Slashdot Mirror


Malware Authors Learn Market Segmentation From the Best

Earthquake Retrofit writes "The Register has a rather funny story about the Zeus botnet: 'The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows. ... They've also pushed out multiple flavors of the package that vary in price depending on the capabilities it offers. Just as Windows users can choose between the lower-priced Windows 7 Starter or the more costly Windows 7 Business, bot masters have multiple options for Zeus.'"

2 of 49 comments

  1. Re:BSA by mysidia · Score: 3, Insightful

    I think they actually have a more effective method, though: malware that determines it is unlicensed and being used "illegally" activates and turns into a trojan working on behalf of the maker.

  2. Re:Version 1.4 by maxwell+demon · Score: 4, Insightful

    Finally, I think you may be a bit confused. In x86 (and x64) assembly at least, there's no such thing as a partial op-code. Each instruction is one or more bytes, and the CPU doesn't just skip over invalid data as some did (like some 6502 variants). So you can't change any bit in an op-code without changing what that op-code is and thus what it does. For example, 74 is JZ: jump to the address (specified afterward) if the zero flag is set. 75 is JNZ: jump to the address if the zero flag is NOT set. Change one bit and you change the whole meaning of the instruction. You can't fiddle with parts and have a different op-code that does the same thing.

    All the following sequences do an unconditional jump:

    ; sequence 0
    JMP dest
     
    ; sequence 1
    JZ dest
    JNZ dest
     
    ; sequence 2
    JNZ dest
    JZ dest
     
    ; sequence 3
    JC dest
    JNC dest
     
    ; sequence 4
    JNC dest
    JC dest
     
    ; sequence 5
    JB dest
    JE dest
    JA dest
     
    ; sequence 6
    PUSH dest
    RET

    Note that any difference in length can be made up with either preceding (effective) NOPs (there are many possibilities there, too) or with following junk (it's an unconditional jump; anything directly following isn't executed anyway). Also note that the destination address can be varied if the destination starts with some (effective) NOPs, or if you have jump instructions to that address at other positions.

    And all that is just what I could immediately think of. I'm sure someone who spends considerable time on designing such stuff would find many more ways to vary the code.

    --
    The Tao of math: The numbers you can count are not the real numbers.
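The claim in the comment above (that every listed sequence is an unconditional jump, while a single-bit change such as 74 to 75 alters behaviour) can be checked mechanically. The following is an added example, not code from the Slashdot thread or from the Zeus kit: a tiny assembler for the short (rel8) forms of the instructions used in the sequences, plus a simulator that runs each encoding under all four combinations of the carry and zero flags. It assumes 32-bit mode, a flat layout at the constructed addresses BASE and DEST, and only the opcodes the sequences need. It also generates the padded variants the comment describes (leading NOPs, trailing junk) and confirms they are byte-distinct yet behaviourally identical, which is exactly what defeats a fixed byte signature.

```python
"""Added example: check that the jump sequences from the comment are equivalent.

Assumptions (not from the post): 32-bit mode, short rel8 jump encodings,
code laid out at BASE, jump target DEST, and only the opcodes needed here.
"""
from itertools import product

BASE = 0x1000  # constructed: address where each sequence is laid out
DEST = 0x1040  # constructed: jump target, chosen to be within rel8 range

# Condition codes for Jcc rel8 (opcode byte = 0x70 | cc). Aliases share a cc.
COND = {"JB": 0x2, "JC": 0x2, "JNC": 0x3, "JAE": 0x3,
        "JZ": 0x4, "JE": 0x4, "JNZ": 0x5, "JBE": 0x6, "JA": 0x7}

# Whether Jcc with a given cc is taken, as a function of (CF, ZF).
PRED = {0x2: lambda cf, zf: cf,                  # below / carry
        0x3: lambda cf, zf: not cf,              # not carry / above-or-equal
        0x4: lambda cf, zf: zf,                  # zero / equal
        0x5: lambda cf, zf: not zf,              # not zero
        0x6: lambda cf, zf: cf or zf,            # below-or-equal
        0x7: lambda cf, zf: not cf and not zf}   # above

# The sequences exactly as listed in the comment.
SEQUENCES = {0: ["JMP"], 1: ["JZ", "JNZ"], 2: ["JNZ", "JZ"],
             3: ["JC", "JNC"], 4: ["JNC", "JC"], 5: ["JB", "JE", "JA"],
             6: ["PUSH dest", "RET"]}


def _rel8(addr, dest):
    rel = dest - (addr + 2)           # displacement is relative to the next instruction
    if not -128 <= rel <= 127:
        raise ValueError("target out of rel8 range")
    return rel & 0xFF


def assemble(seq, base=BASE, dest=DEST):
    """Encode a list of mnemonics into x86 machine code laid out at `base`."""
    out = bytearray()
    for mnem in seq:
        addr = base + len(out)
        if mnem == "NOP":
            out += b"\x90"
        elif mnem == "JMP":
            out += bytes([0xEB, _rel8(addr, dest)])
        elif mnem in COND:
            out += bytes([0x70 | COND[mnem], _rel8(addr, dest)])
        elif mnem == "PUSH dest":
            out += b"\x68" + dest.to_bytes(4, "little")   # PUSH imm32
        elif mnem == "RET":
            out += b"\xC3"
        else:
            raise ValueError(mnem)
    return bytes(out)


def run(code, cf, zf, base=BASE, dest=DEST, max_steps=32):
    """Simulate `code` with the given flags; report where control ends up."""
    pc, stack = base, []
    for _ in range(max_steps):
        if pc == dest:
            return "dest"
        off = pc - base
        if not 0 <= off < len(code):
            return "fault"                      # ran off the end of the buffer
        op = code[off]
        if op == 0x90:                          # NOP
            pc += 1
        elif op == 0xEB:                        # JMP rel8
            pc += 2 + _signed8(code[off + 1])
        elif 0x70 <= op <= 0x7F:                # Jcc rel8
            taken = PRED[op & 0xF](cf, zf)
            pc += 2 + (_signed8(code[off + 1]) if taken else 0)
        elif op == 0x68:                        # PUSH imm32
            stack.append(int.from_bytes(code[off + 1:off + 5], "little"))
            pc += 5
        elif op == 0xC3:                        # RET
            pc = stack.pop()
        else:
            return "fault"                      # junk byte reached: undefined here
    return "loop"


def _signed8(b):
    return b - 256 if b > 127 else b


def taken_for(code):
    """Set of (CF, ZF) states under which `code` transfers control to DEST."""
    return {(cf, zf) for cf, zf in product((0, 1), (0, 1)) if run(code, cf, zf) == "dest"}


def always_reaches_dest(code):
    return len(taken_for(code)) == 4


def metamorphic_variants():
    """Each sequence with 0-2 leading NOPs and optional trailing junk (0xCC).
    Distinct byte strings, identical behaviour; the junk is never executed."""
    seen = set()
    for seq in SEQUENCES.values():
        for nops in range(3):
            for junk in (b"", b"\xcc\xcc"):
                code = assemble(["NOP"] * nops + seq) + junk
                assert always_reaches_dest(code), code.hex()
                seen.add(code)
    return sorted(seen)


if __name__ == "__main__":
    for n, seq in SEQUENCES.items():
        print(f"sequence {n}: {assemble(seq).hex():<14} unconditional={always_reaches_dest(assemble(seq))}")
    print("JZ alone taken for (CF,ZF) in", sorted(taken_for(assemble(["JZ"]))))
    print(len(metamorphic_variants()), "distinct encodings, all equivalent")
```

The simulator treats any byte other than the modelled opcodes as a fault, so the trailing 0xCC junk would be caught if a variant ever fell through to it; the assertion inside metamorphic_variants() confirms none does. Extending COND and PRED to the remaining condition codes (overflow, sign, parity, and the signed comparisons) lets the same harness enumerate many more equivalent sequences than the seven in the comment.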