Slashdot Mirror


Zeus Attackers Turned the Tables On Researchers

ancientribe writes "The attackers behind a recent Zeus Trojan exploit that targeted quarterly federal taxpayers who file electronically also set up a trap for researchers investigating the attack as well as their competing cybercrime gangs. They fed them a phony administrative panel with fake statistics on the number of Zeus-infected machines, as well as phony 'botnet' software that actually gathers intelligence on the researcher or competitor who downloads it."

119 comments

  1. Why can't we have commercial software like this? by mlts · · Score: 5, Insightful

    I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out? Of all the categories of software (games, utilities, Office suites), malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables that ever hit a CPU on the planet.

  2. Deviously creative, but... by Arancaytar · · Score: 2, Insightful

    Come on, who wouldn't have thought of that?

    1. Re:Deviously creative, but... by somersault · · Score: 2, Insightful

      All the other groups who run botnets, apparently.

      --
      which is totally what she said
    2. Re:Deviously creative, but... by Anonymous Coward · · Score: 0

      Schools today help those that fit a certain pattern, and as time passes that pattern becomes more and more finite. It's also the reason why innovation is so slow today. IT geeks today are either self-taught or school bred. Meaning those self-taught crackers are not limited by the school they were formed like the researchers. IT is probably the only field in existence where self-taught is better than school.

    3. Re:Deviously creative, but... by halivar · · Score: 1

      The researchers weren't fooled for long. While crafty, this sort of thing can only work once: the researchers now know to look for this sort of thing, and are less likely to be fooled a second time. Also, the data collected may be of questionable value.

    4. Re:Deviously creative, but... by Monkeedude1212 · · Score: 2, Insightful

      Point is though - the bot net operators now know who is gunning for them. This is a disadvantage for the researchers, it'll make it harder for them to track down the operators.

    5. Re:Deviously creative, but... by thijsh · · Score: 1

      How would you know? Maybe they just did a better job and still have those researchers fooled.

    6. Re:Deviously creative, but... by somersault · · Score: 1

      I did say "apparently", which means "appearing as such but not necessarily so".

      --
      which is totally what she said
  3. I almost admire them by tygerstripes · · Score: 3, Insightful

    The devious, insidious bastards. It's exactly the sort of thing your average armchair-spamming-fantasist would concoct before decrying that the world is full of idiots and they would make a much better criminal, if only they had the time to learn how to code. I mean, it's creative and ridiculous on a par with bad-scifi plot twists.

    A bit scary but, well, I'm impressed.

    --
    Meta will eat itself
    1. Re:I almost admire them by AnonymousClown · · Score: 4, Funny

      I mean, it's creative and ridiculous on a par with bad-scifi plot twists.

      Bad sci-fi? I was thinking more of a Hollywood movie. The hero, a very smart well dressed man in some secret spy agency, let's say MI6, goes after the coders. Now, after using all of his super secret gadgets to infiltrate the hackers' headquarters, he's caught. BUT one of the hackers likes him and she becomes his ally, let's call her Boobies Mucho (She's Latina). Now Boobies frees this secret agent only for both of them to get caught, tied up, and hung over a tank of mutated guppies. These guppies have big teeth! And as an added bonus, have masers strapped on their heads - that's right microwave lasers! But they escape, and this secret agent finds and sets the destruct button on all of their computers - that's right, they're Dells and it's the power buttons!

      The marines show up and they have a shoot out while all the Dells are going up in explosions! The secret agent then sleeps with the ex-hacker and we're done.

      --
      RIP America

      July 4, 1776 - September 11, 2001

    2. Re:I almost admire them by noidentity · · Score: 2, Interesting

      I hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from you. Everyone else is an AI, including me.

    3. Re:I almost admire them by MRe_nl · · Score: 1

      Maybe they've unfrozen Boris Grishenko...
      http://www.youtube.com/watch?v=0c0K5SZNvWc

      Do you think he might have served as a role model for some Russians?

      On a more serious note, this just tells us
      a: avoid/do not pay taxes.
      b: don't trust people claiming to be the government.
      c: delete all emails unopened.

      so what's new?

      --
      "Kill 'em all and let Root sort 'em out"
    4. Re:I almost admire them by Speare · · Score: 4, Funny

      I hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from you. Everyone else is an AI, including me.

      What makes you feel like you must hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from me. Everyone else is an AI, including you?

      --
      [ .sig file not found ]
    5. Re:I almost admire them by Anonymous Coward · · Score: 0

      Needs more "I'm inwincinble!".

    6. Re:I almost admire them by machco · · Score: 1

      That's clever, Eliza

    7. Re:I almost admire them by Anonymous Coward · · Score: 0

      My girlfriend is Latina and she is in no way well endowed, you insensitive clod!

    8. Re:I almost admire them by Anonymous Coward · · Score: 4, Funny

      This being Slashdot, the obvious reason is that you underinflated her...

