Slashdot Mirror


New Russian Botnet Tries To Kill Rivals

alphadogg writes "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the FBI estimating last October that they have caused $100 million in losses."

31 of 136 comments

  1. Why is this news? by Anonymous Coward · · Score: 3, Insightful

    Trojans, worms and viruses have been eliminating rivals for a long time. It's all part of the strategy to avoid being detected. The slower a system gets and the more unwanted traffic it generates, the more likely it will be analyzed in depth, and that's not good for the botnet.

    Apparently we've decided to go the "natural" route in software security: Instead of making software which cannot be compromised, we do a "good enough" job with software quality and then fight infections with some kind of immune system. IMHO this is the root of the problem. Computers are not highly redundant systems like biological systems. We really ought to create software which is safe by design.

    1. Re:Why is this news? by Conchobair · · Score: 5, Insightful

      I think there is a guy that just goes around from article to article asking "Why is this news?" on each of them.

      If it was a local report about a murder, he'd show up and say "Why is this news? People have been getting murdered for several years now." Or if it was a report on a politician's speech, he'd say, "Why is this news? Politicians have been telling us lies for years and years now."

    2. Re:Why is this news? by conspirator57 · · Score: 2, Insightful

      But doing it the right way front-loads cost on the company that builds the correct system and places them at a competitive disadvantage with respect to shoddy software firms, say for example Microsoft and Apple.

      Besides, there is secure-by-design software. It just lacks features, which makes it less competitive. Alternatively you can put a feature-rich OS on top of it, but then you've compartmentalized the problem, not eliminated it. Plus it's damned expensive. http://www.ghs.com/products/rtos/integrity_virtualization.html

      Myself, I like FreeBSD as a compromise. It's not provably correct, but its 2-3 known exploitable bugs in 10+ years are a good empirical indication of security. And it's free.

      --
      "If still these truths be held to be
      Self evident."
      -Edna St. Vincent Millay
    3. Re:Why is this news? by Imrik · · Score: 3, Funny

      Why is this postworthy? People have been asking "Why is this news?" for years now.

    4. Re:Why is this news? by flyneye · · Score: 2, Funny

      Because the enemy of my enemy is my friend...wait.. the enemy of my enemy is my..the enemy of my friend...oh forget it. How about an antivirus worm that searches them all out and hoses them down like a hot bath of p*ss till there is no point to the black hat vocation.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    5. Re:Why is this news? by Opportunist · · Score: 3, Insightful

      Not possible.

      Why? Because the core problem with system security is no longer the technical side. Systems (yes, even Windows) are by now mostly secure. Of course, there's always the odd security hole and some even get used, but they don't represent the majority of entry points anymore, not by a long shot. Over 90% of the infections (source not available due to NDA) are due to what I endearingly call "user stupidity". See the "dancing pigs" problem of computer security for reference.

      That is something you cannot sensibly protect against, no matter how you create your product, unless you do not allow the owner of a computer to execute code he wants to run. And that's something I would not agree with under any circumstances, since it would mean that someone else gets to dictate what I can and what I cannot do with a machine I bought and own.

      And I am fairly sure the majority of people here would easily identify the problem with that.

      OTOH, if people may do what they want with their machine you can NOT protect them against an infection. You can of course inform them whenever something wants undue privileges, but eventually they will be the ones deciding what privileges they want to grant. And it's easy to trick people into granting more privileges than necessary. People are used to mere games requiring administrator privileges in Windows. If for nothing else, then to install their DRM device drivers. Imagine they got some "crack" for Windows that claims to turn their copy into a fully registered, legal copy. Will they grant access to manipulate core system files, even if they are able to understand the information provided? Of course they will, because after all that's what the program promises.

      Now imagine Joe Randomuser with just enough clue to hit the right button on the machine to turn it on without blowing it up getting the information that Shlabberdup.exe wants access to the thingamajig privileges, allow or deny? Joe learned that usually it "does not work" if he says deny, so he says allow. Because he wants his pig to dance.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Why is this news? by ZzzzSleep · · Score: 2, Informative

      I'm sure we'll reach Curious Yellow at some point, just not yet.

  2. XKCD was there first by thegameiam · · Score: 4, Insightful

    How long will it be until this is a reality?

    --
    Need Geek Rock? Try The Franchise!
    1. Re:XKCD was there first by jgtg32a · · Score: 4, Insightful

      Is it bad that when someone posts an XKCD link I only click on it to confirm that it was the one I thought it was?

  3. Botnets fighting botnets... by Anonymous Coward · · Score: 3, Interesting

    Why isn't this kind of technology being used to fight botnets? Couldn't a program be released using virus-like means to disseminate itself, and try to eliminate malicious software wherever it finds it? Sort of like a distributed-computing project, with each peer actively trying to disseminate a "counter-virus"? Or "antibodies", if you will?

    1. Re:Botnets fighting botnets... by grapeape · · Score: 4, Informative

      The problem is ethics... both would be considered intruders, even if one is of the White Hat variety. Unfortunately it seems impossible to find ethically against something unethical, so instead we all just sit around and complain about it while the problem gets worse.

    2. Re:Botnets fighting botnets... by clone53421 · · Score: 3, Informative

      Because it’s illegal.

      People trying to do good generally won’t risk going to jail for it.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  4. It's evolution in action. by VShael · · Score: 3, Informative

    They are competing for resources (which may or may not be scarce) and one can now prey on the other.

    Either evolve a defence, or die out.

    (Oblig tag)
    That's evolution in a nutshell. Note that no one is claiming the programs spontaneously emerged into cyberspace. Evolution has nothing to say about the origin of life. Abiogenesis is not Evolution.

