Slashdot Mirror


Large Zeus Botnet Used For Financial Fraud

An anonymous reader writes "A large Zeus version 2 botnet is being used to conduct financial fraud in the UK and is operated from Eastern Europe. The botnet appears to be controlling more than 100,000 infected computers. The criminals have been harvesting all manner of potentially lucrative and revenue-producing credentials — including online account IDs plus login information to banks, credit and debit card numbers, account types plus balances, bank statements, browser cookies, client side certificates, login information for email accounts and social networks, and even FTP passwords."

68 comments

  1. Oh no by Anonymous Coward · · Score: 5, Funny

    login information to banks, credit and debit card numbers, account types plus balances, bank statements, browser cookies, client side certificates, login information for email accounts and social networks and even FTP passwords

    I was not mad right up until that last one and even FTP passwords. They can have all that other crap but when they take my precious FTP password, and I use FTP for all my most critical-to-security internet functions, well...war on buddy.

    1. Re:Oh no by gad_zuki! · · Score: 2, Interesting

      How dare they capture my unencrypted logins?!?! Seriously, it's a shame SFTP or FTPS isn't more supported, and by 'more supported' I mean supported by IE and Firefox. I hate how adding encryption to FTP is suddenly "Whoa, whoa, whoa, we only provide basic support on browsers." Funny how they don't say the same thing about HTTPS.

    2. Re:Oh no by AndrewNeo · · Score: 3, Informative

      I don't know if you honestly expect Microsoft to add useful features to IE, but at least with Firefox that's what addons are for.

    3. Re:Oh no by gad_zuki! · · Score: 1

      Add-ons aren't a solution. Unless a huge install base has it then it's not worth using for a general audience. That's like saying "Here's an add-on for HTTPS, toodles!" At that point you might as well spend those 30 seconds just installing a stand-alone FTP client that supports FTPS/SFTP instead of trying to shoehorn it into the bloat that is your browser.

    4. Re:Oh no by datapharmer · · Score: 3, Insightful

      The browser support for ftp is typically intended for anonymous browsing. If you want full-fledged support for ftp and its secured variants get an ftp client. I don't complain that filezilla doesn't browse the web well...

      --
      Get a web developer
    5. Re:Oh no by gad_zuki! · · Score: 1

      This is the same mentality that keeps millions of smtp servers using unencrypted plain-text. I really don't think adding basic encryption should be seen as such an extravagant request. Unfortunately, a lot of people don't take security seriously and they are in charge of some pretty major corporations and popular products.

      >the browser support for ftp is typically intended for anonymous browsing.

      Except it's not. Even Firefox allows non-anonymous browsing (uses username/passwords) and IE can do uploads. For 99.9% of FTP users, the FTP client is the browser.

    6. Re:Oh no by orange47 · · Score: 1

      No, because when I see an ftp link to a file I want to click on it and it downloads, that simple. I don't want to start an ftp client, then decrypt javascript html to enter pass, change dir... for a single file. Damn, Firefox still doesn't support ACTIVE FTP grrrr

    7. Re:Oh no by hesaigo999ca · · Score: 1

      I tend to agree with the post post to your post....I think FF should come standard with that, the same as it does for https....you do not need to download an extra add-on for https, so why sftp?

    8. Re:Oh no by nstlgc · · Score: 1

      At that point you might as well spend those 30 seconds just installing a stand-alone FTP client that supports FTPS/SFTP instead of trying to shoehorn it into the bloat that is your browser.
      I think you just answered your own question.

      --
      I'm Rocco. I'm the +5 Funny man.
    9. Re:Oh no by cnastase · · Score: 1

      This is the same mentality that keeps millions of smtp servers using unencrypted plain-text. I really don't think adding basic encryption should be seen as such an extravagant request. Unfortunately, a lot of people don't take security seriously and they are in charge of some pretty major corporations and popular products.

      That's why you have PGP/Gnupg and the like. Besides, who has time to read someone else's mails? I barely have time to read my own!

      Except its not. Even Firefox allows non-anonymous browsing (uses username/passwords) and IE can do uploads. For 99.9% of FTP users, the FTP client is the browser.

      Blasphemy to be honest. Browsers are for por^H^H^Hbrowsing, get an FTP client for massive downloads. Soon you'll be asking for mail servers to allow you to send more than 5M attachments. Who do you think you are? Mooo

      --
      Born to raise hell.
  2. Again ... by krzysz00 · · Score: 4, Funny

    Breaking News: Another XXL botnet steals bank account numbers. However, the acquisition of emails and Facebook accounts is worrying.

    1. Re:Again ... by 1s44c · · Score: 1

      Breaking News: Another XXL botnet steals bank account numbers.

      However, the acquisition of emails and Facebook accounts is worrying.

      It's the bank login details that are worth money, not the facebook logins.

    2. Re:Again ... by krzysz00 · · Score: 1

      Breaking News: Another XXL botnet steals bank account numbers.

      However, the acquisition of emails and Facebook accounts is worrying.

      It's the bank login details that are worth money, not the facebook logins.

      Yeah, but Facebook and emails can be used for social engineering to gain more bank account numbers.

    3. Re:Again ... by oldspewey · · Score: 5, Funny

      Are you insane? With a facebook login, these people could mess with my FarmVille and CafeWorld apps.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    4. Re:Again ... by daem0n1x · · Score: 1

      Massive Financial Fraud? Wait until Wall Street gets their hands on this. It will be a boom!

  3. Version 2 Review -- Why upgrade? by Anonymous Coward · · Score: 5, Funny

    Zeus version 2

    So, like a good little early adopter, I upgraded and installed version 2 on my machine only to find that it was a huge bloated piece of crap. The original Zeus was so much more simple and elegant and now this thing is just chewing up cycles. Yeah, like the customer won't notice that. Seriously, all I wanted it to do was safely back up my bank statements to a remote server in case I lose them. And after the "Zeus Certified" debacle, I don't know who to believe when I ask "Will this computer run the simplest of viruses like Adobe PDF Reader?" Clearly Zeus is just a resource hog ... and looking forward at Version 3 (if it's even released on time) one wonders if they're even trying to build a quality botnet anymore. It's times like these that make you wonder if it's time to switch over to Mariposa ...

    1. Re:Version 2 Review -- Why upgrade? by Necroloth · · Score: 2, Funny

      You're right, it's gone downhill since v1. Seems they're running out of good programmers and are being led by business-types who are demanding quantity over quality.

  4. Which OS? by Anonymous Coward · · Score: 0

    Is this thing limited to Redmond Operating Systems?

    1. Re:Which OS? by fwarren · · Score: 2, Interesting

      Probably. Not that it is impossible for Mac OSX and Linux to be compromised. But right now the numbers show that almost all bot net activity comes from compromised Windows PCs.

      The average user wants to be able to use a computer like they use a car, or a door, or a toaster, or a toilet. No need for technical training, no cryptic messages, etc. The problem is a computer is not that kind of device. It is more like an aircraft. If you don't gain some level of technical expertise, it is easy to "crash and burn" the system.

      It is a crime to put John Q Public on the internet with a Windows PC. Watching it is like watching a baby seal be clubbed to death. They are helpless and have no clue the danger they are in.

      If the government, or banks, or anyone with a vested interest in the web being secure (let alone spam free) was serious, every user would be given a liveCD of some Linux to run on their computer to browse the internet.

      --
      vi + /etc over regedit any day of the week.
    2. Re:Which OS? by cdrguru · · Score: 2, Insightful

      Yes, but can you install WeatherBug on your Linux live CD? No? Then it isn't going to be of any use to the millions of housewives and grannies that have installed it.

      Seriously, a live CD is only of use if you don't want to save anything. And no, you aren't going to get people to boot into an unfamiliar environment to do banking or whatnot.

      The "other" problem is that what is really needed is an Internet Appliance for these folks. No software installs, no executable anything. It does email, web browsing, media playing and not much more. Sure, you probably want capacity to add sanctioned applications over time but it needs to operate a whole lot like an iPad - which pretty much is an Internet Appliance. This would be reasonable and could be extremely secure. More secure than the iPad is today as it has way too much capability of having stuff added to it that could be used to exploit it.

      We have known about the problem for at least 10 years but nobody has done anything real about it. WebTV and a couple of other devices tried, but they were pretty restricted and oriented towards dial-up access at the time. The iPad is the first such appliance that has come along and it will be a while before it can be seen how effective it is and what the acceptance is. Clearly, we need some more wireless devices that are "appliances" that offer a limited walled garden approach and are designed with the idea of being hack-proof from the beginning.

    3. Re:Which OS? by maxwell+demon · · Score: 1

      The average user wants to be able to use a computer like they use a car, [...]. No need for technical training

      You got your driving license without any technical training?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:Which OS? by ColdWetDog · · Score: 2, Funny

      You got your driving license without any technical training?

      The vast majority of (at least US) drivers certainly act like they found a driver's license at the bottom of their Cocoa Puffs box.

      --
      Faster! Faster! Faster would be better!
    5. Re:Which OS? by GeorgeS · · Score: 1

      yup...I didn't have to learn how to gap a spark plug or change the oil or any of that fun stuff. Just had to learn how to "point" the wheels and "click" the right pedals.

      --
      "I'd rather have a bottle in front of me than have to have a frontal lobotomy."
    6. Re:Which OS? by fwarren · · Score: 2, Insightful

      Yes I did. I was not required to learn anything at all about the engine of the car. There is not even a requirement to understand the lights that say "check engine" or "oil". How many RPMs are bad for the car? What should my tire pressure be? How do I open the hood? None of those things are requirements.

      Knowing how to open the door, operate the gas/brake, read the stuff in the dash, that is about the same as "put a CD in" or "click on that icon there."

      There is a requirement on how to operate a car. Not how to build, fix, troubleshoot, or maintain one.

      --
      vi + /etc over regedit any day of the week.
  5. I predicted this by 1s44c · · Score: 4, Insightful

    Botnet herders have access to a very large number of computers, it was only a matter of time until they realized that the data on these computers is worth far more than the few pence they are making from Viagra spam and blackmailing gambling sites with DDOS attacks.

    1. Re:I predicted this by JohannesJ · · Score: 1

      I'd like to know the 'security savvy' level of the infected users. Did they surf with administrator credentials? Follow email links and foolishly install? Had no anti-virus? And what OS version and patch level? Did they all use one particular program which led to their being compromised?

    2. Re:I predicted this by Delarth799 · · Score: 3, Insightful

      Usually people who end up infected with this sort of stuff are the same people who ignore the patches and updates for the operating system, which usually happens to be Windows. They almost never download and install the updates because it slows down their web browsing or whatever, and to them they just see it as an annoyance. They likely have only the most basic of anti-virus software installed and never actually bother to run it, or they just don't have anything at all. They click on ads left and right because it says "free download" or some other crap, and they probably wouldn't know that the advertisement for free wallpapers or whatever could do anything bad to their computers. The people who usually get infected are the same across the board, sadly enough: they don't care to take a few basic steps to protect themselves and take the 20 minutes or so to just get some good anti-virus software on their computer and run it once a week, or not open and download every advertisement they see and click on every link in every email they get, which is probably where most of them get infected from. Now I am sure there are a small percentage who are very tech and security savvy and take good measures to stop infections and whatnot and something may have slipped through, but again that's likely a very small percentage.

    3. Re:I predicted this by moreati · · Score: 2, Informative

      You do realise this isn't the first instance? Botnets have been installing key loggers and stealing sensitive data for years now. Credit card numbers harvested thus sell for a few dollars/thousand.

    4. Re:I predicted this by Anonymous Coward · · Score: 3, Insightful

      They simply did like my wife and my mother-in-law, they pressed "okay" when the pop-up came asking them to install this weird executable that they didn't ask for. They just wanted the pop-up to go away, you see.

      Firewall, anti-virus, tea-timer, a host of other security measures... but you can't fix the user.

    5. Re:I predicted this by Anonymous Coward · · Score: 1, Interesting

      Should it matter? Dell and Best Buy didn't educate them about the security hazards of using Microsoft Windows(R).

      Is it BMW's (and their dealers) responsibility to tell the buyer of any operability issues inherent in the car before purchase?

      Yes.

    6. Re:I predicted this by orange47 · · Score: 1

      gee, no shit, sherlock.. except when they get caught for this (and some surely will) it won't be the same situation as with viagra spam.

    7. Re:I predicted this by ralphdaugherty · · Score: 1

      Botnet herders have access to a very large number of computers, it was only a matter of time until they realized that the data on these computers is worth far more than the few pence they are making from Viagra spam and blackmailing gambling sites with DDOS attacks.

      I happened to be working on my site at 4am (EDT) this morning and got hit simultaneously by several bots that turned out to be from major US universities. Not only do they own university networks, but use them to recruit others, so to speak.

      rd

  6. That's awesome, but... by Securityemo · · Score: 1

    One detail in the report struck me: the claim that they capture all web traffic and store it in an SQL server w/ a search frontend at CNC. This is evidently unfeasible, they would have to filter out only data posted into forms and the like. It would have been helpful had the report told about what "shape" this data took, what kind of auth mechanisms were leeched from. They had no whitepaper/analysis on their website, but there was this OS distribution pie chart: http://www.trusteer.com/sites/default/files/ZeusbotnetOSstats.jpg
    Still, imagine having a line into that kind of setup, on a pay per-password-search basis.

    --
    Emotions! In your brain!
    1. Re:That's awesome, but... by Anonymous Coward · · Score: 0

      No Windows 7, No OS X, No Linux?

      Surprisingly, as all new machines are OS X or Windows 7 and MSFT have pushed out a tonne of updates to Windows 7 for diff checking.

    2. Re:That's awesome, but... by RivenAleem · · Score: 2, Funny

      As a precaution I've changed all my passwords to "DROP TABLE Stolen Data"

    3. Re:That's awesome, but... by Anonymous Coward · · Score: 0

      You're doing it wrong, it's:

      x'; DROP TABLE Stolen Data; --

    4. Re:That's awesome, but... by RivenAleem · · Score: 2, Interesting

      On a side note, it would be interesting to use x'; DROP TABLE Passwords; -- as my actual password for email, banking etc, and see if A) my password is hashed for that site, and B) if it destroys their databases
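
A worked check of the question above, added here as an example and not part of the thread: it uses Python's sqlite3 module against a constructed schema (the user, tables, and hashing parameters are all made up for the demo) and shows what each payload actually does to a login query written with string formatting, and why a login that hashes the password and uses bound parameters is unaffected either way.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD_FROM_THREAD = "x'; DROP TABLE Stolen Data; --"  # exactly as posted above
PAYLOAD_STACKED = "x'; DROP TABLE stolen_data; --"      # same idea, one valid identifier
PAYLOAD_BYPASS = "' OR '1'='1"                          # the classic auth bypass


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed schema: 'alice' stored in plaintext for the vulnerable app,
    salted+hashed for the fixed one, plus the table the joke wants to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users_plain (name TEXT, pw TEXT);"
        "CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB);"
        "CREATE TABLE stolen_data (blob TEXT);"
    )
    conn.execute("INSERT INTO users_plain VALUES ('alice', 'correct horse')")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_pw("correct horse", salt)))
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    """String-formatted query: whatever the user typed is parsed as SQL."""
    sql = (f"SELECT count(*) FROM users_plain "
           f"WHERE name = '{name}' AND pw = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_vulnerable_multi(conn, name: str, password: str) -> None:
    """Same bug through an API that runs several statements (executescript here,
    multi-statement mode on other drivers): the injected DROP TABLE executes."""
    sql = (f"SELECT count(*) FROM users_plain "
           f"WHERE name = '{name}' AND pw = '{password}'")
    conn.executescript(sql)


def login_safe(conn, name: str, password: str) -> bool:
    """Fixed: parameterised lookup, and the password is hashed before comparison,
    so nothing the user typed ever reaches the SQL parser."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_pw(password, salt))


def table_exists(conn, table: str) -> bool:
    row = conn.execute("SELECT count(*) FROM sqlite_master WHERE name = ?",
                       (table,)).fetchone()
    return row[0] == 1


def run_demo() -> dict:
    """Run each case and return the outcomes so they can be checked."""
    out = {}
    conn = make_db()
    # 1. always-true WHERE clause: the vulnerable app lets the attacker in
    out["bypass_vulnerable"] = login_vulnerable(conn, "alice", PAYLOAD_BYPASS)
    out["bypass_safe"] = login_safe(conn, "alice", PAYLOAD_BYPASS)
    # 2. stacked query through execute(): the driver refuses a second statement
    try:
        login_vulnerable(conn, "alice", PAYLOAD_STACKED)
        out["stacked_single_stmt"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["stacked_single_stmt"] = "refused"
    out["table_after_single"] = table_exists(conn, "stolen_data")
    # 3. the thread's exact payload: 'Stolen Data' is two tokens, a syntax error
    try:
        login_vulnerable_multi(conn, "alice", PAYLOAD_FROM_THREAD)
        out["thread_payload"] = "executed"
    except sqlite3.OperationalError:
        out["thread_payload"] = "syntax error"
    out["table_after_thread_payload"] = table_exists(conn, "stolen_data")
    # 4. a valid identifier through a multi-statement API: the table is gone
    login_vulnerable_multi(conn, "alice", PAYLOAD_STACKED)
    out["table_after_multi"] = table_exists(conn, "stolen_data")
    # 5. the hashed, parameterised login is unaffected by any of it
    out["safe_correct"] = login_safe(conn, "alice", "correct horse")
    out["safe_stacked"] = login_safe(conn, "alice", PAYLOAD_STACKED)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

So the answer to (A) is that a site which hashes the password never puts the raw string near SQL at all, and to (B) that the posted payload does nothing even on a vulnerable site: the space in the table name is a syntax error, and most drivers refuse a second statement in a single execute() anyway. It only bites when the application runs multi-statement SQL with a correctly guessed identifier.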

    5. Re:That's awesome, but... by Securityemo · · Score: 3, Insightful

      Anyone doing that would be liable ten ways till Sunday. Anyone doing that to several banks would be called "A one-man super-hacker ring bent on destroying the western economic system."

      --
      Emotions! In your brain!
    6. Re:That's awesome, but... by Necroloth · · Score: 0, Redundant

      oblig XKCD strip

    7. Re:That's awesome, but... by Anonymous Coward · · Score: 0

      Woosh!

  7. Always wondering... by euyis · · Score: 2, Interesting

    How do the criminals process all the information and filter out the valid ones?
    Considering all these weird captchas on the login pages, I don't think it's possible to check every collected bank account automatically, and doing that manually would be too tiring.

    1. Re:Always wondering... by Securityemo · · Score: 2, Insightful

      Too tiring - compared to what?

      --
      Emotions! In your brain!
    2. Re:Always wondering... by Sockatume · · Score: 1

      Not all services use captchas. I'd guess that most assume that if you're a bot trying to log in, you will make multiple attempts and can be locked out of making further attempts. How many architects would think to protect against automated entry of the correct credentials?

      --
      No kidding!!! What do you say at this point?
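
A worked version of the control the comment above says architects forget, added here as an example and not taken from the thread: two detections run over a constructed auth log (the hosts, users, addresses, and line format are all made up). The first is the usual per-account lockout rule. The second flags a single source address that logs in successfully to many different accounts inside a short window, which is what replay of harvested credentials looks like and what a failed-attempt counter never sees, because every attempt succeeds on the first try.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system).
SAMPLE_LOG = """\
2010-08-05T04:00:01Z login ok   user=alice  src=203.0.113.7
2010-08-05T04:00:19Z login ok   user=bob    src=203.0.113.7
2010-08-05T04:00:44Z login ok   user=carol  src=203.0.113.7
2010-08-05T04:01:02Z login ok   user=dave   src=203.0.113.7
2010-08-05T04:01:30Z login ok   user=erin   src=203.0.113.7
2010-08-05T04:02:11Z login ok   user=frank  src=203.0.113.7
2010-08-05T04:02:15Z login fail user=victim src=192.0.2.9
2010-08-05T04:02:16Z login fail user=victim src=192.0.2.9
2010-08-05T04:02:17Z login fail user=victim src=192.0.2.9
2010-08-05T04:02:18Z login fail user=victim src=192.0.2.9
2010-08-05T04:02:19Z login fail user=victim src=192.0.2.9
2010-08-05T08:00:00Z login ok   user=gina   src=198.51.100.2
2010-08-05T09:30:00Z login ok   user=hank   src=198.51.100.2
2010-08-05T11:45:00Z login ok   user=ivan   src=198.51.100.2
2010-08-05T13:00:00Z login fail user=gina   src=198.51.100.2
2010-08-05T13:00:20Z login ok   user=gina   src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+login\s+(?P<result>ok|fail)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def lockout_hits(events, max_failures=5, window=timedelta(minutes=10)):
    """The classic control: (src, user) pairs with >= max_failures failed
    attempts inside a sliding window. Catches guessing, not replay."""
    fails = defaultdict(deque)
    hits = set()
    for ts, result, user, src in sorted(events):
        if result != "fail":
            continue
        q = fails[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            hits.add((src, user))
    return hits


def many_accounts_one_source(events, min_accounts=5, window=timedelta(minutes=10)):
    """The missing control: one source that logs in *successfully* to at least
    min_accounts distinct accounts inside a sliding window. Returns
    {src: sorted accounts seen in the offending window}. A shared NAT address
    with a handful of users spread over hours stays below the threshold."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) successes
    flagged = {}
    for ts, result, user, src in sorted(events):
        if result != "ok":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged[src] = sorted(users | set(flagged.get(src, [])))
    return flagged


def analyse(text):
    events = list(parse_log(text))
    return {
        "lockouts": lockout_hits(events),
        "credential_use": many_accounts_one_source(events),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, the lockout rule fires only on the brute-forcer (192.0.2.9 hammering one account), and the second rule fires only on 203.0.113.7, which never failed once but walked through six accounts in two minutes. Tune the window and threshold against the real mix of NAT and proxy traffic before alerting on it.
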
    3. Re:Always wondering... by mcgrew · · Score: 1

      Do you have any idea how big a computer a large botnet makes?

  8. Time to go back to phone banking by davidwr · · Score: 3, Insightful

    Hmm maybe we should go back to phone banking. It's not like phones can be easily hacked to sniff passwords.

    Oh wait, I forgot, we aren't in the 1980s any more. Nevermind.

    I think I'll do my business in person now. I'll just have to make sure the Russian Mafia doesn't set up a look-alike storefront down the street that looks like my bank's latest branch office.

    Sigh.

    Well, at least I know my currency is real.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Time to go back to phone banking by Anonymous Coward · · Score: 0

      Umm, using an ATM is not banking "in person" and a fake ATM is not a "look-alike storefront that looks like your bank's latest branch office".

    2. Re:Time to go back to phone banking by Anonymous Coward · · Score: 1, Informative

      The nice grandparent poster referred to the fake ATM as an example of the kind of thing that the Russian Mafia does, and implied that they might set up a fake branch office next. I believe it was a humorous exaggeration.

  9. Conficker design is second to none by Anonymous Coward · · Score: 5, Funny

    Mariposa is just as bloated - if not more so.

    Not only that, it's less secure because it doesn't have a "benevolent dictator" calling the shots design-wise.

    I'm running Conficker and it's been working like a charm. Granted, its market share is not that great, and as long as you hold the mouse the right way, it "just works".

    Honestly, I think this will be the year of the Conficker. Mariposa and Zeus are just too behind the curve.

  10. No shit by PPalmgren · · Score: 1

    Really? Botnet used for financial gain, just like every other botnet in the past decade?

    I'm flabbergasted!

  11. Re:It's RUSSIA you fucking DWEEB !!!! by Threni · · Score: 2, Informative

    > Eastern Europe? What the fuck is this "Eastern Europe"? Have you ever been to the "Western Europe?" You are one fucking asshole, dweeb !!

    Uh.. I'm in the UK, which is in Western Europe. This botnet is believed to be operated from the Ukraine, amongst other places, and Ukraine is in Eastern Europe. Got it now?

  12. Well my machine is safe by countertrolling · · Score: 3, Funny

    I do all my banking at an internet cafe

    --
    For justice, we must go to Don Corleone
  13. Large? I'll show you large! by Impy+the+Impiuos+Imp · · Score: 2, Insightful

    Large Zeus Botnet Used For Financial Fraud

    The botnet appears to be controlling more than 100,000 infected computers

    Is that really large nowadays?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  14. Pardon me, I have to ask... by Xaedalus · · Score: 2, Funny

    If you want Linux, Ubuntu, and the rest of the free OS's to stay superior and exploit-free, then why on earth would you ever want mainstream acceptance of said OS's? Wouldn't Linux et al. going mainstream and replacing Windows/OSX mean that the botnets (and their owners) and scriptkiddies would then change their tactics to exploit whatever's currently dominant in market share?

    If I were you, I'd be praying to the FSM for Windows/MS to stay dominant forever, just so that you could continue to use Linux without fear of someone writing script specifically to target YOUR OS's weaknesses. But that's just me

    --
    Here's to hot beer, cold women, and Glaswegian kisses for all.
    1. Re:Pardon me, I have to ask... by Shompol · · Score: 1, Funny

      Wouldn't Linux et all going mainstream and replacing Windows/OSX mean that the botnets (and their owners) and scriptkiddies would then change their tactics

      Yes, they would, but with two orders of magnitude less success. You see, Windows is a crapware operating system built on the cheap, somewhat based on DOS. Redmond's strong point is marketing, not quality. With closed source code you are guaranteed that security holes will be found perpetually, because not as many people can review the code.
      On the other hand, Linux is based on UNIX, where even the file system had a built-in security system, while DOS was happily crashing the whole OS when your current app went down.

      you could continue to use Linux without fear

      A little beside the point, but being a nerd, I will move on to the next fledgling technology when Linux (or another GNU OS) becomes dominant, and I don't doubt that it will happen.

    2. Re:Pardon me, I have to ask... by jbeach · · Score: 4, Insightful

      It seems clear to my personal experience, and friends of mine who are in computer security, that OS X and Linux are orders of magnitude more secure than Windows.

      While I'm sure OS X and Linux can be exploited, I think we'd all be far safer if they were adopted to anywhere near the ubiquity of windows. And who knows? That may be soon, if Google apps and other productivity software is available for free or cheap as compared to Windows, and its current lock on business drone software.

      --
      The Invisible Hand of the Free Market is what punches workers in the nuts.
  15. FTP by davidwr · · Score: 1

    I keep my Financial Password Protocol password written down on a piece of paper, locked securely in a safe-deposit box in one of Warsaw's larger banks.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:FTP by Anonymous Coward · · Score: 0

      You moron, you couldn't even get the initialism right. FTP, not FPP. Good job!

    2. Re:FTP by Anonymous Coward · · Score: 0

      I don't know why but I lol'd.

    3. Re:FTP by Anonymous Coward · · Score: 0

      thank you, now we at least know where to start searching!

  16. Oh no!! by Anonymous Coward · · Score: 0

    Bankaccount details, ID details, I don't care about.
    But even FTP passwords?

  17. Eastern Europe by ThatsNotPudding · · Score: 2, Funny

    Given that virtually every botnet seems to originate in Eastern Europe, I can only assume that neck of the woods is now an endless tableau of McMansions, world-class prostitutes, and Mercedes dealerships.

  18. Conficker Fanboy! by BigSes · · Score: 3, Funny

    I'm sick and tired of all these Conficker fanboys. You sit and talk about your botnet being so great because it's open source, and you can expose your information to any malicious actions you choose, big deal! I'll take my Mariposa walled garden any day, at least I know that I can give up my SSN, mother's maiden name, and current home address and I know it will "Just Work" when it comes to stealing my data.

    1. Re:Conficker Fanboy! by oldspewey · · Score: 3, Funny

      If anybody needs proof that Mariposa is the superior botnet just ask yourself this question: is anybody lining up for 12 hours in the rain to get trojaned by anything else?

      Exactly

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
  19. CUZ THAT IS ALL THEY KNOW TO DO by Anonymous Coward · · Score: 0

    We are fucking scoundrels, thieves, and third-world scum of the earth. Donchano? We are EASTERN EUROPEONS! I surely take from you for it longs to be mine. Thank you for your support!

  20. 1996 called by Anonymous Coward · · Score: 0

    they want their botnet ideas back.