    9. Re:I almost admire them by daremonai · · Score: 4, Insightful

      the whole Slashdot site is a fake, designed to get insightful comments from you.

      Ha! I've outsmarted you, then. My comments are never insightful!

    10. Re:I almost admire them by StikyPad · · Score: 1

      ...and we're spent.

      Fixed that for you. You had me at Boobies.

    11. Re:I almost admire them by The+Archon+V2.0 · · Score: 1

      I hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from you. Everyone else is an AI, including me.

      What makes you feel like you must hesitate to reveal that the whole Slashdot site is a fake, designed to get insightful comments from me. Everyone else is an AI, including you?

      Wow. This explains why people keep typing racist and sexist posts just to see what response they get.

    12. Re:I almost admire them by Gofyerself · · Score: 1

      Make a screenplay out of this blurb and Hollywood will pay gazillions for it.

    13. Re:I almost admire them by AltairDusk · · Score: 1

      But I just read that everyone except me is an AI so your comments don't need to be insightful. Of course when you read his post you would interpret that I am an AI, so assuming he was stating the truth the only logical conclusion is that we are all AIs and thus the entire site is pointless!

    14. Re:I almost admire them by Synthlight · · Score: 1

      Are you a human pretending to be a computer? Or just a computer? I can't tell!

    15. Re:I almost admire them by Anonymous Coward · · Score: 0

      Foiled.

    16. Re:I almost admire them by daremonai · · Score: 1

      You've won this round, mods. But I'll be back. And less insightful than ever!

  4. Attack launched from a random email by digitaldc · · Score: 2, Interesting

    The lesson is for people (including researchers) to be more skeptical of who is sending you email and what it contains.
    If they had realized the email was fake and deleted it, this attack would not have worked.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  5. Re:Why can't we have commercial software like this by miffo.swe · · Score: 3, Informative

    Because they have an incentive your normal software manufacturer doesn't have. It has to work as supposed to it has to ship.

    Give current software companies a reason to code properly and the quality will take a big jump with almost no effort at all. Like, I don't know, any guarantees whatsoever the stuff works?

    --
    HTTP/1.1 400
  6. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    This only happens when the coders profit directly from their work. As long as they're paid a salary to crank out code for someone else, they'll only do what they have to.

  7. The bad news about internet crime by QuantumBeep · · Score: 3, Insightful

    The bad news about botnet operators, malware authors, and other black hats: they aren't stupid.

    1. Re:The bad news about internet crime by Tridus · · Score: 3, Insightful

      It's natural selection in action. We catch and punish the stupid criminals more often, which allows the smart ones to thrive.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:The bad news about internet crime by v1 · · Score: 3, Insightful

      The bad news about botnet operators, malware authors, and other black hats: they aren't stupid.

      And the worse news: we ARE

      and that's why they're in business.

      --
      I work for the Department of Redundancy Department.
    3. Re:The bad news about internet crime by delinear · · Score: 1

      Not so much stupid (although I don't doubt a lot of people are), it's more that these attacks are so unrelenting, a person only needs to drop their guard once, at the wrong time, to get stung. It's pretty hard for even those aware of such attack vectors (such as researchers in the area) to be perpetually vigilant.

    4. Re:The bad news about internet crime by Kjella · · Score: 3, Insightful

      No, we're not. But the rest of us are busy trying to get things done, not play a battle of wits with black hats. It's another one of the time thieves that prevent people from actually performing work and earning money, that you just want to deflect with the least amount of hassle and cost. More often than not that's not about a head-to-head comparison, it's just about being a harder, lower profit than the rest.

      I've talked to people working for rather large companies and in the end they are simply amoral. If they can increase profits by a million through lowering security so they make two million in extra income and lose one million to black hats, they don't care about the morality of it. Catching criminals is really only relevant if you can set examples that lead to fewer attacks which has a dollar value.

      If it was all about security we'd all be running OpenBSD and those who made Acrobat Reader would be put to the wall and shot. That is not how the world works, even for us regular users it's about usability and "good enough" security. Not that I like to have my computer hacked and my identity stolen, any more than I want a burglar to rob me. But I don't live in a bunker with vault doors either.

      --
      Live today, because you never know what tomorrow brings
    5. Re:The bad news about internet crime by Anonymous Coward · · Score: 0

      Yes and no. They named the directory 'fake admin'. That was really stupid. Had it just been named admin, it may have taken longer for people to notice that it is a fake interface.

    6. Re:The bad news about internet crime by Domint · · Score: 1

      . . . it's about usability and "good enough" security . . .

      If I had any mod points, I'd give 'em to you for this comment alone. Security is not about actually being impervious to attack. It's about making yourself or your assets appear to be a less-than-appealing target to hopefully force any would-be "villain" to chase after lower-hanging fruit. If someone is seriously gunning for something you have they'll find a way to get it, regardless of the barriers presented.

