Microsoft, working with others in the financial services and computer security industry, has disrupted a number of botnets being used by the Zeus malware family.
The company claims that botnets using ZeuS, SpyEye and Ice-IX variants of the ZeuS family of malware are responsible for nearly half a billion dollars in damages.
Office buildings in Illinois and Pennsylvania were raided by US Marshals, accompanied by Microsoft investigators, on Friday, and web servers being used by cybercriminals deactivated. The seized computers will be examined to see if they reveal further information about who might be behind the criminal campaign. At the same time, the firm seized control of hundreds of web domains being used for malevolent purposes.
Microsoft’s Digital Crimes Unit even put together a natty video, giving a little colour to the operation:
Of course, Microsoft has a big interest in making the internet a safer place. Most malware, for instance, targets Windows rather than Mac users – and the last thing Microsoft wants is for the prevalence of malware to be a reason for people to purchase their next computer from Apple instead.
Frankly, I don’t care if Microsoft doesn’t have entirely altruistic motivation for bringing down the bad guys – I’m just glad that they are actively pursuing those responsible for organised cybercrime, and trying to make the internet safer.
So far, SophosLabs hasn’t seen any evidence of significant disruption to Zeus’s activities through Microsoft’s action. Because Zeus and SpyEye are sold as kits, any takedown against specific botnets will not affect all the other botnets which are still out there.
Since the kits are still available (freely in source form in the case of Zeus), it is highly likely that we will continue to see botnets created using them.
Microsoft and the National Automated Clearing House Association have filed an action against almost 40 as-yet-unnamed “John Does” in connection with the investigation. So far all that has been made public are the suspects’ aliases:
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits and the JabberZeus Crew
Some of these individuals are said to have written the Zeus or SpyEye code, others are said to have developed exploits which helped infect victims’ computers. Others are said to be, or have recruited, money mules who laundered the proceeds of the criminal scheme.
Ultimately, the most important thing will be to bring those who write the malware, sell the malware, buy the malware, or profit from its use to justice. Taking over web servers is one thing, but unless the people behind the Zeus and other malware operations are brought to book, the crime is just going to continue.
Further reading:
- Read the full complaint against the Zeus botnet operators.
- Read “What is Zeus”, a technical paper by James Wyke of SophosLabs.
The whole botnet situation would not be such a problem today if Microsoft had not released such buggy and poorly developed software for so long. What is surprising is that computer users did not wake up long ago and adopt the safe practice of not using Microsoft software.
How little you understand. The many professionals such as myself who read these articles do so to improve our knowledge of the topic and are not interested in pointless editorials.
If they had, then it would be Linux, Mac or whatever else turned out to be the "prevalent" operating system. We would have the same issues with these, as well. Admittedly, Linux, with its multitudes of free software and free distributions would mostly eliminate the whole "keygen" and associated trojan issue, however as has been proven time and time again, the cybercriminals would adapt and not only go after (or create) vulnerabilities in these systems, but many more malware would be written/aimed at Linux operating systems. In addition, there would be a paradigm shift in the social engineering aspect of infection, thus leaving people as vulnerable as they are now, with their Windows systems.
Statistically, Linux has by far fewer bugs per line than Windows (I don’t remember the exact figures). The Windows code-base is larger than Linux with far fewer eyes to go through the code. What did you expect the result to be?
Pete's right. For evidence we can look at the huge growth in the numbers of trojans and malware in Android phone apps that we're now seeing.
The naysayers have been saying that for years, about how market share of the operating system somehow attracts the security threats, but that's a strawman argument that's based on FUD (Fear, Uncertainty, and Doubt). The dominant platform in the server industry has been Unix and Linux, yet we don't see Unix and Linux servers being taken over like we do Windows PCs.
The root of the problem is that computers, and specifically computers running Microsoft Windows, were designed to be used by professionals in a closed environment. The Internet changed the threat level, but worse was adding tens of millions of users who were less interested in learning about how it works and more interested in chatting with friends and downloading free stuff online. It is amazing how many people I catch running their personal computers as the Windows root user. They don't want the hassle of having to enter passwords before installing anything, and they think that the bundled anti-virus running in the background somehow protects their PCs from all threats. With some of them, it's clear how much junk they download because their Desktop is littered with the icons of all the downloaded junk from the stuff they've installed. File extensions are hidden, and they have no clue what an executable is, or how a package installer works. They just click, click, click, and then move on to the next thing.
The problem is much reduced with Mac OS X, because you have to be interested in computer science enough to figure out what a root user is and how to enable it. Not so with Linux, but generally the people who look to use Linux will heed the warnings about not running as root, and they're smarter than most Windows and OS X users are about the potential security threats.
