Crimeware Kit Vulnerable to Hacking

Posted by Laureli Mallek Thu, 19 Jun 2008 19:45:57 GMT

Dancho Danchev wrote about a vulnerability found in Zeus, a crimeware kit circulating widely. Danchev explains:

The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, ‘Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information’.

“The implications of this flaw are huge, since, what used to be the practice of hijacking someone’s misconfigured botnet a couple of years ago, is today’s hijacking of the malware campaign’s command and control interface, which on the majority of occasions is left accessible to everyone – including independent researchers and the security community.”

The Zeus Trojan kit is available on the market for around $700, and Danchev writes in a previous post that the Zeus kit has been used more than 150 times and attacks around 4,000 computers per day. Similar to popular software receiving unwanted attention from hackers, the prominence of this badware led to increased attention from the security community, leading to the discovery of this vulnerability.

In an additional twist, the Russian Business Network, which has been associated with creation and distribution of the Zeus kit, is actively working to protect their intellectual property from security companies and their customers. RBN has threatened to sue security companies for blacklisting their products.

The RBN even includes an EULA when they sell the crimeware kit:

The help section of the latest version of the Zeus malware states that the client has no right to distribute Zeus in any business or commercial purpose not connected to the initial sale, cannot examine the source code of the product, has no right to use the product to control other botnets, and cannot send the product to anti-virus companies.

The RBN threatens to release information on their customers if they violate this agreement and to require customers to purchase future updates. Would they pursue lawsuits against bot herders who modify their software kit without permission?

Danchev asks what would happen if the security community began unethically pen-testing the Zeus network in order to estimate the size of the botnet. Would the RBN seek to protect its intellectual property, thereby claiming ownership of the Russian Business Network infrastructure (botnet) in order to sue trespassing parties? As crimeware becomes more commercialized, the badware authors have more invested in protecting their investments in intellectual property and infrastructure. It will be interesting to see how the current legal structure can be applied to regulate the development of the malware industry.


Symantec Security Report Examines Second Half of 2007

Posted by Laureli Mallek Wed, 16 Apr 2008 17:09:08 GMT

Last week Symantec Corp released a security report summarizing findings from the last six months of 2007. Similar to findings in StopBadware’s Trends in Badware 2007 report, Symantec finds that badware, malware, spyware, and bots develop rapidly in the current internet environment.

Symantec reports that the second half of 2007 saw a rapid expansion in the amount of malicious code generated: “In the second half of 2007, 499,811 new malicious code threats were reported to Symantec, a 136 percent increase over the first half of 2007.” Within this sample, the report states that:

  • “Symantec identified 11,253 site-specific cross-site scripting vulnerabilities in the last six months of 2007, compared to 6,961 in the first half (though with measurement beginning only in February).”

Site-specific cross-site scripting is a technique used to initiate drive-by downloads, an increasingly popular method of distributing malicious code to users. These downloads can be executed in a variety of ways with iframes located within the body of a website or hidden in third party advertising.

  • “The Symantec Probe Network detected a total of 207,547 unique phishing messages, a five percent increase over the first six months of 2007. This equates to an average of 1,134 unique phishing messages per day for the second half of 2007.”
  • “Threats to confidential information made up 68 percent of the volume of the top 50 potential malicious code infections reported to Symantec.”

These threats relate to identity theft and to bank or PayPal account information. In short, badware producers maintain their focus on these types of data, but are developing new methods of accessing it.

The Symantec report documents a shift towards organization and refinement, with the underground economy increasingly structured like a legitimate industry. Matt Hines at PC World writes:

“From the groups of exploit developers marketing malware toolkits to aspiring attackers to the people buying and selling stolen credentials, the entire landscape of electronic crime is taking off and increasingly resembles the security software community that is working to thwart it.”

The report also discusses an evolution occurring in botnets. The number of command-and-control servers associated with botnets has declined, while the number of operational botnets has remained higher than expected. Symantec attributes decreases in the prevalence of botnets to “better detection solutions and methods,” and suggests that botnets are now being controlled through methods such as HTTP or P2P, both of which are currently more difficult to detect.


18-year-old New Zealander was Infamous Bot Herder

Posted by Laureli Mallek Mon, 07 Apr 2008 22:19:42 GMT

Owen Thor Walker, an 18-year-old whose online alias was Akill, assumed responsibility for invading a network of 1.3 million computers, causing havoc at the University of Pennsylvania in 2007, and skimming an as-yet unknown amount of money from banks in the Netherlands.

The incident at UPenn occurred when Walker and Ryan Goldstein were attempting to update their botnet. While the denial of service attack affecting UPenn was accidental, it did lead to the arrest of Goldstein, who in turn directed police to Walker. The New Zealand Herald writes “While the New Zealand police were waiting for the FBI to finish its investigations” the NZ police began investigating several large deposits into Walker’s bank account. These were traced to ECS International, a company reported to be connected with similar situations. Walker claims to have sold his code to other people, and no one seems to know what happened to the skimmed money.

According to Technology Review, eight people have been indicted, pleaded guilty, or been convicted, and an additional 13 warrants have been issued in the United States and abroad in association with this case. Walker’s supposed role as “kingpin” has not led to additional charges. ITNews Australia writes that Judge Arthur Tompkins “would not be considering a custodial sentence” due to Walker’s youth when writing the code—he claims to have been 15 at the time.

Botnets are devious. The New Zealand police are quoted by NZ Herald as saying Walker’s code is “considered by international cyber crime investigators to be among the most advanced bot programming encountered,” as it spread automatically, disabled anti-spyware software, deleted rival bots, and functioned mostly without detection. The Anti-Spyware Coalition provides an excellent definition of botnets:

A type of Remote Control Software, specifically a collection of software robots, or “bots,” which run autonomously. A botnet’s originator can control the group remotely. The botnet is usually a collection of zombie machines running programs (worms, Trojans, etc.) under a common command and control infrastructure on public or private networks. Botnets have been used for sending spam remotely, installing more spyware without consent, and other illicit purposes.

Botnets have been used for a variety of nefarious purposes from those listed above to last year’s attack against Estonia.
