From: David Perry (MKT-US)
Sent: Wednesday, August 04, 2010 10:22:00 PM
Subject: ::NEWSBANK:: Botnet that pwned 100,000 UK PCs taken out
Auto forwarded by a Rule
Botnet that pwned 100,000 UK PCs taken out
Researchers crowbar entry into cybercrime server
By John Leyden
Posted in ID, 4th August 2010 11:29 GMT
Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers.
Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems.
Trusteer researchers identified the botnet's drop servers and command and control centre before using reverse engineering to gain access its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer onto the Metropolitan Police.
Trusteer declined to point the finger as to the locations of the Zeus botmaster controlling the systems, beyond saying that compromised systems were controlled from eastern Europe.
"The cybercrime servers were hidden but the hackers were not using a lot of security, so it was possible to find a way into the database," Mickey Boodaei, Trusteer's chief exec told El Reg.
The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer.
The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years.
"There are some significant changes between Zeus 1.x and Zeus 2.0: Zeus 2.0 installs differently, better adapted to newer Windows operating systems (Vista, 7). Additionally, Zeus 2.0 has built-in support for Firefox," Klein explained.
"There are Zeus binaries out there for few months already with version number 2.0.x.y. We do not control Zeus's version numbers - it's the Zeus writers who do that," he added.
Trusteer says the attack is an example of the growing trend of regionalised malware.
- Botnet with 60GB of stolen data cracked wide open (2 August 2010)
- Zeus bot latches onto Windows shortcut security hole (27 July 2010)
- Zeus baddies unleash nasty new bank Trojan (13 July 2010)
- Regional banking Trojans sneak past security defences (1 July 2010)
- Exclusive Cybercrime police's budget slashed by 30% (11 June 2010)
- Computer forensics tool for banks aims to trace Trojans (16 March 2010)
- Trojan armed with hardware-based anti-piracy control (12 March 2010)
- World's nastiest trojan fools AV software (18 September 2009)
Building Botnets For Fun And Profit
Creating a botnet business can be lucrative -- and isn't as hard as you might think, Black Hat speaker says
By Tim Wilson
Aug 03, 2010
LAS VEGAS, NEVADA -- Black Hat USA 2010 -- If you're thinking about a life of cybercrime, building a botnet might be the best place to start, a security researcher said here last week.
Gunter Ollmann, vice president of research at Damballa, gave a talk on the business of building botnets, aptly titled, "Becoming The Six Million-Dollar Man." The presentation was a step-by-step description of the technical and business processes required to become a botnet operator.
"Building botnets is not as scary or difficult as you might think," Ollmann said. "You don't need to be a hardcore criminal. There are tools, guides, vendors, and sponsors readily available. It's a business just like any other -- just don't get caught."
Like any business, botnet operations usually starts with a business plan, Ollmann said. Many operators start by targeting a specific group of victims or data sets that they think will be valuable, and have some idea of the costs and revenues they can expect. "If it's done right, there's a good potential of earning as much as $6 million within a year," he said.
Most criminals start off with an off-the-shelf botnet kit, such as Zeus or Butterfly, and begin seeding open environments such as Bit Torrents and newsgroups. They use Dynamic DNS for command and control, and multiple command-and-control servers, making themselves harder to track.
"The first botnet is usually a proof of concept, rather than a production network," Ollmann said. "You're validating principles and doing testing." Once the operator has established the initial botnet, he or she can begin to build a reputation and trust, which will make it easier to build and sell services on future botnets, he said.
But most botnet operators are eventually caught because of mistakes they make in these early phases, Ollmann said. "They almost always make mistakes while they're learning," he said. "They use an alias that they've used before, or they use a credit card that can be traced back to them. The Mariposa operators were caught because one of them dialed in from his home IP address. Mistakes at the beginning can be fatal."
Many successful botnet operators actually operate more than one botnet, Ollmann said. "There's a common myth that there's one botnet per botmaster," he said. "But smart operators don't want to lose everything on one go, so they've got more than one going."
Smart operators also vary their campaigns -- they may target different groups of victims, build around different themes, or carry out different attacks, Ollmann said. Some botnets might be used to deliver malware, while others are simple spam delivery services.
"They may conduct a series of overlapping build campaigns," Ollmann said. "With a target of 25,000 victims a week, they may bring in $1,000 to $5,000 a week."
Ollmann's company, Damballa, detects around 30 to 100 new botnet operators every week. "There's no barrier to entry," he said. And although industry researchers often focus on the largest botnets, the most successful operators are those who keep their networks small, so as not to attract too much attention.
"The noisier they are, the more likely they are to be detected," Ollmann said. "That's not what the criminal wants." In fact, small botnets that target specific companies or specific groups of users -- such as wealthy executives -- may sometimes be more lucrative than much larger botnets."
Botnet operators are becoming an important part of the cybercrime infrastructure, and there is a growing demand for their services which makes it an attractive entry point for new players, Ollmann said.
"You don't need a lot of technical knowledge, and you don't need to be a hardened criminal," Ollmann said. "You can get started with kits and services that are readily available on the Internet. It's not hard to get started."