Seeking Competitive Advantage, For Malware

← Back to Stories (view on slashdot.org)

Seeking Competitive Advantage, For Malware

Posted by timothy on Friday April 2, 2010 @11:14AM from the when-jerkfaces-compete-you-lose dept.

jc_chgo writes "Brian Krebs over at the must-read KrebsOnSecurity.com writes about the rivalry between two competing authors of nasty credential-stealing malware. The newer (SpyEye) can remove the older (Zeus) on any system it infects. Meanwhile, Zeus is so successful prices have gone way up for the new version. These 'crimeware kits' are freely available for purchase, and have enabled millions of dollars in thefts. The buyers of the kits prey primarily on small businesses by using wire transfers out of bank accounts. This is a problem that is only going to get bigger over time."

39 comments

Min score:

Reason:

Sort:

Let's Look At The Positives by WrongSizeGlass · 2010-04-02 11:24 · Score: 3, Funny

There are positives to this. If one type of malware can handily defeat another type of malware I'm sure the A/V companies will be able to learn something from it (and up-charge their victims, er, customers accordingly).

There's also the new 'botwars' games that we'll be able to watch from the safety of our non-Windows computers.
1. Re:Let's Look At The Positives by Z34107 · 2010-04-02 11:26 · Score: 2, Insightful
  
  You'll be able to watch from the safety of your Windows computers, too. Most of these take advantage of exploits that were patched ages ago - SpyEye is simply cannibalizing Zeus' market.
  There's a finite number of negligently unpatched computers out there - and Zeus exists because small businesses do banking on them.
  
  --
  DATABASE WOW WOW
2. Re:Let's Look At The Positives by jon3k · 2010-04-02 11:41 · Score: 1
  
  Except for the fact that 10 million zeus infected windows machines will be spewing spam and scanning all your publicly accessible hosts. Not to mention infecting your friends, family and coworkers and possibly even stealing thousands of dollars from your place of employment.
3. Re:Let's Look At The Positives by toleraen · 2010-04-02 11:59 · Score: 1
  
  If my friends, family and coworkers ignored the first 15 emails I sent them telling them to run Windows Update and do a weekly virus scan...that's their fault.
4. Re:Let's Look At The Positives by Anonymous Coward · 2010-04-02 12:40 · Score: 1, Insightful
  
  Your email was nestled among 20 other emails asking them to install a "software update" because "their computer was vulnerable" Either they installed everything, or they sent your email to the spam folder.
5. Re:Let's Look At The Positives by mrmeval · 2010-04-02 12:41 · Score: 1
  
  No transaction can occur in at our bank without our signature. That means someone has to get off their dead ass and go to the bank and authorize it with proper credentials. It sucks. Someone has a job just to do this. All of the crap is generated on a computer but until that person toddles over there and signs off on it. Nothing happens.
  
  --
  I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
6. Re:Let's Look At The Positives by Mattpw · 2010-04-02 13:58 · Score: 2, Informative
  
  No transaction can occur in at our bank without our signature. That means someone has to get off their dead ass and go to the bank and authorize it with proper credentials. It sucks. Someone has a job just to do this. All of the crap is generated on a computer but until that person toddles over there and signs off on it. Nothing happens.
  The problem with alot of these more manual authentication systems is that while it sounds good from a security point of view it is quite possibly easier to circumvent the authentication procedure than the complexity with which the trojans are going through. Alot of people think manual phone based authentication like the SMS authentication option is a good idea however the real authentication strength is only as strong as convincing the targets telephone company to forward all their calls to their "new" number. The real authentication is usually only as strong as knowing the targets birthday or similarly googleable information.
7. Re:Let's Look At The Positives by mrmeval · 2010-04-02 16:29 · Score: 1
  
  Gun to the head of the relatives can work. It's a small enough commercial bank that they know our people and we know theirs. We do use technology but not for that last bit.
  