    7. Re:The bad news about internet crime by RightSaidFred99 · · Score: 1

      Nor are they geniuses. The professionals arrayed against them will always win. It's simple, really. If you were that good you wouldn't be a criminal.

      Nowadays they can write big malware in high level languages, none of what they're doing is that hard especially considering most of them don't spread by obscure exploits in the OS but instead by "Durr, run this and watch the cool video of the cat dressed as a sheep!" type mails with dumb users actually running it.

      Seriously, if you can just get 100k people to run a program you send them, developing malware is easy shit.

  8. Common security tactic, reversed use... by thijsh · · Score: 3, Insightful

    So, you could call this a researcher honeypot... and apparently these guys got caught with their hand in the honey. Is it really a surprise after this tactic has been used by security researchers for over a decade?

    1. Re:Common security tactic, reversed use... by rakuen · · Score: 1

      Well, in a way, yes. You see, the timing is key in something like this. We haven't heard of other botnets doing this in the past. A solid reason for this is you lose the element of surprise. Once you recognize something can occur, you tend to plan for its occurrence better. Because this reverse honeypot hasn't really been done before, the Zeus authors managed to gather a quantity of data from researchers that they can use to further improve their botnet, not to mention rival botnets. Had it been done before, the trap would have been much less successful, if it wasn't just at the top of the list of things to check for and circumvent.

    2. Re:Common security tactic, reversed use... by thijsh · · Score: 1

      It might have been done before and never been detected... But you are right, the security researchers would now know to check. But then again any good security researcher would only touch the malware with a 10 foot insulated pole to begin with.

    3. Re:Common security tactic, reversed use... by rakuen · · Score: 1

      Well, I see them with an obvious problem in this case. You'd definitely want to gather information on this in a closed environment. Unfortunately, unless you can manage to create a botnet of your own, you're going to have to connect to the Internet eventually to try to harvest data, especially practical data. Bang. You're done.

      Of course, I'm no security expert, but that's just the way I see it.

    4. Re:Common security tactic, reversed use... by thijsh · · Score: 1

      Isolated VMs can have an isolated uplink too... No need to expose any systems or data.

    5. Re:Common security tactic, reversed use... by rakuen · · Score: 1

      But that would still expose the isolated VMs and whatever data might be on them, correct? I mean, if the program on the VM is collecting data, which seems to be the case, then even with an isolated uplink, that data is still available.

    6. Re:Common security tactic, reversed use... by gsslay · · Score: 1

      If you RTFA you'd see we have no idea how many they caught by this trick, but it wasn't "these guys". They didn't get caught. If they had got caught they'd probably not know it, and wouldn't be in a position to tell anyone about it. That's how honeypots work.

      So really the more accurate title for this article would be "Zeus Attackers Tried To Turn the Tables On Researchers". Which isn't nearly as clever.

  9. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out? Of all the categories of software (games, utilities, Office suites), malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables that ever hit a CPU on the planet.

    Autocratic program management and immediate, process-lethal negative feedback.

    And like any high impact criminal activity, vast egotism in clever design and ultimate control.

  10. Re:Why can't we have commercial software like this by ObsessiveMathsFreak · · Score: 4, Insightful

    You can't get it because you are unable or unwilling to pay top dollar for quality software that works. By contrast Botnet owners, Wall St firms, and the Chinese government are willing to pay top dollar for software which functions perfectly and reliably and indeed do so.

    It should also be noted that when software companies attempt to cross such buyers by providing less than stellar product, they tend to end up regretting it. The average user by contrast keeps buying Windows, Office, Norton and DVD codec software no matter how much they get burned. The incentive to produce quality software for the general user simply doesn't exist.

    --
    May the Maths Be with you!
  11. Let me get this straight... by Mister+Fright · · Score: 4, Funny

    So, you can't trust software from malware vendors?

    1. Re:Let me get this straight... by a_n_d_e_r_s · · Score: 1

      Correct, this shows you can't trust software from anyone who makes software for purely commercial interests with closed source.

      Stick to free software.

      --
      Just saying it like it are.
    2. Re:Let me get this straight... by The_mad_linguist · · Score: 1

      Malware producers give out their software for free.

    3. Re:Let me get this straight... by Cro+Magnon · · Score: 1

      Actually, I tend to trust the malware vendors more than I do the anti-malware vendors *cough*Norton*uncough*

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    4. Re:Let me get this straight... by John+Hasler · · Score: 1

      But it isn't Free.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      Pray for the dawn of a GNU age where we are free of these closed-source commercially interested heretics!

  12. Re:Why can't we have commercial software like this by rastilin · · Score: 3, Insightful

    That's a very good point. Pretty much every piece of software out these days has a EULA declaiming responsibility for anything that happens with the software, up to and including serious financial harm. If your toaster catches fire and destroys something, you would obviously expect the people who made it to be held liable; not so with software. If Communism proved anything it's that if you uncouple effort from reward, people won't go the extra mile (and spend money to get there).

