Slashdot Mirror


Seeking Competitive Advantage, For Malware

jc_chgo writes "Brian Krebs over at the must-read KrebsOnSecurity.com writes about the rivalry between two competing authors of nasty credential-stealing malware. The newer (SpyEye) can remove the older (Zeus) on any system it infects. Meanwhile, Zeus is so successful that prices have gone way up for the new version. These 'crimeware kits' are freely available for purchase, and have enabled millions of dollars in thefts. The buyers of the kits prey primarily on small businesses by using wire transfers out of bank accounts. This is a problem that is only going to get bigger over time."

28 of 39 comments

  1. Let's Look At The Positives by WrongSizeGlass · · Score: 3, Funny

    There are positives to this. If one type of malware can handily defeat another type of malware I'm sure the A/V companies will be able to learn something from it (and up-charge their victims, er, customers accordingly).

    There's also the new 'botwars' games that we'll be able to watch from the safety of our non-Windows computers.

    1. Re:Let's Look At The Positives by Z34107 · · Score: 2, Insightful

      You'll be able to watch from the safety of your Windows computers, too. Most of these take advantage of exploits that were patched ages ago - SpyEye is simply cannibalizing Zeus' market.

      There's a finite number of negligently unpatched computers out there - and Zeus exists because small businesses do banking on them.

      --
      DATABASE WOW WOW
    2. Re:Let's Look At The Positives by jon3k · · Score: 1

      Except for the fact that 10 million zeus infected windows machines will be spewing spam and scanning all your publicly accessible hosts. Not to mention infecting your friends, family and coworkers and possibly even stealing thousands of dollars from your place of employment.

    3. Re:Let's Look At The Positives by toleraen · · Score: 1

      If my friends, family and coworkers ignored the first 15 emails I sent them telling them to run Windows Update and do a weekly virus scan...that's their fault.

    4. Re:Let's Look At The Positives by Anonymous Coward · · Score: 1, Insightful

      Your email was nestled among 20 other emails asking them to install a "software update" because "their computer was vulnerable" Either they installed everything, or they sent your email to the spam folder.

    5. Re:Let's Look At The Positives by mrmeval · · Score: 1

      No transaction can occur at our bank without our signature. That means someone has to get off their dead ass and go to the bank and authorize it with proper credentials. It sucks. Someone has a job just to do this. All of the crap is generated on a computer, but until that person toddles over there and signs off on it, nothing happens.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    6. Re:Let's Look At The Positives by Mattpw · · Score: 2, Informative

      No transaction can occur at our bank without our signature. That means someone has to get off their dead ass and go to the bank and authorize it with proper credentials. It sucks. Someone has a job just to do this. All of the crap is generated on a computer, but until that person toddles over there and signs off on it, nothing happens.

      The problem with a lot of these more manual authentication systems is that while it sounds good from a security point of view, it is quite possibly easier to circumvent the authentication procedure than the complexity with which the trojans are going through. A lot of people think manual phone-based authentication like the SMS authentication option is a good idea; however, the real authentication strength is only as strong as convincing the target's telephone company to forward all their calls to their "new" number. The real authentication is usually only as strong as knowing the target's birthday or similarly googleable information.

    7. Re:Let's Look At The Positives by mrmeval · · Score: 1

      Gun to the head of the relatives can work. It's a small enough commercial bank that they know our people and we know theirs. We do use technology but not for that last bit.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    8. Re:Let's Look At The Positives by jon3k · · Score: 1

      You're missing the point. Fault is irrelevant. We're beyond fault or assigning blame. We have millions of infected computers on the Internet today.

    9. Re:Let's Look At The Positives by toleraen · · Score: 1

      Completely agree as I have to deal with this at work on a daily basis, sometimes it's just more pleasant to trivialize it.

    10. Re:Let's Look At The Positives by CrossChris · · Score: 1

      ...then it's time to ban Windows machines from the internet.

      It IS time to apportion blame - the blame lies squarely with the stupid marketing-based decisions made by the clueless in Redmond, and their fundamental lack of understanding of the basic concept of a security model.

      Simple solution: Put those Redmond morons out of business once and for all by disconnecting every Windows machine and then suing them for each machine disconnection from the web - say $50000 per machine, just for the inconvenience....

  2. I am on my Windows machine you insensitive clod by SmallFurryCreature · · Score: 1

    I am on my Windows machine you insensitive clod.

    Various criminals:Yeah, we too!

    Windows, where do you want banking credentials to be sent to today?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:I am on my Windows machine you insensitive clod by jon3k · · Score: 2, Funny

      nice sig -- save for the fact that the "group" is composed of 90% men.

    2. Re:I am on my Windows machine you insensitive clod by Bodhammer · · Score: 2, Funny

      nice sig -- save for the fact that the "group" is composed of 90% men.

      You mean two of his fingers are female?

      --
      "I say we take off, nuke the site from orbit. It's the only way to be sure."
    3. Re:I am on my Windows machine you insensitive clod by maxume · · Score: 1

      but your just dumbing down America

      Gold.

      --
      Nerd rage is the funniest rage.
    4. Re:I am on my Windows machine you insensitive clod by gzipped_tar · · Score: 1

      Well, I seemed to have forgotten that toes can also enjoy the right to involve in this activity. But 10% of a 21-member group is not quite an integer. But that's assuming there *are* ten fingers and ten toes.

      BTW: Am I being politically incorrect against community members who have an alternative amount of digits?

      --
      Colorless green Cthulhu waits dreaming furiously.
  3. Queue The DRM Critics by WrongSizeGlass · · Score: 3, Interesting
    FTFA

    SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the first time we have seen this level of control for malware.”

    I guess it was bound to happen ... you just can't trust anyone these days. I wonder if either of these 'kits' infects the computer that runs it? Would the authors ever infect their customers?

    1. Re:Queue The DRM Critics by scolbe · · Score: 2, Funny

      I wonder if either of these 'kits' infects the computer that runs it? Would the authors ever infect their customers?

      oh, don't worry about that... that's just their handy, no fuss zero-click payment system.

      --
      Lead me not into temptation... I can find it myself 8+)
    2. Re:Queue The DRM Critics by RobertLTux · · Score: 1

      Due to the more "Traditional Family Values" that can be found in those circles that kind of thing would be "unhealthy".

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  4. What...? by ProfessorKaos64 · · Score: 1

    How do these guys not get caught? I mean, can't federal agents just set up fake transactions if he's publicly selling it? I know I'm simplifying it, so I ask anyone here to explain maybe how complicated it may be.

    1. Re:What...? by Restil · · Score: 4, Informative

      Here's the problem:

      Assuming the people who wrote and sell this software reside in the US or some country which will happily extradite them for us, it's possible that what they're doing isn't technically illegal. They're not actually USING the software, just selling it. This is somewhat equivalent to someone selling lockpicks. Granted, this software probably has no legitimate purpose, except perhaps to be used for security audits or something. However, even if it IS illegal, to get the Feds involved will require an almost certain guarantee of conviction. They want a jury to be debating the length of the sentence, not whether or not the suspects are actually guilty or not. If there is enough legal doubt as to whether or not a crime was even committed, the Feds will be leery of even getting involved.

      So fine, let's pass a law making the creation and/or publication of software that has mostly malicious intent illegal. That'll be good... right? The only problem is, Congress gets to write that law. This means three things. First off, the law will likely be written in a way that is so vague that it ends up not only applying to the software in question, but half of the legitimate software ever written. Before you know it, all advertising, security software, operating systems other than Windows, and of course, the ping program, will now be considered illegal... technically. This means that the law will end up not being enforced. Next, they will be sure to word it in such a way as to render it unconstitutional, so next thing you know, the Supreme Court will tie it up for 10 years, and finally kill it. And finally, you can't pass a law without attaching a large number of completely unrelated riders, which will end up causing parties opposed to the riders to vote against and/or filibuster the bill, which causes the other side to insist that the opposing party WANTS people to have their banking credentials stolen... and so on.

      Anyways, to answer your question, Yes. You were simplifying it. It would be MUCH easier to just find a way to sneak a few images of child porn on one of their computers, and shut them down that way. THAT avenue at least seems to have no roadblocks.

      -Restil

      --
      Play with my webcams and lights here
    2. Re:What...? by ProfessorKaos64 · · Score: 1

      Perfectly answered everything. Thanks a million man, see people? There are people on Slashdot that aren't constant trolls :)

    3. Re:What...? by Anonymous Coward · · Score: 3, Insightful

      Look, I know the grandparent was just trying to help, but in real life people don't do things because of silly slippery-slope arguments.

      The reason that this is very hard for law enforcement to stop is because it is not being done by lone guys in their parents' basements, but because it is business. As a start, read "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants", http://cseweb.ucsd.edu/~savage/papers/CCS07.pdf

      You can buy lists of valid credit card numbers, botnets, root-kitted machines, almost anything. The people who sell this sort of stuff often don't even think of themselves as criminals, just businessmen. When selling rooted machines, they often are careful not to touch machines in their own country, so local law enforcement is unlikely to care, and to avoid things like child porn which the police will really come after them for.

      Now, say you are a typical American law enforcement guy and you find out that someone might be involved in this sort of stuff. What do you do? Well, citizens have been complaining about paying taxes so your budget is going to be pretty much nothing. You are also going to be evaluated on how many "bad guys" you catch. And you know that almost as soon as you start investigating, the trail is going to lead to some overseas servers, which means that you are going to have to get the cooperation of law enforcement in other countries. And you know that even if you get international cooperation, eventually the investigation is going to involve someplace where the local authorities don't care, and all your time will have been wasted. So, knowing this, are you going to spend your time starting the investigation? Or are you going to catch a bunch of petty thieves instead and get a nice bonus for stopping crime?

    4. Re:What...? by anarche · · Score: 1

      Well said, sir! Mod parent up!

      A law banning this would probably pass in Australia (don't start on the filter!). We ban sales of spray paint to minors (in case they graffiti), guns to non-farmers (in case they kill someone) etc.

      Just get your guys to sell a kit to an Aussie scriptkiddie, track em down (filter anyone?) then organise extradition to Down Under.

      --
      Wait! What's a sig?
  5. Malware competing with each other in the market... by gzipped_tar · · Score: 2, Funny

    ...is still much better than the idea of government-owned, tax-paid malware.

    --
    Colorless green Cthulhu waits dreaming furiously.
  6. Paraphrasing by DynaSoar · · Score: 1

    "What we need are a few good old fashioned hangings." -- FTC commissioner Orson Swindell at the first FTC spam conference. I'm looking forward to hearing about one of the organized-crime-associated bots getting whacked by one of the competition, and so the owners of the former return the favor to the author of the (temporary) victor. I suspect it's happened already, but not publicized. Sooner or later one will. Then we'll see some real cyberwarfare. You think the US government has got some cyberwarriors lined up? Fugidaboudit.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  7. Re:It's going to be fixed once it gets big enough. by Alex+Belits · · Score: 1

    there's no MITM that can work against that

    Of course, there is.

    Malware will just replace the account number used in a legitimate transaction with one of the scammer.

    --
    Contrary to the popular belief, there indeed is no God.
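The two comments above (Mattpw on SMS codes, Alex+Belits on malware swapping the beneficiary account number) describe the same weakness from two sides: a code that only proves you hold the phone or token does not prove which transfer you meant to approve. The following Python is an added illustration written for this page, not code from any poster or from any bank; the device secret, account numbers and amount are constructed placeholders. It contrasts an unbound one-time code with a code computed over the transaction details the customer actually saw (the "what you see is what you sign" idea), and shows that only the bound code fails verification when the submitted beneficiary has been altered in the browser.

```python
import hashlib
import hmac

# Constructed example secret: stands in for a key provisioned into the
# customer's out-of-band signing device. Hypothetical value, not a real key.
DEVICE_SECRET = b"constructed-example-device-secret"


def transaction_code(secret: bytes, beneficiary: str, amount_cents: int) -> str:
    """Code the signing device computes over the beneficiary and amount it displays.

    Because it is an HMAC over the transaction details, the code is only valid
    for exactly the account and amount the customer saw on the device screen.
    """
    msg = f"{beneficiary}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def unbound_otp(secret: bytes, counter: int) -> str:
    """A one-time code that depends only on a counter, like a plain SMS OTP.

    It proves possession of the phone or token but says nothing about which
    transfer the customer intended to authorise.
    """
    msg = f"counter:{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def bank_accepts_bound(secret: bytes, beneficiary: str, amount_cents: int, code: str) -> bool:
    """Bank side: recompute the code over the details the bank actually received."""
    expected = transaction_code(secret, beneficiary, amount_cents)
    return hmac.compare_digest(expected, code)


def bank_accepts_unbound(secret: bytes, counter: int, code: str) -> bool:
    """Bank side: an unbound OTP is checked without reference to the transfer."""
    expected = unbound_otp(secret, counter)
    return hmac.compare_digest(expected, code)


def simulate_transfer(browser_tampered: bool) -> dict:
    """Model one transfer; browser_tampered models malware swapping the beneficiary."""
    intended_beneficiary, amount_cents = "ACCT-LEGIT-0001", 125_000  # constructed values
    # The customer reads the intended details on the signing device and obtains both codes.
    bound_code = transaction_code(DEVICE_SECRET, intended_beneficiary, amount_cents)
    otp = unbound_otp(DEVICE_SECRET, counter=42)
    # What the bank receives from the (possibly compromised) browser session.
    submitted_beneficiary = "ACCT-MULE-9999" if browser_tampered else intended_beneficiary
    return {
        "bound_accepted": bank_accepts_bound(DEVICE_SECRET, submitted_beneficiary, amount_cents, bound_code),
        "unbound_accepted": bank_accepts_unbound(DEVICE_SECRET, 42, otp),
        "money_went_to": submitted_beneficiary,
    }


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "honest", simulate_transfer(tampered))
```

In the tampered run the unbound OTP still verifies, so the bank would pay the altered beneficiary, while the bound code is rejected because the HMAC no longer matches the submitted details. The same property is what makes a code forwarded through a redirected phone line worthless to an attacker: it only authorises the one transfer whose details the legitimate customer saw and approved.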
  8. Re:It's going to be fixed once it gets big enough. by Spiked_Three · · Score: 1

    Agreed. Right now, banks do what they can to take the easy road to money. For the most part that means accepting any transaction from anyone with no proof of identity or verification of authenticity on transactions. In specific, the credit card companies are the major source of easy money, and they are supplemented with the greed to make an additional transaction fee. In the US, go to your bank and ask 'who took my money?' At best you will get an 800 number to some robo-answering machine. There is no law or agreement that a bank has to tell you who they gave your money to.
    And as long as credit cards can absorb the stolen amounts, they are not going to require authentication, as it will inconvenience the consumer and hurt volume.
    It took many years for the recent credit rules to get through in the US that had some small dent on the corruptness of banks and credit cards in the US. But they did not go far enough. What used to be called loan sharking in the US is still legal for 'financial institutions'. We are supposed to elect politicians to represent us; what segment of the population was represented by making it 'illegal to charge huge interest rates for the loaning of money, except for financial institutions'? That is a blatant and obvious sign of how corrupt our political system has become.
    Just wait until the malware authors learn about lobbying.

    --
    slashdot troll = you make a compelling argument I do not like the implications of.