{"id":565,"date":"2009-05-09T16:26:15","date_gmt":"2009-05-09T20:26:15","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=565"},"modified":"2022-12-30T12:11:35","modified_gmt":"2022-12-30T17:11:35","slug":"lessons-from-botnet-demise","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/lessons-from-botnet-demise\/","title":{"rendered":"Lessons From Botnet Demise"},"content":{"rendered":"<p><a href=\"http:\/\/www.theemailadmin.com\/2012\/07\/do-you-have-zombies-sending-spam\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-100940\" title=\"Lessons From Botnet Demise\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/computer_zombies.jpg?resize=120%2C110&#038;ssl=1\" alt=\"Lessons From Botnet Demise\" width=\"120\" height=\"110\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/computer_zombies.jpg?resize=150%2C138&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/computer_zombies.jpg?resize=75%2C69&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/computer_zombies.jpg?w=400&amp;ssl=1 400w\" sizes=\"auto, (max-width: 120px) 100vw, 120px\" \/><\/a>Brian Krebs on the <em><a href=\"http:\/\/www.washingtonpost.com\" target=\"_blank\" rel=\"noopener noreferrer\">Washington Post<\/a><\/em> blog <a href=\"http:\/\/voices.washingtonpost.com\/securityfix\/2009\/05\/zeustracker_and_the_nuclear_op.html\" target=\"_blank\" rel=\"noopener noreferrer\">Security Fix<\/a> profiled a case where a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Bot_herder\" target=\"_blank\" rel=\"noopener noreferrer\">bot-herder<\/a> killed 100,000 <a href=\"http:\/\/en.wikipedia.org\/wiki\/Zombie_computer\" target=\"_blank\" rel=\"noopener noreferrer\">zombie clients<\/a> in his <a href=\"http:\/\/en.wikipedia.org\/wiki\/Botnet\" target=\"_blank\" rel=\"noopener noreferrer\">botnet<\/a>. 
The bot-herder implemented a &#8220;kill operating system&#8221; or kos command resident in the Zeus botnet crimeware. The kos command caused the infected PCs to crash to the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Blue_Screen_of_Death\" target=\"_blank\" rel=\"noopener noreferrer\">Blue Screen of Death<\/a> (BSOD). The Madrid-based security services firm S21sec reports that invoking the kos command only results in a blue screen and subsequent difficulty booting the OS. There appears to be no significant data loss, and neither the Trojan binaries nor the start-up registry entries are removed. In their post, S21sec look at what happens to an infected computer when it receives a Zeus kos.<\/p>\n<h3>Russian botnet<\/h3>\n<p>The Zeus crimeware was designed by the <a href=\"https:\/\/web.archive.org\/web\/20120713235513\/http:\/\/www.usatoday.com:80\/tech\/news\/computersecurity\/2008-08-04-hacker-cybercrime-zeus-identity-theft_N.htm\" target=\"_blank\" rel=\"noopener noreferrer\">Russian A-Z<\/a> to harvest financial and personal data from PCs with a Trojan. UK computer security firm <a href=\"http:\/\/www.prevx.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Prevx<\/a> found the Zeus crimeware on sale for just $4,000. The fee includes a DIY &#8220;exe builder&#8221; that incorporates a kernel-level rootkit. According to <a href=\"https:\/\/web.archive.org\/web\/20130203214851\/http:\/\/www.prevx.com\/blog\/112\/ZEUS-steals-information-from-home-and-business-PCs.html\" target=\"_blank\" rel=\"noopener noreferrer\">Prevx<\/a>, this means it can hide from even the most advanced home or corporate security software. RSA detailed the capabilities of the Zeus crimeware in 2008. Zeus also includes advanced &#8220;form injection capabilities&#8221; that allow it to alter web pages from legitimate websites as they are rendered on the user&#8217;s PC. For example, criminals can add an extra field or fields to a banking website asking for credit card numbers, social security numbers, etc. 
The bogus field makes it look as if the bank is asking you for this data after you have logged on, when you believe you are securely connected to your bank.<\/p>\n<p><strong><em>rb-<\/em><\/strong><\/p>\n<p><em>The reason for BSODing 100,000 machines isn&#8217;t quite clear. Several security experts have offered opinions, including S21sec and Zeustracker (currently down due to an apparent DDoS). What is clear are the implications of this action.<\/em><\/p>\n<p><em>Botnets and their related crimeware are dangerous for a growing number of reasons. They can steal massive amounts of personal data, they can launch denial-of-service attacks, and they can execute code. I agree with Krebs that the scarier reality about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker.<\/em><\/p>\n<h3><em>Politically motivated attackers<\/em><\/h3>\n<p><em>For the time being, it is still in the best interests of the attackers to leave the compromised systems in place, since they can plunder more information that way. However, imagine the social chaos created if <\/em><em><a href=\"https:\/\/web.archive.org\/web\/20120408100202\/http:\/\/www.pcworld.com\/businesscenter\/article\/157858\/downadup_worm_bores_into_9_million_pcs.html?tk=rel_news\" target=\"_blank\" rel=\"noopener noreferrer\">9 million<\/a> PCs infected with <\/em><em><a href=\"http:\/\/en.wikipedia.org\/wiki\/Conflicker\" target=\"_blank\" rel=\"noopener noreferrer\">Conficker<\/a>, including hospitals from <a href=\"https:\/\/web.archive.org\/web\/20090503003516\/http:\/\/www.siliconvalley.com:80\/news\/ci_12257206?nclick_check=1\" target=\"_blank\" rel=\"noopener noreferrer\">Utah<\/a> to the <a href=\"http:\/\/www.theregister.co.uk\/2009\/01\/20\/sheffield_conficker\/\" target=\"_blank\" rel=\"noopener noreferrer\">UK<\/a>, were under the control of Al-Qaeda or other similarly minded groups. 
These politically motivated attackers could order all the infected machines to BSOD, creating computer-enhanced chaos. One of the forgotten lessons of 9\/11 is that our technology can be hijacked and turned against us. This could be the opening of a new type of cyber warfare.<\/em><\/p>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brian Krebs profiled a case where a bot-herder killed 100,000 zombie clients with a kos command resident in the Zeus botnet crimeware that made the infected PCs BSOD<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3216,58,761,605,768,2920,23,2835,4,127],"class_list":["post-565","post","type-post","status-publish","format-standard","hentry","category-security","tag-3216","tag-botnet","tag-brian-krebs","tag-cyberwarfare","tag-denial-of-service-attack","tag-dos","tag-malware","tag-russia","tag-security","tag-zeus"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=565"}],"version-history":[{"count":6,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/565\/revisions"}],"predecessor-version":[{"id":132759,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/565\/revisions\/132759"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}