Malware is successful predominantly because the victims are stupid and gullible. That's how scams on social networks spread, by exploiting victims' urges to get a "free iPad Doesn't Exist before they're gone" or to "Turn your Facebook icon pink if you're one of the first 2,500 people to sign up for the Gold Plan Doesn't Exist." Then the scammer takes over the victims' PCs or online accounts, and uses them to attack others. When approached about the problem, one person I talked to about it said: "How do you know that, that it's not real?" Um, because your social networking page is filled with garbage that you're also sending to your subscribers, and because the stupid item that you think you're going to receive doesn't even exist! "I want to be sure, so I just click on everything," she said. Yeah, you and millions of others online.
Just look recently at how many people would give a potential employer their Facebook passwords. There shouldn't be anybody doing that, but there is a large minority of users who don't see anything wrong with it. Extend that to their online banking, and other systems, and the threat is revealed. These users are a security threat, willing to let their systems be compromised, and they don't care.
There are too many computer users who believe that computers are controlled by voodoo, and that's the biggest risk to a secure environment on a wide-area network.
Linux & UNIX servers don’t get taken down & abused? AHEM: BULLS****! Proof’s here (& this is only a TINY sample thereof):
LINUX SERVERS HOSTED THE DUQU MALWARE/BOTNET:
http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers
LONDON STOCK EXCHANGE SERVES UP MALWARE (it runs Linux):
http://www.securityweek.com/london-stock-exchange-web-site-serving-malware
LINUX BASED VOTING MACHINES SACKED BY MALWARE MAKERS/HACKER CRACKERS:
http://www.theregister.co.uk/2010/10/06/net_voting_hacked/
LINUX OWN SOURCECODE REPOSITORIES HACKED/CRACKED INTO:
http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
http://www.theregister.co.uk/2011/10/04/linux_repository_res/
Want more?
I can easily & GLADLY supply proofs of them, and far more, that illustrate this “Linux = SECURE” b.s. is just that, PURE b.s.!
The ONLY REASON Linux has remained less attacked on PC’s &/or Servers (key is that), is that it is LESS USED BY FAR on them both combined, & is using “security-by-obscurity” to spread FUD around that it is ‘secure’ &/or “proof vs. malware &/or hacks-cracks” of it!
See, usually, the “malware maker” of today in general is after monies, & the easiest “mark” (target)? THE END USERS!
No, not server admins (who generally should be more security knowledgeable, well, I take that back for Penguins, see above!).
The hacker/cracker types, & yes, malware makers/botnet masters??
They are JUST LIKE PICKPOCKETS in crowded streets, malls, train or bus stations… they go where people gather, and, face it: ON PC’S &/or SERVERS?? That’s MOSTLY Windows!
What further proves my assertion that Linux is no more secure than any other OS? Android!
http://www.pcworld.com/businesscenter/article/226193/android_malware_sees_explosive_growth.html
Android is a Linux variant, albeit, one that has gained the “lion’s share” of market in users out there on smartphones & it is BEING TORN APART on the security front, daily…
How? Mostly by what rides on top of it (JAVA/Dalvik holes), but there have been kernel level issues too ->
That alone is a PROOF that once a Linux were to gain more marketshare? It too, will be attacked, & do no better (possibly worse considering the above) than Windows.
Apple, via MacOS X, made the same “blunder” attempting to say “MacOS X = Secure” & Windows is not too… look what it got them! Yes, virus & malware too… despite that utter line of FUD b.s. from them as well!
APK
P.S.=> Want more proof of any statements of mine above? I can gladly, & EASILY, supply it in minutes… just ask – I, in turn, ask that the ‘flood of FUD’ from the “Pro-*NIX” people here cease, because I can show that for EXACTLY what it is (FUD) & that Linux and yes, MacOS X, were and ARE hiding behind “security-by-obscurity” (lack of users to attack, especially end users who are not “computer security gurus” & thus, are the “easy meat” to go after, & they’re after their MONEY, it’s not a kids’ game anymore))… apk
Android is not Linux. It is Linux based. The kernel is not the Linux kernel, the code is closed source, and the security of Java is almost non-existent, leading to the vulnerabilities seen in Android.
Linux servers hosting malware does not equate to vulnerabilities in Linux. The servers hosting the malware are not infected. Weak passwords, social engineering, and web based application flaws are why we see malware hosted on these servers.