    --
    How do you kill that which has no life?
  13. Re:Why can't we have commercial software like this by Desler · · Score: 2, Insightful

    Pretty much every piece of software out these days has a EULA declaiming responsibility for anything that happens with the software, up to and including serious financial harm.

    And just like with pretty much every piece of open source software as well?

  14. Re:Why can't we have commercial software like this by Nadaka · · Score: 3, Informative

    This isn't really the case. Often we face the situation where we can either not get management to allocate time to fix something, or permission to merge an existing fix into the main branch. A lot of bugs are known and developers want to fix them, but can't.

  15. Re:Why can't we have commercial software like this by Dunbal · · Score: 1

    but why can't we have commercial software that we pay for this well thought out?

    What, you think your commercial software isn't covertly tracking you and gathering data on you?

    I invite you to look at your TCP connections and all those instances of svchost.exe running on your system... and you never had to click "Allow" to let them communicate over the net.

    --
    Seven puppies were harmed during the making of this post.
  16. Re:Why can't we have commercial software like this by miffo.swe · · Score: 3, Insightful

    It has nothing to do with the cost of the software. Extremely expensive enterprise software is often just as crappy as any cheap crap out there, sadly sometimes even worse. The difference is that the expensive software has highly trained personnel supporting it, carefully not doing anything not thoroughly documented and tested.

    Personally I'm convinced laws demanding responsibility from software firms would benefit them as well as it would put an end to the feature frenzy from the marketing departments. In the end the software would be cheaper to develop and manage, not more expensive.

    --
    HTTP/1.1 400
  17. Re:Why can't we have commercial software like this by toygeek · · Score: 4, Insightful

    Why don't commercial programs have such high quality and thought out design? Simply because there's not enough money in it. The writers of these programs (the Bad Guys(TM)) make far more money on their work than legit companies do. Plus they have real reasons for being so good: stay out of the gulag. How do you think products like Norton Antivirus got to be such pieces of crap? Make what sells instead of what works. The Bad Guys(TM) have the exact opposite motivation. Make what works, and the money starts coming in. They sell to vulnerable machines and other Bad Guys(TM) and if it doesn't work well, their paycheck doesn't get very big.

    In other words, big companies don't need good programming and quality checks. They have marketing departments.

  18. Re:Why can't we have commercial software like this by CODiNE · · Score: 2, Interesting

    Because those aren't what marketing prioritizes. Generally a company needs to sell the software and get it out its doors, how well it performs only affects some vague future release. Botnet guys live or die by the performance of their software, they can take the time to get it right and "when it's ready".

    So the lesson is, if you want to make quality software that makes you beam with pride, stuff you could put in "Beautiful Code" you ought to be a virus writer. ;)

    --
    Cwm, fjord-bank glyphs vext quiz
  19. Microsoft won't whack you and your family if... by Rivalz · · Score: 0, Troll

    If your project fails to meet standards, deadline, or perform acceptably you might end up in a hole in the ground.
    At Microsoft I'd imagine you could stare at a picture of Steve Ballmer for 8hrs a day and get employee of the month.

  20. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out?

    Because they don't have the same marketing departments forcing out premature releases.

  21. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    Damnation, I thought we drove all you Microsoft devs out from here a long time ago!!!!!!

  22. Re:Why can't we have commercial software like this by miffo.swe · · Score: 1

    This is where I feel some sort of law should be put in place to put pressure on management. It has to be punished to willfully ship faulty software. Right now it's just a PR problem some companies just throw stuff like SDL at (and then just ignore it internally).

    --
    HTTP/1.1 400
  23. Re:Why can't we have commercial software like this by clone53421 · · Score: 2, Informative

    I invite you to look at your TCP connections and all those instances of svchost.exe running on your system... and you never had to click "Allow" to let them communicate over the net.

    And I invite you to use SysInternals’ Process Explorer and find out what those actually are.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  24. Re:Why can't we have commercial software like this by bouldin · · Score: 0

    One quick observation: system-level programmers tend to be talented and have a high degree of skill, while application programmers, in many cases, do not have the same level of education or expertise.

    I would guess most of the criticism below towards commercial software is directed towards application software.

    An advanced malware author is almost certainly going to fit more into the systems-level programmer category. These are not people who just picked up a C# book three years ago. These are people who eat, sleep, and breathe computer science.

    Size of teams and software are probably also a factor. Malware is probably going to be written by a handful of focused programmers, not a 300-person team using five kinds of bloated "platforms."

  25. It came with the name by sosaited · · Score: 1

    When you name something "Zeus", you gotta be able to plan and code above than normal.

  26. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    As someone who has been in the position of putting software into production use (internally) that was known to be unproven (to put it mildly), I think you'd have to impose the death penalty in a particularly slow, public, and humiliating way for that to work. Though it might be a good idea to try.

  27. Re:Why can't we have commercial software like this by Monkeedude1212 · · Score: 1

    I'm being a bit sardonic here, but why can't we have commercial software that we pay for this well thought out?