  --
  I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
8. Re:Let's Look At The Positives by jon3k · 2010-04-02 17:41 · Score: 1
  
  You're missing the point. Fault is irrelevant. We're beyond fault or assigning blame. We have millions of infected computers on the Internet today.
9. Re:Let's Look At The Positives by toleraen · 2010-04-02 18:20 · Score: 1
  
  Completely agree as I have to deal with this at work on a daily basis, sometimes it's just more pleasant to trivialize it.
10. Re:Let's Look At The Positives by Anonymous Coward · 2010-04-02 18:52 · Score: 0
  
  Fault is irrelevant. We're beyond fault or assigning blame.
  Fault is the solution. You have to remember that there are still a great many people who, instead of choosing to install malware, choose to not do so. They have competitive advantage.
  You can never make blame 100% irrelevant. Even when there are many stupid people who don't blunder into trouble, and non-stupid people who get compromised by stupid people they mistakenly trusted, overall on average, stupidity still punishes itself more than it punishes others. Businesses that still run Windows make slightly lower profits than ones which have modernized. Governments that still run Windows have a few more scandals, a little more election turnover, and emigration due to higher tax rates. Families that listen to family members who know about IT and say "don't install malware," are slightly more harmonious. To say that fault is irrelevant, is to ignore these realities.
11. Re:Let's Look At The Positives by CrossChris · 2010-04-03 06:24 · Score: 1
  
  ...then it's time to ban Windows machines from the internet.
  
  It IS time to appotion blame - the blame lies squarely with the stupid marketing-based decisions made by the clueless in Redmond, and their fundamental lack of understanding of the basic concept of a security model.
  
  Simple solution: Put those Redmond morons out of business once and for all by disconnecting every Windows machine and then suing them for each machine disconnection from the web - say $50000 per machine, just for the inconvenience....
I am on my Windows machine you insensitive clod by SmallFurryCreature · 2010-04-02 11:29 · Score: 1

I am on my Windows machine you insensitive clod.
Various criminals:Yeah, we too!
Windows, where do you want banking credentials to be sent to today?

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
1. Re:I am on my Windows machine you insensitive clod by jon3k · 2010-04-02 11:42 · Score: 2, Funny
  
  nice sig -- save for the fact that the "group" is composed of 90% men.
2. Re:I am on my Windows machine you insensitive clod by Bodhammer · 2010-04-02 12:15 · Score: 2, Funny
  
  nice sig -- save for the fact that the "group" is composed of 90% men.
  You mean two of his fingers are female?
  
  --
  "I say we take off, nuke the site from orbit. It's the only way to be sure."
3. Re:I am on my Windows machine you insensitive clod by Anonymous Coward · 2010-04-02 12:26 · Score: 0
  
  Uh, my head hurts trying to imagine female fingers. mm so they would have a slot to take in a male finger?
4. Re:I am on my Windows machine you insensitive clod by ProfessorKaos64 · 2010-04-02 13:01 · Score: 0, Offtopic
  
  It's also nice you can't read, He's making a comparison. He is saying orgasms are better in a groups, just like MMO Quests are better in a group, NOT that he is doing both, I know you are making fun, but your just dumbing down America
5. Re:I am on my Windows machine you insensitive clod by maxume · 2010-04-02 13:28 · Score: 1
  
  but your just dumbing down America
  Gold.
  
  --
  Nerd rage is the funniest rage.
6. Re:I am on my Windows machine you insensitive clod by gzipped_tar · 2010-04-02 14:05 · Score: 0, Offtopic
  
  You mean he has 19 fingers?
  
  --
  Colorless green Cthulhu waits dreaming furiously.
7. Re:I am on my Windows machine you insensitive clod by ProfessorKaos64 · 2010-04-02 14:08 · Score: 0, Offtopic
  
  Please seek help lolz
8. Re:I am on my Windows machine you insensitive clod by Anonymous Coward · 2010-04-02 16:36 · Score: 0
  
  since when was 2 fingers 10% of 19
9. Re:I am on my Windows machine you insensitive clod by gzipped_tar · 2010-04-02 16:55 · Score: 1
  
  Well, I seemed to have forgotten that toes can also enjoy the right to involve in this activity. But 10% of a 21-member group is not quite an integer. But that's assuming there *are* ten fingers and ten toes.
  BTW: Am I being politically incorrect against community members who have an alternative amount of digits?
  
  --
  Colorless green Cthulhu waits dreaming furiously.
10. Re:I am on my Windows machine you insensitive clod by Anonymous Coward · 2010-04-02 17:47 · Score: 0
  
  wow. I don't know what to say other than *woosh*. but judging by your -1 offtopic I think the problem's already been taken care of.
  
