Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result.
The creations of Swiss security expert Roman Hüssy, ZeusTracker and its sister service SpyEye Tracker have endured countless distributed denial-of-service (DDoS) attacks from botmasters apparently retaliating for having their network infrastructure listed by these services. At one point, someone wrote a fake suicide in Hüssy’s name and distributed it to his family and friends, prompting local police to rouse him from slumber to investigate his well-being. But, those attacks haven’t deterred Hüssy or sidelined his services.
Now, the attackers are beginning to consider stealthier and more diabolical ways to strike back. A series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveals that botmasters are becoming impatient in their search for a solution that puts Hüssy and/or his tracking services out of commission once and for all.
“DDoSing doesn’t bring satisfactory results. We’re now working on mapping his entire infrastructure, flag his scripts,” writes a user named Sal, who claims to specialize in providing bulletproof servers. “Now we will engage in a pinpointed assault. This should be cheaper + should bring results at least temporarily….Let’s brainstorm here.”
Other members join the discussion. One suggests pooling funds to hire a hitman. “It’s easier and more productive to just use a joint fund to hire a killer, and story’s over,” writes user “Femar.” Another forum member named “Deviant” recommends dosing Hüssy with organic mercury. “Dimethylmercury – the fluid has no color. One drop on your hand will penetrate thick latex gloves. Lethal result is guaranteed within one month.”
But forum members seemed to coalesce around an idea for seeding the ZeuS and SpyEye configuration files (those that list the location of key parts of the botnet, such as the place to deposit stolen data) with legitimate Web sites. Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers.
I caught up with Hüssy via instant message yesterday, and asked whether he’d seen any SpyEye or ZeuS configuration files seeded with legitimate sites. He just laughed.
“ZeusTracker checks if a command and control server is really up before adding it to the blocklist,” Hüssy said. “These guys have no clue how ZeusTracker works.”
Toward the end of February, a user named “Hobo” from the criminal forum refreshed the discussion about taking on Hüssy’s creations, observing that “A month has passed and the tracker is alive and kicking, more than ever.”
Sal responds by acknowledging that the blacklist plan didn’t seem to pan out. “Hobo, it’s too expensive to shut down. I was the only one with the initiative. It would be cheaper to resolve the problems in the way our system works. Nevertheless, this was not a useless effort. I understood what I needed from [ZeusTracker] work methods, filtered away a lot of bots, and made Roman Hussy pay exactly what he cost me. Made myself and my clients safe. Still, we’re interested in actively working against the tracker, but I need people that share my ideas, as I don’t have a lot of time to spend on this. Me and my employees don’t have the time to make ALL the ideas we accumulated here work. And I’ll say this now — I don’t need the money. I need participation.”
Sal closes by wryly noting that having ZeusTracker and SpyEyeTracker around isn’t all bad, because it tends to do a good job of killing off botnets run by novice hackers who don’t know to watch out for the services.
“P.S. – this is directed to people that do hosting around here, if you learned to fight the tracker, having it around is pretty valuable since all the newbies and users of publicly available trojan versions go down quickly with it, but my altruism will die last!”
It appears that the latest salvo against Hüssy’s projects comes straight from the author of SpyEye himself: According to a blog post from RSA FraudAction Research Lab, the latest version of SpyEye ships with a plugin that is configured to attack the SpyEye Tracker domain that is dedicated to tracking SpyEye command and control servers. From that post:
“It is worth noting that more recent versions of SpyEye support the inclusion of separate modules, in the form of distinct DLLs. The Trojan’s builder is even sold with a Software Development Kit (SDK), to facilitate the development of new modules by individual botmasters. This enables cybercriminals to independently author various plug-ins, like the DDoS plug-in we traced, and include them in their own SpyEye variants.”
RSA said it also found a variant of SpyEye that employs the bogus configuration file listings discussed in the fraudster forum.
“The FraudAction Research Lab recently uncovered this exact kind of contaminated configuration in a variant of SpyEye 1.3.10 (the latest SpyEye version seen to date). In addition to genuine SpyEye drop points — collectors.txt — the file used to configure the Trojan’s drop points, was found to contain legitimate domains, such as google.com, myspace.com, and vkontakte.ru (a popular Russian social network).”
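The poisoning trick described in the forum thread and in RSA's write-up, and the defense Hüssy describes (verify a listed server is really a live collector before blocklisting it), can be shown in a small ingestion routine. This is an added example, not ZeusTracker's or SpyEye Tracker's own code; the collectors.txt content, the `fake_probe` liveness check and the `REVIEW_DOMAINS` list are constructed assumptions for the demonstration.

```python
"""Blocklist ingestion that resists configuration-file poisoning.

Constructed example: a drop point taken from a bot config is only
blocklisted after an independent probe confirms it is behaving as a
collector. The probe is injected so this runs offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample modelled on a SpyEye collectors.txt that has been
# seeded with legitimate domains (assumption: one URL per line).
SAMPLE_COLLECTORS = """\
http://203.0.113.45/gate.php
http://google.com/
http://myspace.com/
http://vkontakte.ru/
http://drop.example-bad.test/gate.php
"""

# High-profile domains that never go on a blocklist automatically
# (assumption for the example; the page does not describe such a list).
REVIEW_DOMAINS = {"google.com", "myspace.com", "vkontakte.ru"}

@dataclass
class Verdict:
    blocked: list = field(default_factory=list)   # hosts that passed every check
    rejected: dict = field(default_factory=dict)  # host -> reason it was not listed

def parse_collectors(text):
    """Return the unique hostnames named in a collectors-style file."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = urlparse(line).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def build_blocklist(config_text, probe, review_domains=frozenset()):
    """Blocklist only hosts that a live probe confirms; park the rest with a reason."""
    verdict = Verdict()
    for host in parse_collectors(config_text):
        if host in review_domains:
            verdict.rejected[host] = "high-profile domain; manual review only"
        elif not probe(host):
            verdict.rejected[host] = "collector not confirmed live"
        else:
            verdict.blocked.append(host)
    return verdict

# Constructed stand-in for a real network probe: only one host actually
# answers like a drop point in this sample.
LIVE_COLLECTORS = {"203.0.113.45"}
def fake_probe(host):
    return host in LIVE_COLLECTORS
```

Run against the sample, only the confirmed collector is listed; the seeded legitimate domains and the dead drop point are rejected with a recorded reason, which is what keeps a poisoned config from costing the tracker credibility with ISPs.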
It’s not often we get such ground-level detail on how the criminals view the effectiveness of the countermeasures deployed against them. But it is clear from these and other threads on this forum that the botmasters will continue devising new methods of disabling the trackers. As Sal puts it, herding bots is a living, not a hobby.
“I’m not doing this as my hobby,” he wrote. “You think I’m afraid of anything? I have no time to be afraid. I’m working.”
Update, 9:54 a.m. ET: An entity that provides DNS services to ZeuSTracker and SpyEye Tracker sent me the following data showing recent traffic spikes from DDoS attacks.