When Hacked PCs Self-Destruct
An anonymous reader writes "From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"
It looks like slashdot was taken down by the self destruct too!
Hackers can turn your home computer INTO A BOMB
All versions of windows are affected by this self-destruct bug,
BY DEFAULT!!!!
There are many series of commands that can make your machine unwillingly self-destruct...
All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
I want a list of atrocities done in your name - Recoil
This could actually be a good thing if it happens.
This is mostly speculation so take with as much salt as you think it needs.
Historically, there's not been an obvious connection in the mind of a user whose PC has been hacked with there being a serious problem with this. After all, most home users are probably unaware that their computer is participating in a huge DDOS attack in the first place, and ISPs have been very reluctant to police their customers.
I don't think credit card fraud through keyloggers is anywhere near prevalent enough to make people take notice either. Let's face it, a trojan which installs a keylogger and reports anything which looks like credit card details back to a known location is going to produce more valid credit card details in the space of a couple of weeks than most people could hope to use in a lifetime of fraud so even if your card details are stolen this way, I'm not sure there's a huge chance they'll ever be used.
But if the trojan hoses the host PC along with all the family photographs and all the music they've paid good money for - ah, now that might actually make people realise that there's a problem.
The next "I'm a PC, I'm a Mac" commercial is gonna rule!
Mac: Umm... PC.... why are you stabbing yourself repeatedly with that pen...
Georgia Tech, the leader in Chia(tm) technology.
Could you screw with the voltage and thermal thresholds to cause a system to literally self destruct?
The way you say that makes it sound like it's a bad thing...
So, essentially, you're telling me that people who get infected are at risk of losing their PC's data. People unable or unwilling to keep their PCs secure might suffer the consequences thereof themselves instead of only posing a threat to others on the net, through spam, DDoS or spreading more malware.
Care to explain where the negative aspect is?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Finally, home PC security will be taken seriously.
Come on, we know it works like that. Nobody takes the common flu seriously, because most of the time it doesn't hurt much - did you know that the common flu kills many thousands every year? More people died from flu in 2001 in the USA than from the 9/11 terror attacks.
But when swine flu shows up, or bird flu, or whatever this year's influenza variant is, that is front-page news.
Why should computer viruses be any different?
Assorted stuff I do sometimes: Lemuria.org
The things Microsoft will do to make you upgrade to Vista :)
Looks like either the majority of slashdotters, or the slashdot servers, self destructed.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
There's at least one other reason that the botnet holder may have opted to kill it... if he downloaded something that gave him a reason to freak out. Imagine a scenario where you're looking through some stolen data and realize you just picked up information about a government-run weapons facility or assassination plans. The dumbest thing you could do is leave tracks, but since that's already been done, you might as well try to destroy your tracks and hope nobody notices.
On a side note, between the semi-bogus Slashdot headline and the wildly sensationalized article, which is also misleading on at least a couple of points, there's surprisingly little news here. If more accurate information were in that article, it might be different.
- Nobody would know what RTFA meant if it didn't need to be said all the time
The summary and TFA are rather light on the details I wanted. Here's what you need to know about Zeus:
It's a Trojan that takes over Windows computers. It is being spread through phishing tricks. It is designed to be easy to use, so script kiddies can just pay US$700 to get the Zeus kit and start building botnets to steal data such as credit card numbers.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1310679,00.html
One feature of Zeus is the "kos" command, for "kill operating system". This wipes out the Windows Registry and the OS files. Usually, black hat hackers don't want to kill systems they 0wn, but recently Roman Hüssy saw a whole botnet get the kos command. TFA listed three possible reasons for this: 0) rival black hat hackers might have gained enough control of a botnet to issue the kos command, to deny the botnet to its 0wners; 1) the hackers might have issued the kos command by mistake or due to incompetence; or 2) the hackers issued the kos to cover their tracks, and give them more time to use stolen data.
That last theory makes some sense to me. If the system is still intact, the owner of the system may figure out that his system was 0wned. The kos will wipe out the evidence of Zeus as well as the OS, so all the owner really knows is that Windows really crashed hard this time.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
Go home dad, you're drunk.
I am the lawn!
The problem is the slashdotters are in an unresolvable emotional deadlock.
Do we cheer for destroying 100,000 infested Windows installations, or do we rage at the crapware producers who make this possible...
The Commodore PET was one box with integrated monitor and processor, and the monitor focus could be adjusted in software. It was possible to reduce the scan of the CRT to just the centre of the monitor, which (I am told) burnt a dead area in the middle of the monitor fairly quickly.
Wouldn't meet the "useless" measure, but would be very annoying and permanent physical damage. (You could probably mess up the disk head alignment pretty badly too, but that can be fixed.)
Of course. MS Windows security is like her underwear. Even when it is on it is excessively complicated, doesn't cover much and is very easy to remove.
It means you go everywhere reeaaaalllllyyy slloooooowllly...
Dude, Obama's in office -- we can have it all.
I beg to differ, given the example in the same post you just replied to. Anything that registers to *read* a file in Explorer can spawn *real* processes (i.e. full copies of Adobe Reader) in the background in order to extract... the Author, Title, maybe a thumbnail.
