With Zeus crimeware infections reaching epidemic levels, two-factor authentication under fire, and the actual DIY (do-it-yourself) kit becoming more sophisticated, it’s time to reassess the situation by discussing the current and emerging crimeware trends.
What’s the current state of the crimeware threat? Just how vibrant is the underground marketplace when it comes to crimeware? What are ISPs doing, and what should ISPs be doing, to solve the problem? Does taking down a cybercrime-friendly ISP have any long-term effect?
I asked Thorsten Holz, researcher at Vienna University of Technology, whose team not only participated in the recent takedown of the Waledac botnet, but released an interesting paper earlier this year, summarizing their findings based on 33GB of crimeware data obtained from active campaigns.
Go through the Q&A.
Dancho: Were you surprised that you were able to extract the data from the crimeware dropzones so easily? Given the quality assurance practices that these people often put into their campaigns, it’s logical to assume that they’ve taken basic precautions on the server/kit level.
Are cybercriminals taking the operational security of their campaigns seriously?
Thorsten: Actually, I was rather surprised that we found so many open dropzones; it seems like the attackers do not follow security best practices. Earlier versions of Nethell in particular very often had an open directory where all log files could be found by simply browsing to the correct URL. For ZeuS, we found only a handful of open dropzones; it seems like the attackers using that toolkit have more of a clue about what they are doing. Unfortunately, this has changed in recent months: by now, most dropzones are configured correctly by default and thus it is not common anymore to find open dropzones.
Dancho: Considering the fact that security researchers are clearly capable of extracting campaign data, it’s fairly logical to assume that cybercriminals are also peeking into each other’s botnets, Zeus in particular.
Do you agree or disagree?
Thorsten: Yes, that definitely makes sense. Presumably an attacker can also use other methods to access a dropzone from another attacker: an attacker could exploit vulnerabilities in the dropzone’s web app (e.g., SQL injection, default passwords, open MySQL access etc.), something that we could not do as part of our research. There have been some reports about vulnerabilities in dropzone kits, and I am sure that one could find other ways to access a dropzone.
Dancho: With Zeus clearly reaching a monocultural stage within the cybercrime marketplace, a remotely exploitable flaw within the kit’s web interface could trigger an effect often seen from a white hat’s perspective. In fact, there have been cases of cybercriminals hijacking one another’s Zeus botnet due to insecurely configured web servers.
Do you believe these are isolated incidents, or a logical development in the long term, which could contribute to the rise of underground turf wars?
Thorsten: I think that this is a logical development: if I were an attacker, it would be way easier to simply exploit other dropzones than to do all the hard work on my own (buying the kit, hosting it, exploiting machines, etc.). And with tools such as ZeuS Tracker I could also easily find other dropzones and perform my attack on a larger scale.
- Go through related posts on the Zeus crimeware: Zeus Crimeware as a Service Going Mainstream; Modified Zeus Crimeware Kit Comes With Built-in MP3 Player; Zeus Crimeware Kit Gets a Carding Layout; The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw; Help! Someone Hijacked my 100k+ Zeus Botnet!; Inside a Zeus Crimeware Developer’s To-Do List
Dancho: Since not every cybercriminal is willing to invest money into purchasing the very latest Zeus release, hundreds of them continue using old releases while continuing to update the “Web Injections” list.
A few months ago, based on an observation of ongoing discussions on the topic, I became aware of the fact that certain cybercriminals are in fact attempting to use the ZeuS Tracker to build a hit list of potentially exploitable targets.
A trend, a fad, or someone’s basically scratching the surface here?
Thorsten: I see this as a trend: since the information is freely available, it makes sense from an attacker’s point of view to take advantage of it. Presumably it requires only some coding effort to crawl ZeuS Tracker, extract the info about the dropzone, and then probe it for open access or vulnerabilities.
Managed crimeware services, or raw crimeware logs as a service?