  I do like the part where you accuse him of not being able to read followed by "better in a groups" (plural) and then "your just dumbing" (s/your/you\'re).
  
  nice try though.
Queue The DRM Critics by WrongSizeGlass · 2010-04-02 11:31 · Score: 3, Interesting

FTFA

SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the first time we have seen this level of control for malware.”
I guess it was bound to happen ... you just can't trust anyone these days. I wonder if either of these 'kits' infects the computer that runs it? Would the authors ever infect their customers?
1. Re:Queue The DRM Critics by Anonymous Coward · 2010-04-02 16:04 · Score: 0
  
  Would the authors ever infect their customers?
  Unlikely. That's the kind of move that can be pulled only once, and it would be too soon for them do close down.
2. Re:Queue The DRM Critics by scolbe · 2010-04-02 16:58 · Score: 2, Funny
  
  I wonder if either of these 'kits' infects the computer that runs it? Would the authors ever infect their customers?
  oh, don't worry about that... that's just their handy, no fuss zero-click payment system.
  
  --
  Lead me not into temptation... I can find it myself 8+)
3. Re:Queue The DRM Critics by RobertLTux · 2010-04-03 00:45 · Score: 1
  
  Due to the more "Traditional Family Values" that can be found in those circles that kind of thing would be "unhealthy".
  
  --
  Any person using FTFY or editing my postings agrees to a US$50.00 charge
"It's clear from the Flash ads reproduced here..." by Anonymous Coward · 2010-04-02 12:02 · Score: 0

He's reproducing the Flash ads from a malware seller.
Wow, I've never been more glad to be using AdBlock and NoScript in my life!
What...? by ProfessorKaos64 · 2010-04-02 12:56 · Score: 1

How do these guys not get caught? I mean, can't federal agents just set up fake transactions if hes publicly selling it? I know im simplifying it, so I ask anyone here to explain maybe how complicated it may be.
1. Re:What...? by Restil · 2010-04-02 13:29 · Score: 4, Informative
  
  Here's the problem:
  Assuming the people who wrote and sell this software reside in the US or some country which will happily extradite them for us, it's possible that what they're doing isn't technically illegal. They're not actually USING the software, just selling it. This is somewhat equivalent to someone selling lockpicks. Granted, this software probably has no legitimate purpose, except perhaps to be used for security audits or something. However, even if it IS illegal, to get the Feds involved will require an almost certain guarantee of conviction. They want a jury to be debating the length of the sentence, not whether or not the suspects are actually guilty or not. If there is enough legal doubt as to whether or not a crime was even committed, the Feds will be leery of even getting involved.
  So fine, lets pass a law making the creation and/or publication of software that has mostly malicious intent. That'll be good... right? The only problem is, Congress gets to write that law. This means three things. First off, the law will likely be written in a way that is so vague that it ends up not only applying to the software in question, but half of the legitimate software ever written. Before you know it, all advertising, security software, operating systems other than windows, and of course, the ping program, will now be considered illegal.. technically. This means that the law will end up not being enforced. Next, they will be sure to word it in such a way as to render it unconstitutional, so next thing you know, the Supreme Court will tie it up for 10 years, and finally kill it. And finally, you can't pass a law without attaching a large number of completely unrelated riders, which will end up causing parties opposed to the riders to vote against and/or filibuster the bill, which causes the other side to insist that the opposing party WANTS people to have their banking credentials stolen... and so on.
  Anyways, to answer your question, Yes. You were simplifying it. It would be MUCH easier to just find a way to sneak a few images of child porn on one of their computers, and shut them down that way. THAT avenue at least seems to have no roadblocks.
  -Restil
  
  --
  Play with my webcams and lights here
2. Re:What...? by ProfessorKaos64 · 2010-04-02 13:33 · Score: 1
  
  Perfectly answered everything. Thanks a million man, see people? There are people on slashdot that arn't constant trolls :)
3. Re:What...? by Anonymous Coward · 2010-04-02 14:38 · Score: 3, Insightful
  