I would call that "without your knowledge" (I don't remember seeing a security popup for that, even with non-privileged executables), "beyond reasonable means of disabling such facilities" (without uninstalling the entire damn program, or fiddling with associations by hand, and even they're just guesswork to what it actually would do) and "automatic" (I don't remember ever seeing *anything* tell me that it would be loading up every time I hover over a file in explorer). I'd add "out of your control" if you're a non-techy user, which is who Windows is *designed* for.
Additionally, this is STILL where 99% of viruses are coming from and the methods they're using to propagate. Don't kid yourself that you'll *always* get a popup for these things, even with UAC. It's just NOT true. There are an unbelievable number of things running all the time that you have so little control over, they are effectively automatic and unstoppable to the vast majority of users. Hell, most users can't even stop LEGITIMATE apps like QuickTime, RealPlayer, Java, etc. from running on startup and putting themselves in the taskbar without cancelling the setup entirely. It's up to the *application* to provide that interface most of the time, with a handful of registry locations / undocumented programs for the experienced user.
So you have two options. Never install software on Windows (might as well be running Linux, then!) or install software which puts itself into places you stand little-to-no hope of ever finding out / removing / undoing.
Install fresh machine. Put to latest patch level. Tell user to click everything they find online (but never "Yes" to a security dialog), insert every USB flash device they ever come across into it. Do you think they'll last a week before it blows up in their face? Do you think they can still get *anything* done?
(I'll tell you now, my non-Windows machines pass that test quite, quite flawlessly... Mac is the closest to having problems in that regard)
Install fresh machine. Put to latest patch level. Install bunch of commonly used programs from trusted sources in order to be able to run most websites, most programs out there. Don't install anything else. How much CRAP is in your taskbar that you can't *easily* get rid of without running the program in question and relying on there being a "don't run on startup" option? THIS IS A CONSUMER OS. Doing something *simple* like accidentally installing one antivirus program while another is running will bring a Windows machine to a complete, unusable halt (I've even dealt with bluescreens because of that exact situation) out of which the user has little hope of recovering without professional help.
Operating systems have two choices: Expect arbitrary executables, and cover your arse as much as you can so that the *user* is always in control. Or forbid arbitrary executables.
The second one is what businesses, governments, and the military should be using. Everyone else needs *real* uninstall, proper program sandboxing, a "Task Manager" that cannot be intercepted or delayed no matter what the computer is doing, the facility to bypass, turn off, or otherwise disable ANY change that's made to the system without having to know what that was. (i.e. a "Last Known Good Configuration" that includes only the software installed at that time).
It really comes to something when I can spend an hour waiting for a PC to load because the user has filled it up with (non-damaging) cruft on their own accounts and it takes *literally* hours to fix, even in "Safe Mode". Too much opportunity for crap, not enough control.
Cheer that the Windows Malware has escalated to the point that MAYBE, just MAYBE the average joe will pay attention.
Hey, Joe! yeah you! Windows machine can be destroyed by viruses.
Nahhh. I doubt it. These morons will still click on every pop-up and run every attachment sent to them.
"it told me my virus definitions was out of date in a shaking windows box. The computer must have been scared! so I clicked on it!"
Do not look at laser with remaining good eye.
Define bloat. Hard disc space? Not at all. RAM? Not at all. Executable size? Not at all.
It would only need a tiny program capable of reading PCI IDs and program names, maybe even Windows patch levels, a hashing algorithm and a built-in P2P facility. It would be *smaller* than most viruses, which tend to be written in bloat-ridden languages like VB. A megabyte of executable means *nothing* anymore and you can barely see it transfer/run. I've seen 20-50 MB installers for single files, for God's sake.
Everything else would be stored on a P2P network (like Conficker does), for which the virus itself could easily suck a hundred megs or so of temporary disk space from every infected machine with nobody noticing. The rest is downloaded on an as-needed basis by the virus, based on the hashes of the programs it sees running and the hardware it sees installed. It downloads *just* those exploit modules (which, being modular, need do nothing more than compromise the program/hardware required and return administrative control to the original virus). It would come with, say, one built-in compromise which it uses to get into machines and once on-board distributes multiple versions of itself (possibly with a *different*, random built-in compromise in each one, so that it becomes autonomously updating and spreading).
Want to take advantage of a new vulnerability? Release a signed, hashed file onto the P2P network and watch it explode on millions of existing and new machines. Those machines already infected will pick up the new file and create derivatives for you, or use it to gain admin privileges if the machine they are on has the right hardware/software combination. For additional resiliency, have it track which are the most common types of successful infections over time and bias its "generator" towards those (remember when virus meant "self-replicating"?). That way "new" compromises get more of a workout, and "successful" compromises are the mass that keep the rest of the swarm ticking over.
Get an assembly programmer to do it for you and you could do it in *literally* kilobytes by taking advantage of internal Windows libraries. Do it in VB or some large language and have it in under a meg. You can't even *see* the loading time for a 1 MB executable any more, unless it's off a floppy or something.
Normally, that answer comes from parents, and is a code for "I took the batteries out so that damn noise would stop."
Why, without your clothes, you're naked, Miss Dudley!