The fact that you believe the MS codebase is just as secure as the Linux codebase belies your lack of understanding on the subject of security. Don't think for a moment that when the U.S. Dept of Defense chose Linux as their primary OS, the decision was made lightly. Microsoft and Apple just didn't pass muster. The same holds true for the FAA, the U.S. submarine fleet, Google, IBM et al.
Since you seem to be so sure of yourself on this one, I'd be happy to hear your arguments and evidence that MS Windows is just as secure as Linux.
So, to kick it off, here are the direct problems with your assertions thus far.
LINUX SERVERS HOSTED THE DUQU MALWARE/BOTNET:
This was a password brute force attack. aka a weak password. Could happen to any OS. Found this out by following your link. Who is spreading the FUD here?
LONDON STOCK EXCHANGE SERVES UP MALWARE (it runs Linux):
The Malware was spread via an ad-share system. Found this out by following your link. Who is spreading the FUD here?
LINUX BASED VOTING MACHINES SACKED BY MALWARE MAKERS/HACKER CRACKERS:
The OS remained secure but the Ruby on Rails application running on the webserver was very badly written. It was never actually attacked. The article is about security researchers uncovering problems with the application, not the OS. Found this out by following your link. Who is spreading the FUD here?
LINUX OWN SOURCECODE REPOSITORIES HACKED/CRACKED INTO
Again, no one hacked these servers. The attack came from stolen credentials. They simply logged in. Those credentials were used to install a rootkit. Found this out by following your link. Who is spreading the FUD here?
Your move sir.
Does Android use a Linux kernel? Yes. It is indeed, a Linux variant then, no questions asked.
Linux gets chosen over Windows for 1 reason usually: Zero cost of purchase. Keeps unit costs of projects and things like phone handsets down.
Now, per what’s in my p.s. below AND above (more exploits of various Linux kernel distro source repositories, worms on Linux, bugs in the Linux kernel (some fixed of course, just making a point it has been ‘hit’ that way too over time & FAR MORE))?
WELL… You can make ALL THE EXCUSES YOU LIKE, & try to put a “spin” on it, but Linux does get “taken advantage of”, & just like Windows usually does, by things that run on top of said kernel and in the kernel itself, if not how it is set up very weak by its administrators in its sourcecode repositories even.
Now, above all else, answer me a question:
IF LINUX IS “SO GREAT” WHY IS IT DEAD LAST IN TERMS OF OVERALL MARKETSHARE ON BOTH PC’S &/or SERVERS COMBINED THEN?
APK
P.S.=> All the “spin” in the world like you’re attempting doesn’t turn away the fact that yes, Linux has had kernel vulnerabilities and has been taken advantage of!
So, that said?
Here’s some MORE examples (although its kernel repositories @ kernel.org being ‘busted into’ isn’t speaking worlds about it, or even IF something hasn’t been ‘snuck into’ it via some obfuscated code trick or other means (the servers it resides on being compromised in some sneaky way)):
GNOME TERMINAL BUG:
http://linux.slashdot.org/story/12/03/08/1441215/data-breach-flaw-found-in-gnome-terminal-xfce-terminal-and-terminator
LINUX ADORE WORM:
http://news.cnet.com/2100-1001-255283.html
LINUX LION WORM:
http://news.cnet.com/2100-1001-254672.html
LINUX BOTNET (MacOS X too):
http://www.theregister.co.uk/2011/01/19/mac_linux_bot_vulnerabilities/
LINUX BITTEN BY KERNEL REGRESSION BUG 2nd TIME:
http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/
LINUX EXIM BUG:
http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
LINUX KERNEL BUG GAVE HACKER/CRACKER BACK DOOR:
http://www.pcworld.com/businesscenter/article/205867/linux_kernel_exploit_gives_hackers_a_back_door.html?tk=hp_new
LINUX GOES DOWN FIRST HOUR ON THE JOB @ LONDON STOCK EXCHANGE:
http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch
LINUX KERBEROS SECURITY BUG:
http://news.slashdot.org/story/11/02/15/2344257/Remote-Bug-Found-In-Ubuntu-Kerberos
LINUX BASED ROUTERS FALL TO SECURITY BUG:
http://www.theregister.co.uk/2011/03/10/router_rooting_malware/
CRITICAL WIFI SECURITY BUG IN LINUX:
http://it.slashdot.org/article.pl?sid=07/04/15/1515259
