The past few years, it seemed as if virus writers had moved away from doing actual damage to systems to instead focus on stealth, so that infected machines can silently, and unknowingly, be used for all sorts of malicious practices. Sadly, there are still those crackers out there that prefer the old-fashioned approach to these matters. The result: 100000 ruined Windows machines.
Zeus is a family of Windows malware that is special in that it has the uncanny ability to look completely unique on every infected machine, making it very hard to detect and remove it. Zeus is sold in kits for about 700 USD to all sorts of people with criminal intentions.
Zeus is also special for another reason: it has a kill switch, called “kos” (kill operating system). The help file (!) has this to say about it (Google translation):
kos – incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges – fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!
Roman Hüssy, a 21-year-old Swiss information technology expert, follows various Zeus servers, and was surprised to learn that this switch had actually been used on a botnet of about 100000 machines, located mostly in Poland and Spain. This is surprising because it’s counterproductive for crackers to shutdown a botnet.
Hüssy says he has no idea why the kill switch was flicked. “Maybe the botnet was hijacked by another crime group,” he said. It could also be, he explained, that it happened by accident. “Many cyber criminals using the Zeus crimeware kit aren’t very skilled.”
Another likely explanation, offered by S21sec.org, is that the botnet was shutdown so that the crackers get some extra time. “Taking the victim away from Internet connection – before the unwanted money transfer is realized and further actions could be taken.”
In any case, all the more reason to properly secure your Windows machines, or to switch to alternatives such as Linux and Mac OS X.
This is a good thing. Virii that kill their hosts die out in both computers and nature.
Why ebola never turned into a plague — burns itself out.
BTW, the plural of “virus” in English is “viruses;” in Latin, the plural is “viri.”
There is no plural for “virus” in classical Latin. In modern Latin, it would be “vira.”
http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us
Edited 2009-05-09 07:26 UTC
I stand corrected — thanks!
I did look up the word in the Latin dictionary, and I declined it as a masculine noun. But as the Wiki page explains, that is not recommended because there are no recorded examples of pluralizing neuter nouns ending in “-us”.
Edited 2009-05-09 07:59 UTC
Anyone else thinking or a particular scene in “Life of Brian”?
Haha.. I watched that scene just yesterday
Personally, I think it would be much better for us to drop all the pedantic anal-retention regarding pluralization and other silliness, and standardize this stuff. It is the pedants who are responsible for much of the mess that the English language has become. Pluralization should involve adding an ‘s’ (or ‘es’ if the word already ends in s). What’s the point in maintaining all the cruft regarding where the word originally came from and how pluralization was done in that, possibly even dead, language? It makes no sense other than possibly to give certain people a smug sense of being educated because they say indices instead of indexes, or radii instead of radiuses. This is English, not Latin, or French, or German, or freaking Dutch. And in English these are now English words and should be pluralized in the way English normally handled pluralization. (And don’t even get me started on “words” like ‘boxen’!)
Of course, I’m also in favor of complete reform regarding our rampant irregular verb problem, and a proponent of phonetic spelling. I suspect that much of this will happen over time. As English has spread around the world, and is brought into heavier daily use by the popularity of the Internet, more users of English are naturally using the forms which seem most logical and sensible, eschewing the ridiculous old cruft that ‘educated’ people cling to. And the pedants are loosing some of their influence.
You’re from the US, aren’t you?
Steve,
The language we share has a rich and varied history, with words of many origins. It is complex, but at the same time that is what gives it the richness it has.
My comment about your origin (since you ask) was because it is just SO seppo to want to reform the entire thing into a bland broth of phonetics.
Its been done once already. Further bastardisation will only widen the gulf between “US English” and the English spoken by the rest of the world. Will that really simplify things?
Besides, the last attempt at changing spelling to match pronunciation has only further skewed the pronunciation of many words. You buggers speak funny as it is
Virus is a actually a created 20th century English word with a Latin stem meaning alive. The original scientific term is filterable virus. The correct plural is viruses.
I was only talking about the Latin terms. The English plural is viruses of course.
errr… but virii is the proper plural in l33t, wasn´t it? 😉
In nature this is a mistaken view – it is true that viruses that adopt a typical long term parasitic relationship with their host will tend to become less virulent as the virus has a vested interest in its hosts survival, sometimes to the point where the virus ceases to be pathogenic, the integration of viral code into the human genome illustrates this.