    What are you talking about? We totally do!

    That program that Jim in IT whipped up last night? It doesn't actually calculate the revenue for this quarter, it just displays a pre-made chart when you press the button, that's all. Basically the same thing here.

  28. Re:Why can't we have commercial software like this by icebraining · · Score: 2, Insightful

    Yes, but most of the OSS is gratis, so a warranty wouldn't make sense, because there's no sale.

    If I were to pay for that OS software, I'd expect a warranty like in any other sale.

  29. Re:Why can't we have commercial software like this by rwven · · Score: 1

    The OP never stated that he was only talking about closed-source software....

  30. Re:Why can't we have commercial software like this by rastilin · · Score: 1

    Yes, you understand perfectly.

    --
    How do you kill that which has no life?
  31. Re:Why can't we have commercial software like this by icebraining · · Score: 1

    Like a two year minimum warranty? The EC is looking into that.

  32. Re:Why can't we have commercial software like this by KiloByte · · Score: 1

    malware has evolved from being CPU/disk/memory hogs to some of the leanest and most well coded executables

    Except for a time in early 2000s when there was a slew of trojans written in Visual Basic and such, malware used to be lean. Don't you remember those 200 byte long viruses from 1980s?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  33. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    Open source software is software, no? OP didn't say anything about the method of creation.

  34. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    This is almost as stupid as claiming SELinux was spyware coded by the NSA to infect Linux. What is it with the relation between aging and lunacy in some people?

  35. Re:Why can't we have commercial software like this by Yvanhoe · · Score: 1, Flamebait

    You can usually pay more to have guarantees. Militaries and industries sometimes do that. Are you ready to pay more money (like 2x or 3x) for software? Arguably Apple does (used to do) a good job in this area.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  36. Wait a minute by MintOreo · · Score: 1

    I thought we agreed to not use the word 'cybercrime' !

  37. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    I think Vista introduced a change to taskmgr which supports right-clicking on a process to discover its hosted services. Or you can just run tasklist /svc.

  38. Re:Why can't we have commercial software like this by jwinster · · Score: 1

    This.

    Money helps develop good software of course, but it doesn't change the fact that bad software engineering practices lead to bad software. No matter how much money is thrown at it, it won't make your teams do things in a manner close to "the right way."*

    * Definitions may vary

    --
    Q.E.D.
  39. Zeus Attackers by sycodon · · Score: 1

    Find them.

    Shoot them.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  40. Re:Why can't we have commercial software like this by sexconker · · Score: 0, Troll

    You can usually pay more to have guarantees. Militaries and industries sometimes do that. Are you ready to pay more money (like 2x or 3x) for software? Arguably Apple does (used to do) a good job in this area.

    Arguably?
    I think you mean "ignore and discredit all legitimate concerns"-ably.

    Apple is like the Iraqi information minister and the KGB rolled into one when it comes to:

    Silencing complaints on their own forums
    Holding press conferences to lie about design defects
    Advertising about their superior security while silently patching dozens of exploits months after they're made public
    Releasing products that simply don't work (Time Machine, anyone?), only to patch them to almost working months later
    Charging for updates and blaming SarbOx and accounting rules (The truth is they don't want to disclose to investors how much development and support costs are for particular products each year, because that will hint at when they're end-of-lifing products and rolling out new ones. Instead, they list those costs as fixed and not continuing, then say the updates are wholly separate endeavors.)

    I'll shit on Apple's products all day long because they suck, but if some people like them, that's fine.

    But there is no way anyone with a brain can honestly say Apple's products are technically superior, or that they handle their shit better than any other tech company.

  41. Because this software is simple and single-purpose by gosand · · Score: 1

    Most "commercial" software must do everything (or multiple things) and by nature are complex. But to your point, what would YOU be willing to pay for, and can you give examples? Everyone likes to pick on MS Office, but I use it at work, and it does a ton of stuff all pretty well. Integration with Outlook and other MS apps is not all that bad considering the scope. But, that's big and complex, and has a UI. You're making a comparison of apples and tomatoes.

    Forgetting Linux apps completely, I'll pick an app that does fit your criteria... Irfanview. Small, robust, fast, and well worth the price - free. I am sure with a little thought you can come up with some too.

    --

    My beliefs do not require that you agree with them.

  42. Seriously? by julian-lam · · Score: 1

    Oh, come on! What kind of hacker, ESPECIALLY the ones who work on the Zeus botnet code, would let a string go unescaped? It's even a login string, and that's step 1 in learning to stop SQL injections. What's more depressing is that the security researchers actually thought they could get in via SQL injection. Wow.

    1. Re:Seriously? by gsslay · · Score: 1

      What security researchers? RTFA. It just says that this is what the fake admin panel was designed to do. No one is saying that it fooled anyone.

  43. Re:Why can't we have commercial software like this by wolfgang_spangler · · Score: 1

    You have clearly not reverse engineered malware before.

