Category Archives: Bad guys always lose

D(NS) Day – Nobody home?

The DNSChanger malware modified the local DNS settings of an infected PC. This meant that criminals could assume control over the DNS resolution of the victim computer, effectively redirecting it to any destination of their choice, rather than the bank or search engine the user originally intended to visit (for example).
This ability was used primarily for click fraud by the Esthosts gang, redirecting searches and sites, to generate revenue by defrauding advertisers and advertising networks.
PCs which are still infected by the malware, or whose settings have not been corrected, even after the infection was cleaned up, are still querying those criminal servers. The FBI have been operating those servers since the warrant was executed, but their right to do so has now expired and the servers will be shut down. Meaning that any queries from those 300,000 computers will fall on deaf ears and to all intents and purposes, the web will go dark for the affected users
At the time when Trend Micro co-operated with the FBI in bringing the Esthosts gang to justice, we believed about 4 million PCs to be affected. This number has since dropped to about 300,000 and this should be considered a success. However with the definitive shut-off of the criminal DNS servers today, those 300,000 people face a potential total loss of web access.
If you’re reading this, you’re ok, but if your neighbour comes to your door asking who broke the Internet, now’s your chance to play knight in shining armour. And if you work on an ISP help desk… May the force be with you!

Image Credit: Camera Eye Photography

Don’t be dumb, keep schtumm!

This quote “The sweep was part of a civil suit brought by Microsoft in its increasingly aggressive campaign to take the lead in combating such crimes, rather than waiting for law enforcement agencies to act” from this article is what motivated me to tweet “Opening civil proceedings “without waiting for law enforcement”, against 39 John Does and citing their online handles is a very dumb idea.”
The security industry and research organisations should work with law enforcement, not against it. All 39 of the online handles mentioned in the court submission (covered in my blog yesterday) are now fully aware that they are under active investigation and have the chance to “disappear”, probably to resurface elsewhere and carry on business as usual.
It is disturbingly similar to how the identities of the Koobface gang were exposed without waiting for due legal process, even though the intelligence behind this “exposé” was mostly generated in an industry group working with law enforcement towards an eventual prosecution. Once the information is published, without waiting for due legal process the criminals have a chance to go to ground.
Again in the Microsoft civil suit example, there is a reliance on information that was shared within working groups. The normal model is to collaborate across industry and come up with a shared result in terms of law enforcement. Marketing actions like this very much break that model.
The successful dismantling of the Esthost botnet with the arrest of the criminals involved is a true model of how the security industry and law enforcement can and should work together to better secure the internet and internet users. That investigation was 6 years in the making and led to the arrest of an entire crime ring and the dismantling of their infrastructure.
Long term law enforcement success should not be sacrificed on the altar of marketing initiatives.

Beginning of the end for ZeuS/SpyEye?

Bortusk Criminal Swag by bixentro

used by persmission from bixentro's Flickr photostream

In a court submission that runs to 162 pages, Microsoft and the Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, are pursuing the criminals they believe to be behind the ZeuS, SpyEye and Ice IX botnets
The codebase behind ZeuS, Ice-IX and SpyEye has a long and infamous history in internet crime, ZeuS has been around since 2006 (2007 is specified in the court submission) and is responsible for hundreds of individual botnets stealing millions of pounds from consumer and business bank accounts. SpyEye was originally set up as a competitor to ZeuS and even went as far as to remove ZeuS if it found it on a computer that SpyEye was trying to infect. More recently the two code bases have been merged into a single piece of crimeware.
The court submission from Microsoft, while it openly states that the identities of the “John Does” are currently unknown, does go a long way towards exposing the huge infrastructure behind crimeware of this nature. It specifies, three individuals identified as the original ZeuS, SpyEye and Ice-IX coders and two further code developers, two PDF and Flash exploit vendors responsible for creating malicious files that drop the bot onto your PC, three web-inject vendors who create the scripts that inject fake content into legitimate banking web sites, four individual botnet hosters and fifteen individual botnet operators, seven money mule recruiters, three specialists in cashing out stolen funds and one individual responsible for handling “incoming notifications of newly compromised victims”.
The court submission identifies malicious network infrastructure that spans the globe, from North America through the UK and Germany via Iran, Hong Kong and even Laos all the way to Australia. A total of 3357 domain names across 35 registrars have been identified as being related to what they are collectively calling “the ZeuS botnets”, with 1703 of those domains registered with Verisign. In raids on two hosting locations on March 23rd servers were seized leading to disruption of botnets and criminal activities. However, as Microsoft notes, this enforcement action only closed down two IP addresses and secured 800 monitored domains (from 3357), so the immediate effect can be expected to be minimal.
Of course, cybercrime is bigger than just 39 people and currently no specific individuals have been identified, but if nothing else, this indictment serves as a graphic illustration of the maturity of the criminal business model. Criminals such as Slavik and gribodemon have successfully evaded justice for many years, but let’s hope that this continued focus and international cooperation across the security and law enforcement communities can eventually make a significant dent in their illegal operations.
The ZeuS Tracker project, which lists Command & Control servers around the world is today listing 806 ZeuS and Ice IX servers, 343 of which are currently online and active. SpyEye Tracker lists 487 servers globally, of which 16 are currently active.