However, this isn’t the only strategy – a virus that uses its host only briefly has no interest in its hosts survival, only rapid and effective transmission. For example very rapid dispersal and rapid transmission coupled with a high mutation rate – the common cold, or high virulence and rapid dispersal such as smallpox or rabies.
Fortunately I can’t envisage the computer equivalent of rabies so hopefully no one will get bitten by a PC foaming at the mouth.
They’re only Winblows boxes anyway.
I wish i could mod this down more then once.
I hate to blatantly agree, but alternatives to Windows are out there…
Yes, I’m sure the majority of people who this affected care about alternatives enough to want to bother trying to use them. This has less to do with Windows and more to do with the person operating it. But that’s alright, even though alternative operating systems don’t cure ignorance feel perfectly welcome to keep inviting them over to your platform so the cross-hairs of the mal-ware developers and bad press will shift somewhere else for a change.
If you took the time to notice there is a trailing dots afterwards to indicate the simple problem: the end user moves operating systems and they can’t run the software they like from the vendors they trust (aka, I want PrintShop Pro but the company doesn’t make a version to run on the operating system I’d like to run), the hardware – even when the operating system is bundled with the hardware isn’t fully supported (HP claiming SLED supports their laptop but the reality is that it is mired in problems).
With that being said, however, you are right – the weakest link is the end user; the patch that stops the conflicker worm from being spread was released October 28, 2008 last year and yet we have people here bending over backwards to justify the laziness of end users.
To those who blame the operating system company after they release an update months before the worm/exploit hits the web: Is it the fault of the oven company when someone puts on a dinner, walks away, and then the food gets burnt? is it the fault of the microwave company when the microwave blows up because someone puts a metal dish in it?
Edited 2009-05-09 06:39 UTC
Um… Yes?
j/k
In this case alternative are to blame , but not in the way you think , I don’t get why Alternative OS are not offering OS , free instalation and free suport to those in need. That would solve the Microsoft problem entirely in these cases.
Hardware problem ? return it for a refund or an exchange , or sue for false delivery … If your hardware is old , and don’t work with alternative , change or upgrade it.
For the software problem , you are the paying customer stop paying for single OS software maker.
It’s fun to read ” expert ” say that **conficker** is solved and that a patch exist …
http://en.wikipedia.org/wiki/Conficker
Many names , many variant , constantly updated , the real expert have no clue how it works or how to stop it but the “Microsoft security expert” and “internet forum security expert” say t’s solved … Bullshit.
Yes it’s the fault of the microwave company too , just add a simple metal detector and the microwave will refuse to start make it mandatory … exploding and dangerous thing are the responsability of the manufacturer and it’s their sole duty and first priority to eliminate them completly.
Since Microsoft is a real security problem and threat, ISP should have a first step before they let people browse the net , verify that their Microsoft OS user’s have a patched OS and that they use legal copies.
Your “no one is to blame and it’s always other people fault” is what led to this problem in the first place … They probably thought like you that by ignoring the problem it would simply go away …
Edited 2009-05-09 08:58 UTC
Yeah, except for the fact that Microsoft patches are notorious for breaking stuff in all kinds of ways.
Suddenly, a piece of software that you have been running for years and on which an entire company depends, no longer works. Suddenly, a patch to w2k3 server makes it very hard for winxp clients to connect to a windows domain the first time, throwing an rpc error, unless you know the specifc steps to work around it.
So, give it a break. Lots of people cannot afford to upgrade the instant that patches are released becasue all too often shit breaks.
And dont tell me to get a backup server to test patches on, becasue there are too many servers each with its specific function and purpose and it simply isn’t financially feasible to have two of everything.
We have progressively moved to linux on most of our servers and have had zero issues with patches in five years.
I understand where you are coming from but at the same time I find it difficult to understand why you would keep with third party vendors whose products are of such low quality that it breaks on updates. What that tells me, when they do break is that they aren’t programming according to what has been documented and instead using undocumented hacks, failing to update their software when Microsoft fixes up win32 errors (and update the documentation on their MSDN website to reflect those changes).
Heck, I remember when Windows XP SP2 was released there was a list of ‘safe win32 API calls’ which they encouraged third party vendors to use over the unsafe ones – did anyone in the third party software community listen to them? it seems that all the advice and suggestions of Microsoft fall on deaf ears because programmers in these third party software companies think they know better than Microsoft.
You as an end user/customer have to start putting the hard work on these third party vendors whose software breaks when you apply updates to get their act together; unless you make some noise, the third parties will never get the message to shape up.