  Look, I know the grandparent was just trying to help, but in real-life people don't do things because of silly slippery-slope arguments.
  The reason that this is very hard for law-enforcement to stop is because it is not being done by lone guys in their parent's basements, but because it is business. As a start, read "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants", http://cseweb.ucsd.edu/~savage/papers/CCS07.pdf
  You can buy lists of valid credit card numbers, botnets, root-kitted machines, almost anything. The people who sell this sort of stuff often don't even think of themselves as criminals, just businessmen. When selling rooted machines, they often are careful not to touch machines in their own country, so local law enforcement is unlikely to care, and to avoid things like child porn which the police will really come after them for.
  Now, say you are a typical American law enforcement guy and you find out that someone might be involved in this sort of stuff. What do you do? Well, citizens have been complaining about paying taxes so your budget is going to be pretty much nothing. You are also going to be evaluated on how many "bad guys" you catch. And you know that almost as soon as you start investigating that the trail is going to lead to some overseas servers, which means that you are going to have to get the cooperation of law enforcement in other countries. And, you know that even if you get international cooperation then eventually the investigation is going to involve someplace where the local authorities don't care, and all your time will have been wasted. So, knowing this, are you going spend your time starting the investigation? Or are you going to catch a bunch of petty thieves instead and get a nice bonus for stopping crime?
4. Re:What...? by anarche · 2010-04-02 14:40 · Score: 1
  
  Well said, sir! Mod parent up!
  A law banning this would probably pass in Australia (don't start on the filter!). We ban sales of spray paint to minors (in case they graffiti), guns to non-farmers (in case they kill someone) etc.
  Just get your guys to sell a kit to an Aussie scriptkiddie, track em down (filter anyone?) then organise extradition to Down Under.
  
  --
  Wait! Whats a sig?
Malware competing with each other in the market... by gzipped_tar · 2010-04-02 13:23 · Score: 2, Funny

...is still much better than the idea of government-owned, tax-paid malware.

--
Colorless green Cthulhu waits dreaming furiously.
Paraphrasing by DynaSoar · 2010-04-02 15:39 · Score: 1

"What we need are a few good old fashioned hangings." -- FTC commissioner Orson Swindell at the first FTC spam conference. I'm looking forward to hearing about one of the organized crime associated bots getting whacked by one of the competition, and so the owners of the former return the favor to the author of the (temporary) victor. I suspect it's happened already, but not publicized. Sooner or later one will. Then we'll see some real cyberwarefare. You think the US government has got some cyberwarriors lined up? Fugidaboudit.

--
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
It's going to be fixed once it gets big enough... by Anonymous Coward · 2010-04-02 15:43 · Score: 0

If there is *one* thing you can be sure about consumer banks is that they hate losing money *and* time. They *cannot* pass all the burden to the consumers and they *cannot* make up for the lost time in employees dealing with this. Hence once the problem shall be big enough, 100% foolproof solution will come.
Some europeans banks have a physical device into which you need to enter a cryptographic challenge (in which the recipient's bank account number IS part of the challenge). You cannot make a wire transfer without that device / PIN. There's no known MITM attack that works against this. Good game low-lifes.
I hope they fill their pockets while it's not put in place by every single consumer bank around the world, because these devices already started appearing in several banks (repeat after me: the bank account number of the recipient is part of the cryptographic challenge, there's no MITM that can work against that).
Re:It's going to be fixed once it gets big enough. by Alex+Belits · 2010-04-02 22:00 · Score: 1

there's no MITM that can work against that
Of course, there is.
Malware will just replace the account number used in a legitimate transaction with one of the scammer.

--
Contrary to the popular belief, there indeed is no God.
Re:It's going to be fixed once it gets big enough. by Spiked_Three · 2010-04-02 23:00 · Score: 1

Agreed. right now, banks do what they can they can to take the easy road to money. For the most part that means accepting any transaction from anyone with no proof of identity or verification of authenticity on transactions. In specific, the credit card companies are the major source of easy money, and they are supplemented with the greed to make an additional transaction fee. In the US, go to your bank and ask 'who took my money?' At best you will get an 800 number to some robo-answering machine. There is no law or agreement that a bank has to tell you who they gave your money to.
And as long as credit cards can absorb the stolen amounts, they are not going to require authentication, as it will inconvenience the consumer and hurt volume.
It took many years for the recent credit rules to get through in the US that had some small dent on the corruptness of banks and credit cards in the US. But they did not go far enough. What used to be called loan sharking in the US is still legal for 'financial institutions'. We are supposed to elect politicians to represent us, what segment of the population was represented by making it 'illegal to charge huge interests rates for the loaning of money, except for financial institutions' ? That is a blatant and obvious sign of how corrupt our political system has become.
Just wait until the malware authors learn about lobbying.

--
slashdot troll = you make a compelling argument I do not like the implications of.