    There is good, well written, well thought out stuff out there. But it is not the norm.

  44. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    Devil's advocate: Apple has not done anything that other companies have not. Killing forum articles? I know a number of places that will do that. Press conferences for damage control? Yep. Charging for updates and pointing the finger at SOX? I have seen some strange things in the name of Sarbanes-Oxley compliance including SOX compliant ball gags. Security? Yep. Releasing stuff because the marketing department says so even though it doesn't even build? Yep.

    In fact, this sounds like almost every hardware and software maker out there.

  45. Re:Why can't we have commercial software like this by hesaigo999ca · · Score: 1

    I never saw it that way, being a developer myself, I tend to want to not believe what you say, but the model is appallingly apparent. If we saw money based on if our software works instead of just by selling this greatly packaged piece of crap, you might make windows come down to its knees.

    It would be nice to start having a new business model for softwares at the office where the usage is rated based on how many bugs there are, thereby affecting the monthly rate to use the software.

  46. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    Not only that, but nowadays, people have become so desensitized by poorly written software in the past, that despite paying for them, they actually expect the software they bought to crash every once in a while. They honestly believe that if a program breaks, they can just run it again, and it will work better the next time, despite the whole point of a program being to run exactly the same under the same conditions.

    As a result of this, peopl-- I mean, consumers, expect all software to be buggy and unpredictable. There is no market demand for well-written code.

  47. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    The difference is that FOSS programmers tend to also USE their software. So the effort is not uncoupled from the reward. But, good thinking.

  48. Re: Two year minimum warranty by Anonymous Coward · · Score: 0

    I've moderated this +1 Interesting, but I wanted to note that that article is a year and a half old (2009-05-09) and therefore might have since been successfully repressed by the BSA and similar powerhouses.

  49. Re:Why can't we have commercial software like this by Securityemo · · Score: 1

    For a simple reason: coding exploits is fiddly, extremely fiddly, and if all the code is constructed using tweezers and needle by an exploitation expert it becomes secure almost automatically?

    --
    Emotions! In your brain!
  50. Re:Why can't we have commercial software like this by powerlord · · Score: 1

    It has nothing to do with the cost of the software. Extremely expensive enterprise software is often just as crappy as any cheap crap out there, sadly sometimes even worse. The difference is that the expensive software has highly trained personnel supporting it, carefully not doing anything not thoroughly documented and tested.

    After watching a "big name" wall street firm experience multiple outages in a new trading system, ultimately bringing it down for DAYS, as the users talked to the OVERSEAS developers I would agree that money paid isn't always an indication of quality.

    (the only reason it probably didn't make headlines is that the old system was still in place for redundancy as they ramped up the new one, so from an external perspective nothing happened ... which is as it should be)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
  51. Something I'd Love To See by The+Wild+Norseman · · Score: 1

    Scanning Corporation now, please wait...

    Scanning...

    Scanning...

    There have been 6,553 profit(s) found in your Corporation today! Congratulations!

    Click now to give an automatic bonus to the software engineers who work for Corporation!

    Note:  It is strongly recommended to perform this Scan on a regular basis and by clicking above, you have agreed to perform this Scan every week.

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  52. It didn't work by Bob-taro · · Score: 2, Insightful

    From the article, it sounds like the honeypot was only discovered after the REAL botnet was pwned. I don't see any claim that it worked. The article says potential targets of the honeypot were researchers and competitors. I suspect the primary target was competitors. The researchers surely know they are likely being monitored and to treat anything they find with suspicion.

    --
    Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
  53. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    "They have marketing departments."
    - and lawyers ;) Lots of 'em

    AC

  54. Re:Why can't we have commercial software like this by bouldin · · Score: 1

    ha, I struck a nerve and some app programmer modded me down.

  55. Re:Why can't we have commercial software like this by mcgrew · · Score: 1

    200 bytes? That was a BIG virus in the 1980s! There were viruses twenty bytes long back then. But of course, all software was a whole lot leaner, by necessity.

  56. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    It has to work as supposed to it has to ship.

    If this sentence had been malware then it might have been better thought-out.

  57. LOL, & where'd YOU get that from, clone?... ap by Anonymous Coward · · Score: 0

    Answer the question in my subject-line, & I'll post the link where I put that up YEARS ago, as to HOW to use that program, in detail to do what you're stating (which is NOT much to do, but as per usual, you lack the details how to yourself here)!

    Funniest part is, & I KNOW you read it (because you're a "great nitpicker" but not much on provable accomplishments you've done in this field yourself, lol), & that?

    That was in a debate I had with you that SHOWED YOU, that very program's mechanics for this type of work (AND how to use it, in detail)...

    http://slashdot.org/comments.pl?sid=1640368&cid=32155438

    LOL, you TRIED to "cut down my guide" for Windows security too, but the hilarious part is you're NOW using techniques from that very guide here... lol, "will wonders NEVER cease"?

