Schneier on Security
A blog covering security and security technology.
May 11, 2009
Zeus Trojan has Self-Destruct Option
From Brian Krebs at The Washington Post:
One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct. Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control.
But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.
This is bad. I see it as a sign that the botnet wars are heating up, and botnet designers would rather destroy their networks than have them fall into "enemy" hands.
Posted on May 11, 2009 at 12:25 PM
It appears that we (someone with the wherewithal to do so) can recognize members of a botnet. So, why don't we shut them down, or cut them off from access to their network, or just run their output into the bit bucket? Are those bots more important left alive? Are some of our government agencies running these botnets? Shut'm down!
> Self-Destruct Option
This phrase seemed to me to describe the trojan self-destructing, disabling itself. Disabling the host computer would of course disable the zombie. Does a mine (ocean or land) self-destruct?
Yeah, "self destruct" seems like badly chosen terminology.
It would be better to say that the malware includes a "nuke" option -- functionality which, if invoked, tries to wreck as much data as possible on the host machine.
This has a potentially positive effect, if it frightens owners of Windows machines into taking security precautions.
> why don't we shut them down, or cut them off
> from access to their network, or just run their
> output into the bit bucket? Are those bots more
> important left alive? Are some of our
> government agencies running these botnets?
> Shut'm down!
Oh, I think I know this one.
Owners of these computers are paying customers.
@ -ac- who asked, "Does a mine (ocean or land) self-destruct?"
Sometimes. From wikipedia.org: "Some types of modern mines are designed to self-destruct, or chemically render themselves inert after a period of weeks or months to reduce the likelihood of civilian casualties at the conflict's end."
I know for a fact that a large software company based in Redmond, WA monitors botnets and has the ability to just type 'unload' and get bots off of millions of infected PCs.
But, according to the lawyers, doing so is illegal. So their hands are tied and they have to just watch the bots work.
Well I would also see it as something to do in a botnet war if you found the machine run by a rival gang. Trigger its self-destruct...
The person will likely reinstall and you might not need to deal with the rival's software when you get to the machine again. Or if you are a nihilist luddite then you are showing the world why technology is wrong.
Darn there goes a perfectly good movie... Hackers 2 Electric Vindaloo. A team of teenage hackers find that a group of nihilist luddites (eg greenies) have taken over various criminal botnets ready to destroy trillions of dollars of assets. Will the hackers stop the Greenies? Will they avoid the Russian criminal mobsters who think the teenagers are the reason the Ruskies have lost control? Will Bruce Schneier's cameo appearance as retired Kung Fu Hacker save this plot?
According to the article, ZEUS' README says:
"kos - incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!"
What does this do? It seems to be messing with the registry, but does this really "nuke" the OS unrecoverably, as (say) a disk reformat of C: would? Would you really not be able to restore the system offline, using a boot disk?
"One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct."
Actually, that's the case for any machine running proprietary software. Hence foreign governments being eager to switch to free software, which they can inspect to see that it really makes their computers do what they want. And it's not even all theoretical, the Windows activation stuff for example is essentially a partial kill-switch.
Now of course there's a legal difference, but not much of a technical one.
Are you saying that you can recover the machine by a simple install of a second instance of the OS... run a backup of the data, slick and reload the device and be back in business, OR just run off the second instance? ...Yeah, I guess that would work. Seems a sort of an annoyance but nothing more fatal.
>I see it as a sign that the botnet wars are heating up
For some reason, now I just picture you as Yoda.
"Begun, the botnet wars have."
To be honest, I'm quite surprised this hasn't been more widespread already: with rootkits and disabling common AV products, trashing the host OS to cover their tracks seems an obvious step.
I had an infestation last week - not sure whether it was a botnet or regular malware - which disabled both regedit and some disk access (the Windows disk admin tool couldn't run, for example, and USB drives couldn't be mounted because enumeration was blocked). I'm not sure whether this was intentional or the result of a sloppy rootkit corrupting driver structures.
Of course, just trashing the HDD contents is one thing; what will be interesting is the first to corrupt the system BIOS and/or drive firmware. Some already have 'watchdog' code which reverses partially successful cleaning attempts; having an additional chunk of code which disables the system after a "successful" cleanup makes sense, and could get a lot of users very, very unhappy with their AV vendors...
And what exactly is bad about a bot-infected system or a whole net of those systems going offline? Well, the for-quite-a-while-not-anymore-owner of the system loses his or her data - unless backed up -, but maybe they learn something from it.
@ Ben Rosengart,
"This has a potentially positive effect, if it frightens owners of Windows machines into taking security precautions."
First is :- to the average joe, if their machine blows up or dies in some way then either it's a warranty repair or down to "numb-nuts-R-us" PC-Droid vendor support, where they get told "Oh my god the world has fallen in" and "we can recover your data for X" (where X is 0.5-0.8 of what the machine would cost to replace).
So off to the skip it goes 3 out of 5 times (or it's Internet equivalent E-Bay).
Secondly :- The machines almost certainly had a "60 day" free-trial anti-malware etc on them when sold, so what is the how and the why of the malware getting in...
Which brings us around to a very very touchy subject which is only going to get worse with time.
Both Microsoft and the anti-malware vendors are guilty of hogging a huge amount of Internet bandwidth.
Further folks just don't trust them, or want to wait two hours just to place an order with "FoodCo's on line" etc. whilst their "rules" are being updated or patched or whatever the vendor likes to call it.
Further, some anti-X vendors are truly hopeless; more than one major vendor has no effective way for a system owner to "back out" the patches and updates or remove the software and leave the machine in a sane and safe state.
You "reap what you sow" and in the case of MS and the Anti-X vendors I feel the E is in the wrong place...
But this misses the point which is,
Most clever malware attacks are going to be out there and into a whole bunch of systems before the likes of MS and the anti-X vendors are even aware of it. Therefore even diligent system owners are going to get botted before the updates are available and downloaded on their machines.
The only sensible course of action for individuals would be to use a machine that cannot be "owned", which although practically possible is logically impossible (if you think about it). Therefore the next best is a system that once turned off loses everything downloaded to it.
Why ride a train you know is going to crash sometime when you can simply get off and go another way?
Of course there is another way to slow the spread of these things down, but you would need to co-opt all ISPs etc, which is to block access (by whatever method) to the control network.
But this will just perpetuate the arms race and as we now know the malware people are always going to win...
@-ac-: Seabed moored mines (those big metal balloons with spikes sticking out, like you see in war movies) back well prior to WWII were SUPPOSED to be designed to disarm themselves if they broke free from their moorings. That way if they break loose and float out of the combatant area they would not harm neutral shipping. So if you can see one on the surface, it should be inert.
Of course, these are the same international agreements that prohibit poison gas, abuse of prisoners, killing civilians, nuclear proliferation etc; so act accordingly if you see your ship heading towards one.
@Stephen Smoogen: The person will likely reinstall...
Is it still true that the reinstall process is likely to produce a gap in security, in between when the machine is up and running on the net, and a bit later, when all the patches and security settings are complete?
I was thinking that initiating self-destruct even on a competing botnet would be a bad move, since there would be a good chance the owners would become more security-conscious, and the machines might be lost to future botnets altogether, but it's possible that if you could gain enough control to trigger a delete/reinstall cycle on the computer with a known IP address, it could be a way of compromising a foreign botnet's computer for your own use.
Is that for real?
Surely a large software company based in Redmond, WA would have the wherewithal to lobby/encourage a change in the law to accommodate such a noble gesture...
The assumption here is that the zombie computer is more useful to its owner than no computer at all. It is however less useful to the internet as a whole.
I wonder why nuking a victim's system is not more usual. I would expect that after an attacker collected a victim's valuable data such as accounts etc., paralysing the victim would have quite some advantages.
* first the victim cannot react online - let's say for checking accounts.
* second, if only parts of the system were destroyed, the victim will probably reinstall the system without suspecting an attack (i.e. the usual windows crash... ;) ). And reinstalling a new system would certainly cover some tracks left by an attacker.
Of course, if somebody is interested in running a bot net of zombies, that is something else than plundering...
@Thomas - I'm no Wintel expert, but the logs left on a Windows machine are minimal to start with. It would presumably be easier to clear out the Event Log via the API, than to be certain of trashing the entire hard disk.
Even with *nix, "dd if=/dev/zero of=/dev/rdsk/c0t0d0s0" type commands can fall over part way through due to their own destructiveness. Hmm; install a bootloader to trash the HDD on subsequent reboot would be pretty robust...
What I want to know is why the anti-virus software doesn't warn you in big bold letters that "your trial period has expired, if you want to remain protected from viruses, click here" (with the link going to the on-line store to unlock the full version)
@P: I really don't believe you, generally because if that were true, why wouldn't they just release a Windows update (even to non-genuine copies) that would disable the bots, then get it posted in the news, websites etc.? Legal and effective!
The only point of a botnet's owner 'nuking' it would be to deny someone else the pleasure of using it, or to practically distance themselves from it (setting fire to the evidence I guess).
People commonly realise they have viruses because their computer's wholly or partially crippled. Case in point: the strain of Virtumonde that screwed up userinit, stopping people from logging into Windows. A well-written virus has zero visible impact on the computer it's infected, or people wonder what's up.
@Marq: FYI, nongenuine copies of Windows do still get "critical" (read: security) updates through Windows Updates. It's extra software/driver updates you don't get without paying for Windows.
@Jonathan Wilson: Antivirus products do scream at you to renew them, but people ignore it completely unless you've educated them about it. I still get computers at work with Norton AV 2005 that expired in 2006...
@Thomas: The first thing that usually alerts people that they've been scammed is their bank balance is out of whack. Killing people's Windows installs willy-nilly would just suggest to them something might be wrong - the longer a compromised machine stays unnoticed, the longer it could supply new CC details etc.
On the other hand, trojan networks that are doing real damage (like wiping computers clean) are a really good idea.
Without those no-one really cares. We will *not* have secure operating systems or anything better than current Windows until the majority of consumers want it. And if something like millions of computers are wiped clean by malware - which should be prevented by better security mechanisms on the OS side - consumers may wake up and demand a better response for their money.
@P: Microsoft already distributes its "Malicious Software Removal Tool" and people cheerfully run it, trusting MS's judgement about what is or is not malware. I don't see any legal reason why this couldn't be used to deactivate a known botnet.
I have a friend that does exactly what you say. He runs Knoppix off of a CD, no HDD in his machine, just a USB for personalization (if he is still even using that). A little less user friendly for him but very safe.
@pfogg: "Is it still true that the reinstall process is likely to produce a gap in security, in between when the machine is up and running on the net, and a bit later, when all the patches and security settings are complete?"
The Windows Firewall is activated by default since XP SP2 (or even SP1?) so if you install from a CD with this SP included, you should be rather safe. Same goes if you connect from behind a NAT box.
Of course, your first web browsing should be directly to the Windows update site to apply all available patches before actively doing anything else with the system.
I can't help but feel that the WaPo article is just a pretense for the reporter to publish the words "cyber criminal overlords".
The Zeus toolkit has another interesting trait for crimeware: a EULA.
The 'kos' command may also serve as a reminder to the Zeus users that the botnets they create might be vulnerable to being "killed" if they tick off the Zeus makers.
@ uk visa lawyer
Like the enormous success they had at defeating the anti-trust legislation?
I for one salute our new cyber criminal overlords
By "behind a NAT box" I hope you mean "behind a properly configured firewall".
NAT is not security and it's not a firewall. I know people think it is, but it is damn easy to tunnel/hole punch through a NAT layer.
NAT is a band aid to fix IPv4 inadequacies and makes the likes of IPsec or other things hard to do properly.
> I have a friend that does exactly what you say. He runs Knoppix off of a CD, no HDD in his machine, just a USB for personalization (if he is still even using that). A little less user friendly for him but very safe.
Knoppix is fairly easy to do but a little hard on some windows users.
There are toolkits that will enable you to build a DVD/CD run version of your XP etc windows box with some of the applications. Easier on the user, somewhat harder (change that to a lot harder ;) ) on the person making the CD/DVD.
There are now laptops etc with a stripped down version of Linux etc that will run before you go to the hard disk to load windows. The main purpose is for a quick boot for simple web browsing. A small change to protect the HD even more and "Bob's your uncle" 8)
However I'll wait to see what MS has offered in Windoze 7 just in case they have finally put their OS house in order, then of course there is all the apps...
Ok, I'll bite: How do I punch a hole through a NAT box from the outside (internet) to inside (one of my boxes). Say on port 22.
It's easy to punch a hole from the inside. That's the entire point of NAT. But from the outside?
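The point the two comments above make, that an inside host opens its own return path while unsolicited inbound traffic is dropped, is the textbook behaviour of a port-restricted NAT. The toy translation table below is an added example written for this page (not code from the post or its commenters); all addresses are constructed sample values, and it is the reason a NAT box does not substitute for a host firewall or egress policy.

```python
"""Toy port-restricted NAT: why NAT is not a firewall (added example)."""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.10"  # constructed (documentation address range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # inside 4-tuple -> public port
    in_map: dict = field(default_factory=dict)   # public port -> inside 4-tuple

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host sending out creates (or reuses) a mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Inbound traffic is forwarded only if it matches a mapping the
        inside created, from the same remote endpoint; otherwise dropped."""
        entry = self.in_map.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: no mapping, dropped
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # port-restricted: wrong remote endpoint, dropped
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> dict:
    nat = Nat()
    inside, remote = "192.168.1.20", "198.51.100.7"  # constructed hosts
    # 1. Unsolicited inbound to port 22 from the Internet: dropped.
    unsolicited = nat.inbound(Packet(remote, 4444, PUBLIC_IP, 22))
    # 2. The inside host connects out (a beacon); this opens the mapping.
    beacon = nat.outbound(Packet(inside, 51000, remote, 443))
    # 3. The remote side answers on that mapping: delivered inside.
    reply = nat.inbound(Packet(remote, 443, PUBLIC_IP, beacon.src_port))
    # 4. A third party probing the same public port: still dropped.
    probe = nat.inbound(Packet("192.0.2.99", 443, PUBLIC_IP, beacon.src_port))
    return {"unsolicited_dropped": unsolicited is None,
            "beacon_public_port": beacon.src_port,
            "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
            "probe_dropped": probe is None}


if __name__ == "__main__":
    print(demo())
```

The model shows that the NAT blocks nothing the inside host itself initiates, which is exactly the direction a bot's traffic takes.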
"Microsoft already distributes its "Malicious Software Removal Tool" and people cheerfully run it, trusting MS's judgement about what is or is not malware. I don't see any legal reason why this couldn't be used to deactivate a known botnet."
The MSRT and patches only go to those who have agreed to download/run them. I'm guessing most botnet infected machines don't auto-apply patches, and MSFT can't legally over-rule the machine owner's previous selection... And even if the machine originally auto-applied patches, the malware certainly disables that, and they can't distinguish between malware-disabled patching and actual users changing their settings not to auto-update.
In a way, this is a good thing.
It's bad for the affected users, of course, but it's ultimately self-defeating for botnet creators. If botnets have a tendency to explode catastrophically, the cause becomes rather public.
As it is right now, you might have 100,000 hosts in a botnet, but those 100,000 users think of themselves as individuals with an individual problem when they discover that their machine is hacked. They fix it and move on.
If a 1,000,000 host botnet spontaneously eats its own brain, those 1,000,000 users will all be affected at once, which is going to bring the scale of the problem immediately to light in the minds of the general public.
Instead of it being "my problem" in the mind of the affected user, it's "our problem" in the mind of the affected user community.
'Instead of it being "my problem" in the mind of the affected user, it's "our problem" in the mind of the affected user community.'
And thereby starts a problem.
The result almost certainly will be legislation but of what form?
I suspect it will be "Cyber terrorism" whereby the likes of MS etc are let off the hook and draconian sentencing will be abused by the likes of the RIAA etc to put young, fairly inoffensive individuals away until they are too old to be parents.
The real cyber criminals, who in all likelihood are in some other jurisdiction, will slip away quietly under the radar to carry out some new method of making money out of hapless individuals and their PCs.
@Paeniteo: The Windows firewall is utterly useless. It does not block any traffic until you press the deny button, at which point most of the fun stuff has already left your computer. Also, it never ever asked to let through Opera or certain games on my own PC.