Malware Authors Learn Market Segmentation From the Best

Earthquake Retrofit writes "The Register has a rather funny story about the Zeus botnet: 'The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows. ... They've also pushed out multiple flavors of the package that vary in price depending on the capabilities it offers. Just as Windows users can choose between the lower-priced Windows 7 Starter or the more costly Windows 7 Business, bot masters have multiple options for Zeus.'"

hmm

[theheadlessrabbit]

but will these malware authors be able to cause as much harm to your computer as windows does?

Re:hmm

[ms1234]

does it run on linux?

Re:hmm

[chromas]

Segmentation fault!

You may be a victim of botnet counterfeiting

Your copy of Zeus has not been validated.

Re:You may be a victim of botnet counterfeiting

I'll get the crack from The Pirate Bay. Oh shit, botnetted.

Re:You may be a victim of botnet counterfeiting

[TheLink]

Does cracking the malware copy protection violate the DMCA?

Not funny or new

[OrwellianLurker]

Malware distributors have been doing this for some time...

Re:BSA

[mysidia]

I think they have a more actually effective method though........ malware activates if determined to be unlicensed and being used "illegaly", turns into a trojan working on behalf of the the maker.

all hands on deck!

Just as Windows users can choose between the lower-priced Windows 7 Starter or....

Actually, I don't think you get that choice. (at least, not in most first-world countires) I was under the impression that windows 7 starter edition would only be available to "developing" countries. (and maybe on netbooks as well, though I fail to see how that would be even remotely necessary. My Eee 1000he runs 7 professional just fine.)

Also, I give it a week or less before some cracking group releases a pirated version. Then they'll start putting more and more oppressive DRM into their malware kits!

Malware wants to be free!

Re:all hands on deck!

[makomk]

Windows 7 Starter will be available in all countries. The reason for offering it on netbooks is that full Windows 7 is expensive (much more expensive for netbooks than XP was) and would push up the price quite a bit...

Re:BSA

Like a stolen remotely-activatable bomb.

Version 1.4

[Manip]

I'm a little surprised Zeus is only adding dynamic executables with version 1.4. This malware kit has been around a while and software has been doing this kind of thing since the very beginning. Maybe it tells us that a lot of Zeus' victims lack any kind of working AV? Or maybe it tells us that with things like Security Essentials being free and popular they're more worried about AV as a threat to their business?

I will say that a binary that changes its self every execution becomes very hard to detect unless your software really understands how a program is running from a mechanical standpoint. Even then you could still embed a dynamically encrypted package into another process's address space and decrypt it there.

Ultimately however it still comes down to the simple fact that there is one layer of defence on modern PCs and once that is bypassed you might have well reinstall your OS.

Re:Version 1.4

One would have thought they added it in the current version - version 1.3.3.7 !XD

Re:Version 1.4

[bmo]

a lot of Zeus' victims lack any kind of working AV?

Have you seen a typical home Windows machine connected to the Internet?

You should get out more.

If the machine actually has AV, it's probably 6 months out of date at a minimum.

I could rant about Windows in general being the most insecure out of the box, but I'm no longer motivated to rant about legacy software anymore. Y'all get what ya get.

--
BMO

Re:Version 1.4

Personally, I found it funny that the current version is 1.3.3.7.

Very l33t.

Re:Version 1.4

[Sycraft-fu]

Plenty of virus scanners can pick up on dynamic executables (also called polymorphic). One problem you run in to is that you have to pass the scanner before you get to execute, so that means that even if your thing can really scramble itself upon execution, if they have info on the versions that are being distributed online, those can be blocked and you don't get a chance to change. However as a practical matter, your code is still there no matter what, has to be to run, and the advanced scanner can pick up on that. They also can perk up and look harder when you do uncommon things like self-modify and so on.

What it really comes down to though is that these kind of programs are going after low hanging fruit. The botnet authors aren't trying to bypass every defense, they just want to get a big net of infected PCs and there are plenty of choices with crap defense. Besides, the ones without defenses are ones more likely to not clean up the infection. If someone goes through the trouble to secure their system, they may also watch it and will notice problems if you infect it. That doesn't do you much good if they just clean it up after a couple hours. You want a system you can hang on to.