    APK

    P.S.=> Details, clone, details... (Which YOU of course, omitted, as to HOW to do that with Process Explorer, via its DLL View panel (you're "big" on that, as usual as you were in coding (shall I post that link too?), in lacking specifics for folks)).... apk

  58. Re:Why can't we have commercial software like this by CarpetShark · · Score: 1

    Because they have an incentive your normal software maufacturer doesnt have. It has to work as supposed to it has to ship.

    I was expecting you to say that they don't have to pay taxes ;)

  59. Vs. ZEUS? I use this & a question... apk by Anonymous Coward · · Score: 0

    https://zeustracker.abuse.ch/monitor.php?filter=online

    (So, first of all - someone please tell me that the site above's NOT what this article's about!)

    Above all else? Thanks for the information (& I will have to wait until the parent site the article here links to cuts that message I see below thusfar on this)).

    I use the site above to populate a custom HOSTS file vs. the ZEUS botnet is why!

    APK

    P.S.=> Now, I sincerely *HOPE* that's NOT the site being spoken of here, in the URL I posted above, & MAINLY because the funniest part is, I cannot verify what this article's about now!

    I.E.-> From here @ least? Well, it appears has the main site for this article has been "/.'d" - "pseudo-DDOS'd" by this being posted here!

    E.G.-> I keep getting this damned message from the linked to article:

    302 Moved Temporarily

    for HOURS now, no less!

    Anyhow/anyways - I say that & I wonder, because it's AMAZING how many other sites are linking to this very site for this article, & you can check google on that much, just by searching the title of this article here (which, of course, works out GREAT for CmdrTaco & crew here though, the "bright-side" of it I suppose @ least))... apk

  60. Re:Why can't we have commercial software like this by Anonymous Coward · · Score: 0

    Botnet owners, Wall St firms, and the Chinese government are willing to pay top dollar for software which functions perfectly and reliably and indeed do so.

    You've never seen any of this software personally or you would never make that statement.

    (Anonymous for the obvious reason)

  61. Re: Two year minimum warranty by Anonymous Coward · · Score: 0

    Note to self: even an anon reply will wipe moderation ... sorry icebraining.

  62. Whew, what a *RELIEF*, lol... apk by Anonymous Coward · · Score: 0

    GOT IT NOW, "whew"...!

    The "Article moved" message I was seeing is GONE now (@ least in my LINUX/KUbuntu setup for multi-boot here, but not in Windows 7 "oddly" - however, I strongly suspect it's because I do NOT use OpenDNS there in my Linux bootup, only in Windows7, @ least, thusfar (which protects me sort of, vs. waiting on DNS servers & what-not to update)) & thank goodness:

    Apparently? Well - Thank goodness, again, that the article is NOT about the site I use that I saw in a cursory skim so far while in Linux, & noted in my 1st post (because that site url below next IS what I use the populate my custom HOSTS file vs. this botnet, which is this one (again) -> https://zeustracker.abuse.ch/monitor.php?filter=online )...

    APK

    P.S.=> I'll say 1 thing though: LOL, those "bastidges" (Roman Maroni, lol) had me more "spooked" by this article & what they did (they being the "malware crew" that make this botnet) than I have been by malware in general, in ages... whew, what a RELIEF - but, I have to hand it to them, what a pack of cagey bastidges these freaks are! apk

  63. Re:Why can't we have commercial software like this by kmoser · · Score: 1

    There's a reason why the GPL, and indeed most software licenses, include the phrase, "THIS SOFTWARE IS PROVIDED 'AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES". Even in the absence of a sale, there could be an implied warranty. Of course, IANAL so YMMV.

  64. Re:Why can't we have commercial software like this by MoeDumb · · Score: 1

    You obviously never lived in Khrushchev's USSR.

    --
    Mod Me Up. You'll make a grown man cry.
  65. Re:LOL, & where'd YOU get that from, clone?... by clone53421 · · Score: 1

    LOL, & where'd YOU get that from, clone?... ap (Score:0)

    Who the fuck is ap?

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  66. Imitation IS the sincerest form of flattery by Anonymous Coward · · Score: 0

    See subject line above, and my former posting. Says/Proves it all...

    APK

    1. Re:Imitation IS the sincerest form of flattery by clone53421 · · Score: 1

      I invite people to use SysInternals Process Explorer.

      I would never invite anyone to use APK ShitWare Garbage 2000+++ or whatever the hell you call it... unless perhaps they enjoy self-inflicted misery or want to try running it in a VM just to see how bad it really is.

      For those who aren’t already familiar with APK (sit down, have the kleenex handy... and don’t complain to me later if your face hurts from laughing so much):
      APK - The “Ultimate” Collection - mandatory nighttime reading for Ars (or Slashdot) newbies

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  67. Re:Why can't we have commercial software like this by BraksDad · · Score: 1

    If it works well enough, why fix it? Virus and malware were not doing their job well enough, so someone wrote the better code. It is all quite simple actually.