The security by design of other platforms combined with the larger developer base and rate of bug patching… I’d be very interested to see the outcome if/when other platforms become targeted more directly.
Apple faithful will benefit from that company being forced to focus on security more. The more libre platforms already enjoy attention to security with the exception of a few distributions that break it intentionally.
..they could still send out spam, steal credit card numbers or attack someone’s servers.
Die, you unpatched machines, die!
From the sound of the rather broken translation, it seems the kill switch works by messing up the registry. Would booting under last known good configuration let you get your system booted again, at least temporarily? It didn’t say whether it attacks the backup registry files. I’d be surprised if it didn’t, but malware writers have missed the obvious before.
I’m very glad of two things. One is that I do not use Windows, and the other is that at least this malware doesn’t do any actual hardware damage. Anyone remember some of the old DOS viruses that actually destroyed certain types of hardware by corrupting its firmware? Granted, modern oses don’t usually allow that type of direct hardware access, but still… if a driver did allow it, malware could use it for nasty purposes.
Hopefully this one dies out like most other viruses that kill their hosts, but somehow I don’t think so. This one doesn’t automatically kill every system it’s installed on, the killswitch is under the control of the hacker and, I would assume, could actually be applied to specific machines not just the entire botnet.
It doesn’t take away from your point but it’s a matter of using the correct terms being that this is a technology site.
I think you mean “criminal” not “Hacker”. The latter being an enthusiast mind set not inherently criminal in nature. If someone’s running a botnet, they aren’t a hacker, they’re just another criminal playing with scripts. There is nothing elegant, creative or witty about releasing botnet malware or any other viral code on public networks.
http://blogs.techrepublic.com.com/security/?p=1400
or
http://catb.org/jargon/html/H/hacker.html
where you meant
http://catb.org/jargon/html/C/cracker.html
or simply “Criminal” as we don’t really need a new word to describe the act of harming others for profit or thrills.
Were I to create a botnet, I would include a killswitch for it and charge a subscription fee to the organisations that wanted to use it. The killswitch would be there to deal with non-paying clients by shutting down the botnet. If it’s easy enough to rerelease the virus or worm into the wild, it’s not a major loss.
Edited 2009-05-09 05:11 UTC
Years ago I had a friend playing with a bit of shareware he had written. He was musing about a killswitch instead of a simple expiry time period on his shareware; it would overwrite the fat table with 0s.
He didn’t ever release his code with such a bomb in it but I think that’s along the same lines.
If he seriously considered putting a kill switch in a piece of shareware – he is probably writing viruses and selling botnets for a living now (or working for microsoft).
Well, he is writing software but nothing so dramatic or remotely malicious. We all do stupid things in highschool. It’s the one’s that don’t ever grow beyond that which become a problem.
Thom,
I have no idea why you consider these machines as “ruined”. If such a bot goes down it’s most likely a good thing. How else would the semi-ignorant webmaster get pushed to actually fix things instead of looking away?
When reading how this guy just deleted unwanted files without taking further action this almost made me laugh. What kind of sillyness is this? Are we really expected to send sensitive data to people which don’t even know how to turn the key in their vault’s lock?
With some luck, a culture of setting botted servers offline will evolve. Kill the botnets by their own weapons. This would undoubtly give the evils a hard time.
Traumflug
Exactly. I’d much rather see infected machines disabled or directly damaged than have them doing christ knows what to the rest of the net.
Who knows maybe it’ll teach them to secure their systems properly next time
oh what a great loss, some dead w-i-n-b-l-o-w-s machines… how terrible
Sadly..?
So you would rather welcome a stealthy rootkit that leaves your computer performing just fine, while it steals all your passwords, accounts, and whatever other info that you happened to have placed on your computer?
I would much rather have a virus that casues my computer to BSOD as soon as it got infected, at least then I dont have to worry about working on an infected machine. I can just boot up to a livecd, copy off all my documents and data, and wipe out the windows/boot partitions and start fresh.
I think most people would agree…
I’m from Poland working in IT and I think I should hear something about “dying” 100000 windozes, but I only heard about it from OSnews. At least the number of killed machines doesn’t look plausible.
If this virus has a kill switch maybe others do as well? It would be a shame to force a whole bunch of people to reload there OSes, etc. but think about the implications of taking down massive numbers of machines “unwitting” participating in all kinds of suspicious behaviors.
If the users of most of these machines brought them back online with protection to prevent it from happening again the impact on reducing cyber-crimes could be quite impressive. …at least until the criminals regroup.
I don’t know if this is a good idea or a positively evil one…