Re:Version 1.4

[KiloByte]

In the old days of viruses made for fun rather than profit, a proper polymorphic virus didn't have a constant string longer than a single byte. Instead of changing encryption key, they randomized the entire algorithm -- down to partial opcodes. With this, there is no way to gather signatures of any number of versions, since there simply are none. Another trick is to decrypt just the code that's about to run, clearing it afterwards -- so a memory dump won't help the slightest.

That trivially defeats both ways to scan that you mention. On the other hand, I doubt current malware makers have even a fraction of skill used in the old days -- it's simply uneconomical to do such advanced things if simpler ways are good enough to fool the AV junk. So yeah, the second half of your post is spot-on.

Re:Version 1.4

[Sycraft-fu]

Engines these days are more advanced than just signature matching. They do that too, since it works well against most threats, but they have more advanced tricks to detect viruses despite obfuscation attempts. They are fairly advanced these days.

Also remember you have a far more complex system to contend with. On DOS you had direct access to any and everything. Not the case in Windows or any other modern OS. You have to interface with the OS's calls and you have to deal with thing like processor enforced privilege levels and so on. You can't write your code in any way you like or the OS will simply refuse to execute it and throw an error.

Finally, I think you may be a bit confused. In x86 (and x64) assembly at least, there's no such thing as a partial op-code. Each instruction is one or more bytes and the CPU doesn't just skip over invalid data as some did (like some 6502 variants). So you can't change any bit in an op-code or you'll change what that op-code is and thus what it does. For example 74 is JZ, jump to the address (specified afterward) if the zero flag is set. 75 is JNZ, jump to the address if the zero flag is NOT set. Change one bit, changes the whole meaning of the instruction. You can't fiddle with parts and have a different op-code that does the same thing.

Re:Version 1.4

I too have wondered why polymorphic viruses never became a hit. it must be ridiculously easy to disable virus scanners, so there is no interest in hiding from them.

Re:Version 1.4

To emphasize your point, this is an era when malware creators write their code in Visual Basic because it's just too hard to learn C++. We oughtn't expect incredible feats of brilliance from them.

Re:Version 1.4

[maxwell+demon]

Finally, I think you may be a bit confused. In x86 (and x64) assembly at least, there's no such thing as a partial op-code. Each instruction is one or more bytes and the CPU doesn't just skip over invalid data as some did (like some 6502 variants). So you can't change any bit in an op-code or you'll change what that op-code is and thus what it does. For example 74 is JZ, jump to the address (specified afterward) if the zero flag is set. 75 is JNZ, jump to the address if the zero flag is NOT set. Change one bit, changes the whole meaning of the instruction. You can't fiddle with parts and have a different op-code that does the same thing.

All the following sequences do an unconditional jump:

; sequence 0
JMP dest
 
; sequence 1
JZ dest
JNZ dest
 
; sequence 2
JNZ dest
JZ dest
 
; sequence 3
JC dest
JNC dest
 
; sequence 4
JNC dest
JC dest
 
; sequence 5
JB dest
JE dest
JA dest
 
; sequence 6
PUSH dest
RET

Note that any difference in length can be made up with either preceding (effective) NOPs (there are many possibilities there, too) or with following junk (it's an unconditional jump; anything directly following isn't executed anyway). Also note that the destination address can be varied if the destination starts with some (effective) NOPs, or if you have jump instructions to that address at other positions.

And all that is just what I could immediately think of. I'm sure someone who spends considerable time on designing such stuff would find many more ways to vary the code.

Re:Version 1.4

[kalirion]

so that means that even if your thing can really scramble itself upon execution, if they have info on the versions that are being distributed online, those can be blocked

Until the infected machines start distributing their already-scrambled executables to others?

Re:Version 1.4

[AlgorithMan]

programs (like AV) can not understand programs - see Rice's Theorem...

Re:Version 1.4

[AlgorithMan]

have you tried

PUSH dest
RET

? I'm no assembler expert, but I think PUSH alters the stack pointer, RET uses the frame pointer to find the return address and that has been unaltered...

Re:Version 1.4

[AlgorithMan]

I'm not sure, but I think you are mistaken. The code should just be put in an "array", not interpreted in any way and a JMP should be able to set the instruction pointer to a byte that isn't an instruction, but a parameter of an instruction (you'd have to change the bytecode manually in a hexeditor, because compilers and assemblers would not write the code this way)

let me illustrate this with an example - I think this is how anti-disassembler techniques work

1: JMP 3
2: JMP
3: Do something

1 jumps to byte no. 4, but when you try to disassemble this, byte no. 4 would be interpreted as the parameter of the JMP in line 2... In the same way, you should be able to fill your program with random junk - you just have to correct the jump destinations properly to not jump into the junk...