REDHAT & FEDORA ROOT SERVERS COMPROMISED:
http://linux.slashdot.org/article.pl?sid=08/08/22/1341247
UBUNTU SERVERS HACKED:
http://it.slashdot.org/it/07/08/15/1341224.shtml
WEAKNESS IN LINUX KERNEL BINARY FORMAT:
http://it.slashdot.org/it/06/10/03/2122220.shtml
LINUX KERNEL BUG ALLOWS ROOT EXPLOIT:
http://linux.slashdot.org/story/10/09/20/0217204/Linux-Kernel-Exploit-Busily-Rooting-64-Bit-Machines
LINUX SUFFERS USB AUTORUN HACK:
http://linux.slashdot.org/story/11/02/07/1742246/USB-Autorun-Attacks-Against-Linux
UBUNTU SERVERS HACKED:
https://wiki.ubuntu.com/UbuntuWeeklyNewsletter/Issue52#head-b009291e4151391137b8f04a53adea995d0ee280
JAGUAR XJR SUFFERS CRASH ON LINUX:
http://tech.slashdot.org/story/10/08/14/1313256/New-Jaguar-XJ-Suffers-Blue-Screen-of-Death
LINUX KERNEL BUG ALLOWS ROOT PRIVILEGE ESCALATION:
http://linux.slashdot.org/story/10/08/19/2133246/Root-Privileges-Through-Linux-Kernel-Bug
LINUX PASSWORD BUG – READABLE IN CLEAR TEXT:
http://it.slashdot.org/it/06/03/13/0525254.shtml
LINUX PASSWORD SECURITY VULNERABILITY EXISTED FOR 13++ YRS. BEFORE GETTING FIXED:
http://it.slashdot.org/story/11/06/20/2257229/13-Year-Old-Password-Security-Bug-Fixed
Oh, on your comment that “Windows didn’t pass muster”? Which OS had C2 Orange Book level security FIRST, Windows NT-based OS, or Linux??
Afaik?? There are NO “A” rated OS that are in mainstream commercial usage (could have changed though) & also, afaik? Only HP/UX has gained B2 level certification…
APK
P.S.=> Did you also know that Linux MAC (mandatory access control – a ‘copy’ of what existed on Windows NT-based OS in ACL’s for years @ the filesystem + registry level no less) was not even PRESENT in Stock/OEM Linux, until the NSA “bolted it on” & many complain it’s a bitch to setup & use (no more than securing Windows though), AND, that because Linux lacked TRUE usermode threads & completion ports work as well as re-entrant code, it was not considered a SERVER CLASS SMP READY OS for years AFTER Windows NT based OS as well?
Yes, they had to COPY MICROSOFT for those things essentially (& “imitation is the sincerest form of flattery”)… apk
MORE “GOOD SECURITY SHOWINGS” (not) from LINUX:
—
Linux Foundation, Linux.com Sites Down To Fix Security Breach: (lol)
http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach
—
Linux’s showing in CA’s breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)
http://uptime.netcraft.com/up/graph?site=StartCom.com
http://uptime.netcraft.com/up/graph?site=GlobalSign.com
http://uptime.netcraft.com/up/graph?site=Comodo.com
http://uptime.netcraft.com/up/graph?site=DigiCert.com
http://uptime.netcraft.com/up/graph?site=www.gemnet.nl
The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)… per these articles verifying that:
http://itproafrica.com/technology/security/cas-hacked/
&
http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811
—
The Stratfor SECURITY hack: (can’t blame it on poor setup, this IS a security firm that uses Linux)
http://yro.slashdot.org/story/11/12/28/1743201/data-exposed-in-stratfor-compromise-analyzed
What’s that domain run? Yes kids – you guessed it: LINUX -> http://uptime.netcraft.com/up/graph?site=www.stratfor.com
—
Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, MySQL, PHP)
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE/EXCERPT:
“Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers”
—
APK
P.S.=> Put ALL THE “SPIN” YOU WANT TO *TRY* TO PUT ON THE ITEMS I HAVE POSTED REGARDING FAULTS IN SECURITY ON LINUX YOU LIKE, but, the fact remains that it’s been torn up too, and ANDROID (yes, it is a Linux variant) only shows that even more so…
What was it YOU said earlier now?
“Your move, sir”
Go for it – I gave you enough to ‘chew on’ for a while in my 3 replies to you now… good luck ‘disproving’ them (or rather, putting your “spinmaster tactics” to work)… apk
Peter, my love, I missed you so much, you and your clueless incoherent rants about linux security.
Your Precious
@ APKLover – Is THAT “the best you’ve got”? Off-Topic illogical FAILING ad hominem attacks?? Face facts – YOU, fail… period!
APK
A pity MS can’t afford to have this video’s speech in sync.
Patching your system would be a good start but unfortunately people seem to ignore this first basic step even.