About a week ago, I wrote about a newly-discovered botnet attack that had compromised something like 75,000 computers in 2500 organizations. That attack was carried out using a variant of the “Zeus” malware package, and was notable for its sophistication, and for its focus on stealing banking and login credentials.
The attacks themselves, and the people that initially craft them, have become much more sophisticated over the years. As always, there is an “arms race” between the attackers and the security folks responsible for protecting the target systems. But the people who actually launch the attacks don’t have to be all that sophisticated. Now, according to an article in Technology Review, the necessary software to mount a very sophisticated attack has been packaged as a product available over the Internet.
In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.
The developers of this malicious software are becoming just as good at packaging and marketing it as the legitimate software vendors. The Zeus platform now supports “plug-ins” and “extensions”, just like, say, Firefox. Some of these add-ons are “exploit packs”, which contain code to exploit vulnerabilities in particular operating systems or applications. There is, apparently, a wide variety of add-ons available:
Some add-ons focus on phishing attacks–delivering the images and Web pages needed to create fraudulent banking sites, for example. Other add-ons give bot operators the tools to create spam campaigns.
Want to steal credit card numbers or bank login info? There’s probably an app for that. The platform kits also include tools to help obfuscate the contents of the finished malware package, making it less susceptible to detection by anti-virus and anti-spyware programs.
The net result of all this is that now, even technically inept crooks can easily obtain fairly sophisticated attack tools; and, at this point, the Bad Guys are winning the arms race. In addition to using anti-malware tools and firewalls to protect systems, it is also a good idea to carefully monitor the traffic on your network. (This requires, of course, that you have a pretty good idea of what normal traffic looks like.) Identifying the command-and-control traffic between compromised machines and the botnet “controllers” is often the best way to track down an infection.
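The monitoring advice above can be turned into a simple check, shown here as an added example that is not from the original post or from any product it mentions. It assumes you already export flow records as (timestamp, source, destination) and keep a per-host baseline of normal destinations, and it uses the common heuristic that compromised machines check in with a controller at near-regular intervals; all addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: destinations each host normally talks to.
BASELINE = {
    "10.0.0.5": {"192.0.2.10", "192.0.2.20"},
    "10.0.0.7": {"192.0.2.10"},
}

def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip)."""
    flows = []
    # 10.0.0.5 contacts an unfamiliar host every ~300 s with small jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0]):
        flows.append((1000 + i * 300 + jitter, "10.0.0.5", "203.0.113.50"))
    # 10.0.0.5 also talks to a baseline host at irregular times.
    for t in [1010, 1100, 1900, 2000, 2950]:
        flows.append((t, "10.0.0.5", "192.0.2.10"))
    # 10.0.0.7 visits a new host irregularly (e.g. a person browsing).
    for t in [1000, 1020, 1500, 3100, 3110, 3900]:
        flows.append((t, "10.0.0.7", "198.51.100.9"))
    return flows

def find_beacon_candidates(flows, baseline, min_events=6, max_cv=0.1):
    """Return sorted (src, dst, mean_interval) for off-baseline, near-periodic flows."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        # Step 1: ignore anything that matches the host's known-normal traffic.
        if dst not in baseline.get(src, set()):
            times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few contacts to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Step 2: a low coefficient of variation means machine-like timing.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, interval in find_beacon_candidates(build_sample_flows(), BASELINE):
        print(f"{src} -> {dst}: new destination, ~{interval}s interval")
```

A hit is a lead for investigation rather than proof of infection, since legitimate software such as update checkers also polls on a schedule; that is why the baseline matters.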