Re:Version 1.4

[AlgorithMan]

disassemblers could ignore bytes, based on some "code-reachability" measurement, but if you do the JMP in line 1 conditionally, you have won, because you can just use some first-order-logic tautology as condition for the jump - it would always be executed, but a disassembler would have to solve the halting problem (which is unsolvable) to decide, whether the following bytes are reachable...

Re:Version 1.4

[makomk]

I'm no assembler expert, but I think PUSH alters the stack pointer, RET uses the frame pointer to find the return address and that has been unaltered...

There's no such thing as a frame pointer at the hardware level on x86, as far as I'm aware. PUSH, POP, CALL and RET all use the stack pointer.

Re:Version 1.4

[maxwell+demon]

I'm no assembler expert, but I think PUSH alters the stack pointer, RET uses the frame pointer to find the return address and that has been unaltered...

There's no such thing as a frame pointer at the hardware level on x86, as far as I'm aware. PUSH, POP, CALL and RET all use the stack pointer.

By convention, BP is used as the frame pointer on x86. But it isn't directly done by the CPU, but has to be explicitly set up by the function prolog/epilog (basically copying the stack pointer to BP and back) and often is omitted by functions not using local variables. RET indeed reads the address through the stack pointer; the only special thing about BP is that addressing through it by default uses the stack segment register (this doesn't matter for the usual flat memory model used today, but it mattered for 16 bit code, and shows that indeed this usage of BP was intended by the x86 designers). Basically, RET is a "POP (E)IP".

Re:BSA

[j35ter]

Uh, you mean this is less dangerous than activating XP?

Supposed commercial...

...(Mafia dude with NJ/Italian accent) "In the world were we live today, we see multiple opportunities to automate the way you deal with your 'customers'. We all know that baseball bats and golf clubs tend to get a little rusty after a while - hey: we get a little rusty after a while! This is what our experts (cue clip of nerd-dudes with guns placed against their head) set out to fix with great enthusiasm - if you know what I mean hehe. Your company can rest assured that your business can continue now with our new Zeus line of products. To even further help you, we offer it in three variants: Zeus LowLifeScum Edition - the most simplest version with your basic average way to extort. Zeus Made Edition - yeah, you know what you want to have : more automated tools, comes with credit card extraction too! And of course: Zeus Maffia Edition - our ultimate edition, if you belong to the family and want it all. I suggest you meet up soon, I'll make you an offer you can't refuse, hehe. Ciao"

Re:Supposed commercial...

[easyTree]

...(Mafia dude with NJ/Italian accent) "In the world were we live today, we see multiple opportunities to automate the way you deal with your 'customers'. We all know that baseball bats and golf clubs tend to get a little rusty after a while - hey: we get a little rusty after a while! This is what our experts (cue clip of nerd-dudes with guns placed against their head) set out to fix with great enthusiasm - if you know what I mean hehe. Your company can rest assured that your business can continue now with our new Zeus line of products. To even further help you, we offer it in three variants: Zeus LowLifeScum Edition - the most simplest version with your basic average way to extort. Zeus Made Edition - yeah, you know what you want to have : more automated tools, comes with credit card extraction too! And of course: Zeus Maffia Edition - our ultimate edition, if you belong to the family and want it all. I suggest you meet up soon, I'll make you an offer you can't refuse, hehe. Ciao"

That all sounds less threatening than the supposedly-legitimate RIAA!

Which version of Zeus should I buy...

[Tracy+Reed]

Zeus Smoky Bacon Edition or Zeus Kenny Loggins edition? Bacon is delicious, but I also love that Footloose song...

Re:Which version of Zeus should I buy...

[JamesP]

Whatever you do don't buy Zeus starter edition, it only allows you to infect 3 machines at the same time...

Re:Which version of Zeus should I buy...

The Zeus Squeez Bacon Ultimate version, of course.

protagonists of newclear power ready to settle

we'll take it all (such as it is), thanks.

never a better time to consult with/trust in your creators. providing more than enough of everything for everybody, without any personal gain motive, since/until forever. see you there?

