SpyEye Botnet Nets Fraudster $3.2M In Six Months
wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."
Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.
This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.
If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.
35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
Click here to unlock your account [notification.zip].
I know it's a crime and all, but should we feel sorry for people who get scammed because they're just that gullible? I know plenty of people who are.
And... when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.
Most of the stuff on
People aren't that smart. You think about all the wonders and achievements of human kind, but a trip to the DMV will bring you back down to earth.
Capitalism. Gotta love it. Of course, this particular guy is frowned upon because he isn't a megacorporation doing it on much larger scales.
so the most important thing is to focus on stuff that really doesn't matter at all?
stuff that might matter; (which now includes avoiding; starving, drowning, burning up etc....); http://climaterealityproject.org/video/hour-24-new-york/
the hymenology council advises that there's more flappage contentions, causing the need for the neogods to attempt to re-write fake history, & science, yet again. the whore of babylon remains under the care of the council's counsel, as do the papers of challenge she carries.
can anyone guess the carbon footprint of just 8 simultaneous wars? you'd have to, because the mess we make is never included in the holycosters assessments of the glorious victories (for who?) always just within our grasp. see you on the other side of it?
disarm. read the teepeeleaks etchings, or watch the movie (unrepentant). be more careful of/for one another. for each of the creators' innocents harmed in any way....
always look for the real motives of the presenter, whomever it may be..... thanks again.
OK, so when are we going to hold Microsoft and other software makers responsible for making insecure software? Nice DMV comment...so true. "Waddaya mean I need insurance to register my vehicle?!" Yes, I heard that once before...
"That's right...I said it."
90 is a handful now?
A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.
What? You don't manually check your brake lines every time you drive? You don't even know where to look? But that's YOUR RESPONSIBILITY!
Do you count your knives each night to know no one has stolen them to stab someone?
Personal responsibility means taking reasonable steps to make sure you don't harm others. It doesn't mean becoming an expert in every single aspect of technology to make sure it is impossible for anyone to use your equipment to harm others. It's completely unreasonable to expect your average person to know enough about their computer to know whether it is being used for crime.
> In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million
In fact, that's only 128 dollars per person, so is quite reasonable. It'll teach people that there ARE real world ramifications to their carelessness, but it isn't so much money that it would be a hardship for most people.
In a world where picture frames come preinstalled with malware, in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.
I blame people for running Trojans, I blame people for not doing updates (but come on, what other industry would tolerate having a recall on the second Tuesday of every month), but this is still a world in which drive-by downloads are possible. I run NoScript, of course, but don't expect anyone else to live with the problems it causes.
Does that mean I didn't get accepted into the Diablo 3 pre-release beta then?
I have been practising with my CLICKCLICKCLICK finger for days.
I put my books on Amazon, Smashwords, Demonoid, ISOHunt and Pirate Bay. Search for 'Michael Cargill'
"Personal responsibility means taking reasonable steps to make sure you don't harm others"
Yes, and people DON'T DO THAT. I've seen people get spyware, right in front of my eyes. They absolutely do not take reasonable steps to avoid so doing. They'll cheerfully run ANYTHING. That is not a reasonable behavior, on what is fundamentally a Turing machine.
So yes, let's hold them responsible when they don't take reasonable steps towards safe computing.
Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
Sorry, but no. You may have 35 years under your belt, but my 80+ year old Mom doesn't, and the vast majority of mere users out there are a lot like her. When even highly educated users like doctors and lawyers are stupid around computers, how can you expect my Mom to do any better?
Case in point: she's on a Mac using Safari, and it drives her up the wall when the history pane doesn't show her favourite sites. I've told her that's not how it's supposed to be used and to use bookmarks instead. She wants to use the history window instead and can't understand why she shouldn't.
A friend of mine was using Windows and got it infected. I built him a Linux box and showed him how to use it. Problem solved? No, because he kept going back to using his infected Windows box, wondering why his ISP cut him off every time he used it (because his ISP determined his machine was infected).
I've seen just as stupid !@#$ from doctors and lawyers.
What you want is for your politicians to write a law that forces all computer users to get a driver's license before being allowed on the net, and that isn't going to happen since the vast majority of politicians are lawyers who're just as stupid around computers as is my Mom. For most users out there, computing is still magic to them and I doubt that's going to change anytime soon. They see no need and are quite capable of blaming something/anything else for their ignorance.
Besides, it'd be a lot simpler to force ISPs to police their users. They have the expertise and at least some are doing it already. What's wrong with the rest of them?
"Tongue tied and twisted, just an Earth bound misfit
If his profits reside in a single account (or many accounts?) all his... Couldn't this be used to potentially track him?
It's quite true. I can't blame users for shitty fucking plugins like Flash. They want to view online content, so are essentially forced to become part of an insecure ecosystem.
The world's burning. Moped Jesus spotted on I50. Details at 11.
You want to hold all the Linux contributors responsible too? Especially when the malware usually comes via user stupidity, not insecure software.
Neither malware nor viruses have existed for 35 years. Stop the revisionist history. And even if they had existed you're still using a really shitty metric. That would be like screaming at a new 16 year old driver after an accident because cars have been around, more or less for 135 years.
Oh get off your goddamn high horse. Just because you deem yourself an expert you think every one and their mom should know "common sense" things. Guess what? None of this shit was common sense 10 years ago. It's continually changing, and most people don't give a flying fuck about any of it as long as they can do what they need to do.
That's how the world works. You're a freak of nature. Accept that.
What are they being responsible for? Just running a piece of software isn't illegal. Even the FBI, or whoever it was that cleaned one of the botnets, gave computer owners the possibility to opt out of it, in case they wanted to keep it on their computer.
I agree, to a point. But it is less simple than you've made it. As an AV industry employee, I get to see firsthand how infections spread. It's actually pretty amazing how much of it is spread by software or operating system vulnerabilities, and software companies are slow to address even known vulnerabilities. That being said, it is also true that most people on the information superhighway are simply driving at 700 km/h while texting, eating a donut, and watching a porn video. Click OK or Next now and think about it later.
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
> A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.
But the brakes in a car generally don't fail because someone put the wrong CD in or tuned to the wrong radio station.
Are you saying that Flash should be limited to Linux, BSD, OpenSolaris, and other operating systems with minimal protections? Better tell Adobe, because they always release new versions of Flash first for Windows. Does that imply Adobe is also complicit with the botmasters?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Ok, I understand if you compromise a PayPal account, you could transfer money to another PayPal account and withdraw. And that you can sell the information perhaps... But other than that, how can these people make money from a botnet? Maybe could apply for a credit card with the person's info, but that seems slow. The article said what, $17,000 a day? And as far as transferring money, seems risky, as someone had to set up the account transferred into.
If your solution is for people to be smarter then you might as well throw in the towel now.
I can blame the webmasters that insist on using Flash and mandatory JavaScript (etc.) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes through their network if the price is right, sites using a CMS for static content that got abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever; it's neither the user, nor the companies, nor the websites, it's all of them.
Get off your high horse. A good friend of mine just a week ago had a search warrant served on him at 6AM and had basically everything with a power cord seized. He's been accused of running some bank scam, but there's absolutely no way this guy could have been involved. In all likelihood, either his computer was hacked, or someone was using his wireless. Either way, his life has been turned upside down.
Those of us who know about this stuff should be working to make technology secured by default, not blaming innocent average Joes for failing to take every security precaution possible.
> I can blame the webmasters that insist on using Flash and mandatory JavaScript (etc.) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes through their network if the price is right, sites using a CMS for static content that got abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever; it's neither the user, nor the companies, nor the websites, it's all of them.
+1 truth
I'm sick and tired of people who defend the unnecessary use of things like javascript by putting all of the blame for the accompanying reduction in security on the user.
The car analogy is that it is like demanding that people not wear seat-belts and when they get hurt in a wreck then blaming them for not having the latest air-bag system.
When information is power, privacy is freedom.
Funny, my father is 77, and has somehow managed to never get any malware since he started using computers in the 1990s (and not with any help from me - he does everything himself). Of course, he is willing to THINK, something that 99% of the population seems unwilling to do. Not incapable - they are perfectly able to if they want to. They just don't want to, and will make excuses after excuse for the others who don't want to either. So here we are, a culture of mass ignorance, a malware and spam filled world.
A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.
Om, nomnomnom...
"A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."
But running malware and trojans is not "using a computer in a reasonable manner".
A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...
If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.
"Is that the victims were generally NOT the people who allowed botnets to run on their computers."
Of course. There is no evolutionary pressure in the ecosystem to detoxify exploited computers. Bubba and Laqueefa don't give a fuck about internet security and WHY SHOULD THEY when there are negligible negative consequences?
I don't advocate any nonsense like government regulation to (not!) solve the problem.
It would be better done with destructive malware that disconnects infected PCs from the internet and does enough system damage to coerce a reinstall. No need to make personal files unreadable or data unrecoverable, just trash the OS.
There is NO ethical way to solve this problem, and there is no way to solve this problem without causing collateral damage.
Joe Dumbshit gets his porn appliance disconnected enough and gets tired of paying for reloads, and he will in some cases take action. Even if he replaces his PC with something more modern and, it is to be hoped, more secure, that's progress.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Anyone else think, oh wow, a new tech company is succeeding in a recession?
Give it time, give it time. The software retards will find a way to mess that up too.
"...there were a handful of victims in 90 other countries..."
A handful of victims in 90 countries? What were they victims of, dismemberment?
So you don't remember all the email viruses that spread years ago simply by opening them because they were exploiting flaws in system software? Or how about the malware spreading by exploiting other system flaws? Yes, some is user stupidity by installing some random program or clicking through popups and going to (compromised sites that exploit system flaws) but not ALL of it is caused by the end user.
"That's right...I said it."
A better analogy is leaving your car running while you dash into the store. Which IS against the law in many places. Someone might hijack it and commit a crime. Now, I haven't looked, I don't think you'd be liable for that crime, but if they hit someone else with that car, your insurance is at the least going to drop your ass like the irresponsible assbag that you are.
Did anyone else read "Fraudster" and think it was a new social network?
CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
You should have started a company before you infected everyone with your nasty software.
It worked for sony. It can work for you too.
> Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.
> This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.
> If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.
> 35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
BS. The bad guys are a lot smarter than you think they are. Exploit kits, iframes, obfuscated javascript, etc... they're EVERYWHERE now. Quit blaming the victim already.
U use this -> https://spyeyetracker.abuse.ch/monitor.php to add data 2 UR custom HOSTS file & firewalls (both software & hardware based ones, for redundant protection) to stop it from being able to work in the FIRST PLACE (by stalling communications with its C&C servers & more)...
That site's called SPYEYE TRACKER, & for GOOD REASON - it is a known reputable + reliable source for protective data vs. this threat.
APK
P.S.=> Enjoy... & you'd be surprised how many sources there are to protect yourselves from threats like this... I've repeatedly listed over 17++ or thereabouts here, many times (that's one of the better ones, vs. one of the worst threats (right up there with ZEUS imo))...
... apk
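The post above suggests feeding a tracker's C&C domain list into a local HOSTS file so the infected machine can no longer reach its controller. The script below is an added example written for this thread, not code from abuse.ch, the SpyEye Tracker, or the commenter. It assumes a simple feed format (one domain per line, `#` comments, optionally an `address domain` pair), which is an assumption rather than the tracker's documented format, and the domains in the sample data are constructed placeholders, not real indicators. It validates each name, refuses to sinkhole `localhost`, skips names already present, and is idempotent so re-running it does not pile up duplicate lines.

```python
"""Merge a C&C domain blocklist into hosts-file format (added example).

Assumptions (not from the page): feed is one domain per line, '#' starts a
comment, and a line may carry an 'address domain' pair, in which case only
the domain is used. Sinkhole address 0.0.0.0 is used because the OS fails the
connection immediately instead of handing it to a local service on 127.0.0.1.
"""
import re

SINKHOLE = "0.0.0.0"
# A hostname label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names that must never be sinkholed or the host breaks its own name resolution.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_valid_domain(name: str) -> bool:
    """Syntax check: valid labels, total length <= 253, at least two labels."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_feed(text: str) -> list[str]:
    """Return unique, valid, lower-cased domains from the (assumed) feed format."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        name = line.split()[-1]  # 'address domain' pairs: keep the domain
        if name in PROTECTED or not is_valid_domain(name) or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return out


def existing_hosts_names(hosts_text: str) -> set[str]:
    """Collect every hostname already mapped in a hosts file."""
    names: set[str] = set()
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            names.update(p.lower() for p in parts[1:])
    return names


def merge_blocklist(hosts_text: str, feed_text: str) -> tuple[str, list[str]]:
    """Append sinkhole entries for feed domains not yet in the hosts file.

    Returns (new hosts text, list of domains actually added). Running it again
    on its own output adds nothing, so it is safe to schedule repeatedly.
    """
    present = existing_hosts_names(hosts_text)
    added = [d for d in parse_feed(feed_text) if d not in present]
    if not added:
        return hosts_text, []
    block = "\n".join(f"{SINKHOLE} {d}" for d in added)
    return f"{hosts_text.rstrip(chr(10))}\n# tracker block (added)\n{block}\n", added


# Constructed sample data; the .example names are placeholders, not real C&C hosts.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n0.0.0.0 already-blocked.example\n"
SAMPLE_FEED = """# constructed feed
cnc-one.example
CNC-ONE.example          # duplicate, different case
already-blocked.example  # already present in the hosts file
localhost                # must never be sinkholed
bad_name.example         # underscore is not valid in a hostname
127.0.0.1 pair-form.example
"""

if __name__ == "__main__":
    new_hosts, added = merge_blocklist(SAMPLE_HOSTS, SAMPLE_FEED)
    print(new_hosts)
    print("added:", added)
```

On a real system the merged text would be written back to the platform's hosts file with administrative rights; a tracker feed should be fetched over HTTPS and reviewed before use, since a bad entry in the blocklist silently breaks resolution for that name.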
If it wasn't for the ubiquitous nature of Windows these guys would be making their malware for other OSes.
Think of windows users as a giant honeypot.
"His botnet was able to compromise approximately 25,394 systems .. SpyEye was built specifically for Windows systems and Windows XP led the way, making up 57% of the compromised computers. Despite its improvements in security, there were nearly 4,500 compromised Windows 7 computers"
> So you don't remember all the email viruses that spread years ago simply by opening them because they were exploiting flaws in system software?
Yep, it was years ago. On that note UNIX and Linux used to have lots of worms that spread remotely too, and there's still lots of bugs and sometimes even remote exploits. Firefox and Chrome patch hundreds of bugs per year.
If software vendors were being held responsible for every bug that might have slipped through, what you think would happen? Open source contributors would stop contributing software, because they would risk losing their personal money in the process. On the other hand, Microsoft has the money. You would only kill open source development.
You're so awesome. I bet all your friends and family ask you when they have a computer problem. And I bet you scold them mercilessly for their stupidity, but it's all right - they let you away with it because you're so much fun the rest of the time. You can't help it if you're a fucking genius at computers.
Given that those 3.2 million that were lost most likely originated from some of the 25k compromised machines, I'd say that those responsible got what they had coming to them. If a single mother living on minimum wage had her machine compromised, yet no assets were stolen via or from her, then why slap her with a $120 fine so that the few rich guys who are the main targets don't have any incentive to fix their security holes?
People can only be held accountable for things that they or any reasonable person would be held accountable for. Corporate users are taught not to use their 'work' computer for personal use or not to go to unauthorized sites. This is mostly to keep the corporate internet connection from being the source of malicious applications. Some organizations go so far as to teach or introduce users to information assurance as part of their right to access the internet. ISPs will continue allowing Darwin Award candidates access to the internet as long as they continue to pay for service. God help the USA when free internet gets here for every home. By free I mean, purchased by US tax dollars. ISPs should do their part in educating the account holder on internet usage, or ISPs should be held responsible for the attacks that happen on or from their networks. I am not asking that they censor access, just educate the user. That annual 'this-is-how-to-safely-use-the-internet' course would remove responsibility from the ISP on any incident.
> what other industry would tolerate having a recall on the second Tuesday of every month
Personally, I think we'd be safer if Microsoft didn't create Patch Tuesdays, and actually released patches as soon as they have fixes, instead. It seems that Patch Tuesday in practice just exists to reduce how often Microsoft is seen to release patches. There's a claim that we need a certain date in the month for all sysadmins to know to look for updates, but that's silly. Sysadmins should always be checking for vulnerabilities, and if they really can't be bothered to do it more than once a month they can set their own calendar -- but make the fixes available immediately to the rest of us.
Get off my launchpad!
I agree with you, same as a car, you would not just start driving one because you can afford to buy one, you have to take courses and also pass tests.
Computers in society seem too commonplace and without accountability. A pilot has to be registered to fly a plane and go through screening....why can't the ISPs enforce such things as well?
This is where the problem lies; it is more so the ISP's responsibility also to know when an infected computer is within ITS network, and block it off indefinitely until the problem is resolved. If a judge can turn around and ban you from driving because of a DUI (act of stupidity) and decide not to let you access the roads until such time as he feels you have learned your lesson....so too should the ISP providers enforce actions that would keep you off the internet until such time as you can prove to them you are bug free....and this would be tested once you contacted them with information about being now secured; they would keep you under watch and block you again if you showed signs again of reinfection.
Some might argue that you pay for a service and should not be stopped from enjoying it (internet), but I do not agree....you pay for your insurance, car, license, and plates, yet a judge can under acts of stupidity (driving drunk) remove your privilege, yet you still own everything else and need to pay for it regardless....
Until we actually treat infected PCs as badly as we might someone having AIDS, we won't get anywhere...imagine if tomorrow everyone understood that an infected PC is like having AIDS yourself...no one would ever want to interact with you simply for fear of infection.....so treat it as bad as this to make the point get home.
I agree. We are on the same side :)
I should have made it more clear in my first post that I was being sarcastic to the OP. The AC claiming that we should go after the people who are installing malware and to go after them. Like you stating that not every little bug can be perceived, nor can every computer user realize what they are installing is NOT malware, which the AC claims they should know what they are installing. Then I was sarcastically stating then why not go one step further and go after the people who make the software... Not saying it is a good idea and yes, it would really only hurt the Open-Source market, which, IMO is the only market that is truly making a difference.
"That's right...I said it."
What about the stinking security people who release vulnerabilities knowing they haven't been fixed yet? Because boohoo they didn't get fixed as fast as they thought they should have. I blame them more than I blame the criminals. There is enough blame to go to users, but those who do know better are far more responsible for taking advantage of people. Stop blaming users; that's a cop-out.
Jack of all trades,master of none
Don't forget all the bug hunters/security people who released the vulnerabilities before they were fixed. They are more responsible than the criminals themselves in my book.
Jack of all trades,master of none
Yeah, and similarly, people have been dealing with money for thousands of years, but they still let themselves get mugged or burgled. With all that time to have become experts, they have only themselves to blame.
To have a right to do a thing is not at all the same as to be right in doing it
> A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...
The phrase "a better analogy" in English does not mean "a completely fucking retarded comparison".
To have a right to do a thing is not at all the same as to be right in doing it
> If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.
Yes, because only people with Computer Science PhDs should be allowed to use computers, and ideally all computers would be giant mainframes in universities or large corporations. All this giving computer and internet access to the masses is just plain wrong..
To have a right to do a thing is not at all the same as to be right in doing it
mod parent +1 funny for use of the term "information superhighway".
To have a right to do a thing is not at all the same as to be right in doing it
> and there is no way to solve this problem without causing collateral damage.
Fuck me, it's Mr Internet Tough Guy on the rampage with military jargon off a cornflakes packet.
To have a right to do a thing is not at all the same as to be right in doing it
It would be better if Flash didn't automatically run every time your web browser encountered it. There is Flashblock, but most users don't know about it (and probably don't realise the security benefit of it).
Only browser I know that has that NATIVELY "built-in" (not done via 3rd party addons), AND, it does the same FOR ALL OTHER PLUGINS (+ javascript/cookies etc. also) via:
This CAN be implemented/turned-on in:
---
1.) Opera's GLOBAL preferences -> Tools menu, Preferences submenu, Advanced, Content, Enable Plugins/Enable Plugins only on demand
OR
2.) Opera's right-click on a website page "By Site Preferences" - imo this latter method's IS the easier & better/faster way!
---
(The latter IS the "superior method" (especially if you 1st GLOBALLY DISABLE all javascript/plugins/cookies (i.e. - things that can cause hassles security-wise), etc.-et al, first - then, enable things like plugins/javascript/cookies BY SITE as you need them ONLY!!!)).
APK
P.S.=> Opera's the ONLY browser that I know that has a "By Site" preferences option, which is GREAT FOR SECURITY and SPEED @ the same time really (by not loading things you do NOT need to be running "constantly" &/or for NO GOOD REASON, especially if you do NOT need to be using things))
AND?
Opera also has the TLS1.2 SSL encryption option, which is "proof" to the NEW "BEAST" javascript attack that's "taking out" MILLIONS of SSL sites -> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/page2.html ... apk