additional resiliency, have it track which are the most common types of successful infections over time and bias its "generator" towards those (remember when virus meant "self-replicating"?). That way "new" compromises get more of a workout, and "successful" compromises are the mass that keep the rest of the swarm ticking over.
Get an assembler programmer to do it for you and you could do it in *literally* kilobytes by taking advantage of internal Windows libraries. Do it in VB or some large language and have it in under a meg. You can't even *see* the loading time for a 1MB executable any more, unless it's off a floppy or something.
Normally, that answer comes from parents, and is a code for "I took the batteries out so that damn noise would stop."
Why, without your clothes, you're naked, Miss Dudley!
I'd say you're right, considering that a disturbingly large percentage of Windows users I know think that their monitor is the "computer" and the mini-tower is "the hard drive." Even after I've explained it 100 times. They just look at me like, "yeah, right, Mr. Know-it-all!"
:q!
There was a virus for the Amiga that executed the HCF instruction (jokingly dubbed 'halt and catch fire') which could cause the Amiga to overheat and fry - This did not have a 100% success rate.
There was also another old virus, being for Windows, that told the system to turn off the CPU fan, which caused older AMD processors to fry almost a minute after.
Unfortunately, I can't remember the names of either virus. But! I know of CIH, also known as Chernobyl or Spacefiller, which did have a tendency to corrupt the BIOS on some affected systems, bricking them.
Change is certain; progress is not obligatory.