Re:BSA

Pirates don't Activate.

Bot Master

[celibate+for+life]

I don't care if it's illegal, "Bot Master" sounds awesome, how do I become one?

Re:Bot Master

[maxume]

You could probably track down the code to some obsolete system and install it on your own computer.

www.t10t.net

Very cool I admire this
Thank you all

Maybe they are from the same company.

Did you ever think that maybe the Zeus botnet is produced by Microsoft's marketing department?

Vulnerabilities make money for Microsoft: "This time, our OS is secure. Really. Buy a copy." People go out and buy a new computer because they don't know how to fix the one they have: Corrupted PC's Find New Home in the Dumpster.

Re:Maybe they are from the same company.

[Ihmhi]

From that article you linked:

SAN FRANCISCO, July 15 - Add personal computers to the list of throwaways in the disposable society.

On a recent Sunday morning when Lew Tucker's Dell desktop computer was overrun by spyware and adware - stealth software that delivers intrusive advertising messages and even gathers data from the user's machine - he did not simply get rid of the offending programs. He threw out the whole computer.

Mr. Tucker, an Internet industry executive who holds a Ph.D. in computer science, decided that rather than take the time to remove the offending software, he would spend $400 on a new machine.

Mr. Tucker is a dumbass. There are plenty of people who could have completely cleared out that computer for under $100 in man hours.

Re:Maybe they are from the same company.

[timeOday]

Perhaps it was an old computer anyways, and thus not worth repairing?

If not, you would think we would at least have sold it on craigslist, which is easy and quick if you sell below market value.

Re:Maybe they are from the same company.

[DigiShaman]

Mr. Tucker is not dumb. What he did was smart, and many people including myself advocate the same depending on how old your computer is. You have to factor in things such as your current hardware, warranty length (expired), version of OS, time it would take to diagnose and cleanup a virus. All in all, it may be best to cut your losses and just purchase a new machine which includes newer technologies, warranty, and a shiny new OS. I've personally seen attempted cleanup and format/reinstall work cost more in billable hours than a new machine!!!

It's a risk assessment that has to be made a head of time. But the dirty little secret is this: Home/Office PCs have become more cost effective to be "throwaways".

Re:Maybe they are from the same company.

[Ihmhi]

I have advocated it in the past as well, but only when the piece of hardware is:

a) Really old

b) In terrible shape

c) Made by a terrible manufacturer

I greatly dislike the whole philosophy of replacing stuff unnecessarily. I was raised as one of those people who tries to fix something before going out and buying a new one.

Then again, I suppose spending money frivolously goes hand-in-hand with being an executive.

Re:Maybe they are from the same company.

[DigiShaman]

Two things are of value monetarily. Time and Materials. Anyone would choose the cheaper route when making a decision to fix or replace.

I work on computers for a living like most here. If its my personal machine, I'll fix it on my own spare time. But, if I'm on the clock, I might actually scrap the machine to save the company money so I can move on to more important (valuable) tasks. In fact, I might even recommend keeping the drive (sensitive data and all) and donating the hardware to charity or sell it to an employee. It might even have some value laying around the bone yard for those pick-a-part moments.

Re:Maybe they are from the same company.

[Ihmhi]

Two things are of value monetarily. Time and Materials. Anyone would choose the cheaper route when making a decision to fix or replace.

I completely agree. And my original point of him being an idiot stands. Worst case scenario of "salt the earth and reformat" takes a grand total of 2, 2 1/2 hours. Unless he lives out in the burbs where you'll spend $50-150/hour for a tech, it still would have been far, far cheaper than buying even a netbook.

Re:Maybe they are from the same company.

[hesaigo999ca]

And funny enough, reinstalling windows would have taken only 30 minutes of his time...
had he the windows cd that came with the computer. This is why I hate the computer world, no one tries to push this enough, M$ loves to hear that you bought a new computer, and new license for windows...
as well, now there is even more power available to the botnet writers since you will visit that same site that got you infected in the first place. More power...more emails!

Hardware-based?

[ScrewMaster]

hardware-based product activation scheme similar to what's found in Microsoft Windows

Windows Product Activation is not what is usually termed "hardware based". It may take a signature of your hardware to look for unacceptable changes to that hardware, but that's about it. A hardware-based scheme usually involves a dongle or other physical device that is required for the software to execute.