    1. Re:It's evolution in action. by VShael · · Score: 2, Insightful

      No, I don't think so.
      It doesn't matter how the code changes from one generation to the next. Mutation (copying errors) or the mixture of two halves of parental DNA, or manipulation by an outside force, or some other mechanism.

      What matters is that variation is introduced, and the most successful variations survive and the less successful variations do not.

      It's an iterative process, much like software builds.

  5. Oh, you kids these days, with your Intartubes by Rogerborg · · Score: 3, Informative

    In my day, we called this stuff Core Wars, and we kept our viruses in jars and shook them to make them fight.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Oh, you kids these days, with your Intartubes by TheLink · · Score: 5, Funny

      If you write malware in Java you could keep them in jars too...

  6. This would be an easy one for Microsoft by Errol+backfiring · · Score: 2, Funny

    Embrace, extend, extinguish...

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  7. Can we start using OpenBSD, Solaris, Linux? by Anonymous Coward · · Score: 2, Insightful

    If it's really costing just American people and companies that much money, maybe it's time to stop using Windows.

    There are so many alternatives! Servers should be running OpenBSD, FreeBSD, NetBSD, Solaris, Linux, Mac OS X Server, or even AIX and HP-UX.

    Mac OS X and Linux make pretty damn good desktop systems for most users.

    And if you need to run Windows, perhaps do it only on a system that isn't networked.

    1. Re:Can we start using OpenBSD, Solaris, Linux? by characterZer0 · · Score: 2, Insightful

      $100 million? Please.

      Many times that has been wasted supporting broken versions of IE.

      Many times that has been wasted waiting for reboots after BSODs.

      Many times that has been wasted on upgrades nobody needs, other than because old versions no longer get security updates.

      If lost money was going to cause people to ditch Windows, they would have done it a long time ago.

      --
      Go green: turn off your refrigerator.
  8. Re:Let the botnet wars begin! by poena.dare · · Score: 5, Funny

    "What could be better than botnets trying to destroy each other?"

    Well, on the surface it looks good, but before long they'll be collaborating and eventually they'll learn to mate and produce better offspring. Then we'll have to amend the Defense of Marriage Act to keep botnets from getting married and start enforcing Don't Ask Don't Tell for networks.

    It's amazing how many people don't know that SkyNet's parents were homosexual transvestite liberal russian hackers that smoked heavily and collected guns.

    dARIUS qUAN predicted all of this. We should have listened!

  9. As long as it's not guns by ratboy666 · · Score: 4, Insightful

    I'll make some popcorn and we can all enjoy the show.

    But seriously, only 100M in losses?

    I don't have the figures at hand, but "McAfee forecasts $1.8 billion in revenue for 2009". I would put the cost of the extra security in; the US did that when prosecuting Gary McKinnon, so there appears to be precedent.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  10. Re:In Soviet Russia... by conspirator57 · · Score: 3, Funny

    Spy Vs. Spy!

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  11. honor among thieves by bugi · · Score: 2, Funny

    But -- but -- That was my stolen property!

    What are things coming to when you can't count on honor among thieves? I mean, thieves stealing from thieves? What is this world coming to!

  12. How to explain this to noobs? by Alwin+Henseler · · Score: 2, Interesting

    You have this infected machine, perhaps it's a bot sending out bulk spam. Or you install a game on it, and a trojaned executable steals your CD-key and sends it off... to China? To Russia? Who knows... Or you do some home banking with it (imbecile!), and possibly some program monitors your keystrokes and sends off username+passwords to "parties unknown".

    But the recurring problem: how to explain this to a noob? They're sitting on this trojaned machine, actively using it, processing private data with it, and just don't seem to care (as long as the apparatus still does the job). Anyone know of a good way to explain to a person like this what the dangers are? Why they should disinfect / wipe the machine ASAP? What does it take to make them understand what it means that "there's a trojan / backdoor on your machine"?

    Or is this futile? Should you just wait until they get hit hard(er)? Bank account emptied, e-mail account hacked, game CD-key blocked etc.? Any ideas?

    1. Re:How to explain this to noobs? by clone53421 · · Score: 2, Interesting

      Online banking.

      Even if you don’t do online banking on the computer, you’re allowing it to use the computer to spread itself. If you knowingly permit this you’re contributing to the defrauding of other people who do get their identities stolen, etc.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  13. Re:One to rule them all by clone53421 · · Score: 2, Funny

    Your ideas interest me and I would like to subscribe to your newsletter.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  14. So It's an AI? by Doc+Ruby · · Score: 3, Funny

    An upstart Trojan horse program has decided

    The news that a botnet is killing its rivals is nowhere near as disturbing as the news that it's decided to kill its rivals.

    --
    make install -not war

    1. Re:So It's an AI? by clone53421 · · Score: 5, Funny

      And you are doing exactly what you evolved to do. Get resources, attract a female, make offspring...

      I am?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  15. Reminder - This CAN be fixed by ka9dgx · · Score: 2, Insightful

    Here it is... the reminder that Capability Based Security can fix this, if we raise awareness of its existence, and push to get it implemented. The idea is older than Unix, for chrissakes.

  16. Microsoft's responsibility by Orlando · · Score: 2, Interesting

    This may sound naive, but I'm assuming that the vast majority of the machines used in botnets are Windows PCs? So has any attempt been made to make Microsoft take on some of the responsibility for this phenomenon and do something about it?

    --
    -= This is a self-referential sig =-
  17. Re:yes by HungryHobo · · Score: 2, Interesting

    http://webtorque.org/wp-content/uploads/malware_biz.pdf

    The really quiet, well-made ones you don't hear much about.