    --
    Slowly waving my hand - "This is not the sig you are looking for."
  68. So sayeth Clone, the "ne'er-do-well", lmao... apk by Anonymous Coward · · Score: 0

    "I would never invite anyone to use APK ShitWare Garbage 2000+++ or whatever the hell you call it... unless perhaps they enjoy self-inflicted misery or want to try running it in a VM just to see how bad it really is." - by clone53421 (1310749) on Friday November 05, @11:10AM (#34136288)

    Hmmm, it appears that in regards to the quality of my work in software alone (not in security or articles related material either which I also have to my credit that did well)? It appears that 12 respected & reputable publications and their professional personell disagree with you:

    ---

    Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

    (&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it

    HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!

    Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...

    Lastly, being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3

    ---

    Have you even ever REMOTELY done the same as I had (while you where still in diapers most likely) in this art & science of computing?

    No, and we BOTH know it: You're trying to put myself down, which is hilarious, when you don't even have a pot to piss in and you certainly are not my peer in this field because of your lack of having done anything worthwhile at all in it...

    ---

    "For those who aren't already familiar with APK (sit down, have the kleenex handy... and don't complain to me later if your face hurts from laughing so much):" - by clone53421 (1310749) on Friday November 05, @11:10AM (#34136288)

    Oh, you mean the pack of fools from arstechnica who were caught impersonating me there and on one of their members' website in Jeremy Reimer? As to any code there people might produce as well (this is hilarious too)??? I had to correct their CoolMon program's author on his work, he wrote it completely without err traps and if someone turned off performance monitors on their system (saves CPU/IO/RAM etc.), his work would fail.

    Hilarious - because if you're going to write a program? Learn to do error trapping at least, and know what you're programming around above all else (he clearly demonstrated he did not).

    Please - is that the "best you've got"? In failed attempts at an adhominem attack on myself, no less as well?? LMAO...

    APK

    P.S.=> Point-Blank/Bottom-Line here: Show us you've done anything of the likes which I have above, Clone, & then maybe, JUST MAYBE, someone will pay you any mind... we'll be waiting (lol, to the "12th of never" for you to even get anywhere NEAR that list of mine above)... apk

  69. Re:So sayeth Clone, the "ne'er-do-well", lmao... a by clone53421 · · Score: 1
    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  70. With ZERO threat levels? From CA?? LMAO! by Anonymous Coward · · Score: 0

    My app's listed @ CA that way, albeit w/ zero threat levels (the same has happened to Dr. Mark Russinovich of Microsoft, as well as Nir Sofer of NIRSOFT (both do good tools too, but like my tool (1 of 27 in the toolset)? They have tools misjudged this way also)).

    Nir Sofer & I had a HUGE discussion on it in fact, write him yourself if you wish in regards to that much.

    However, Computer Associates? Yes, they're really "reputable" (not) - see below:

    ---

    Computer Associates Accounting Scandal

    http://www.corporatenarc.com/cascandal.php

    ?

    ---

    CA also listed my ware with zero threat levels, because it's NOT scriptable, and it wasn't written to be a malware... In fact, on the advice of an attorney, John Lowe Jr. of Hiscock & Barclay? Well, I took the CA 21 point removal test, and did not fail a single point on it, hence, why my app is there with zero threat levels (and was listed by CA under my MIDDLENAME, even though it shows my full name in it, which was really LOW of them, trying to hide it from me as well (this I confronted Mr. Craig Jensen of CA on in fact by phone).

    (Your "sources" keep getting less & less reputable there, eh, Clown? Arstechnica screwups who impersonated me and wrote software I HAD TO CORRECT FOR THEM?? LMAO - please... you're making me laugh, & this one tops the cake!)

    APK

    P.S.=> You still can't show you've ever done anything in this art & science of computing either, so you can try your ad hominem attacks, but you're still just unwilling to admit you're just another /.'ing "ne'er-do-well"... lmao! apk

    1. Re:With ZERO threat levels? From CA?? LMAO! by Anonymous Coward · · Score: 0
    2. Re:With ZERO threat levels? From CA?? LMAO! by Anonymous Coward · · Score: 0

      How those qualifications stack up. This is a comparison of the known qualifications of each of the individuals APK is stalking with APK:

      Has written software generally considered Malware?

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES

      Failed English language courses at school? (Or should have done, given inability to spell or use standard English grammar)

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES

      Harasses critics?

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES

      Promotes bogus "anti-virus" scheme that by own admission doesn't work and lulls users into false sense of security?

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES

      Is unable to make friends in real life and uses sock-puppets instead?

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES

      Unable to get a real, paying, job and forced to sell self-written crapware instead?

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES

      Lifelong open misogyny leading to lifelong virginity?

      Clone: No

      Squiggleslash: No

      Tom Hudson: No

      Red Flayer: No

      GMHowell: No

      Alexander Peter Kowalski: YES