Botnets: They do have the option to self-destruct
- Date: May 25th, 2009
- Author: Michael Kassner
- Category: Security
- Tags: Financial, Security Expert, Operating System, Malware, Bot, Computer, Bot Malware, ZeuS, Prevx, Spyware, Adware & Malware
Self-destruct code is often written into bot malware. Up until recently that wasn’t considered an issue. So, what changed and what does it mean to us?
——————————————————————————————————————-
I first learned about the use of self-destruct code in 2007 when I read an ITU report, Zombie Botnet Mitigation Project: Background and Approach. The report mentioned how certain bot malcode was programmed to destroy all resident data files if there was an attempt to remove the malware. Man, that’s harsh.
All-purpose kill switch
Wanting to know more, I began researching the how and why of kill switch software. One thing became very apparent. Self-destruct mechanisms can be used for more than just expunging data. In fact, botmasters have almost god-like authority over compromised computers. It appears that the worst case scenario would be when an instruction from the bot’s command and control server activates a process that completely destroys the operating system. Losing data doesn’t seem so bad all of a sudden.
When are kill switches used
Whether a kill switch is used or not, appears to be up to the whim of the botcode developer. I did find one exception though. It seems that a self-destruct mechanism is always part of malware targeting financial institutions. InfoStealer, ZeuS, and Nethell are three such examples.
ZeuS in particular
The ZeuS bot malware is of special interest, having successfully created at least one botnet containing over 100,000 members. The following slide, courtesy of Prevx, shows the world-wide distribution of the botnet:
As I mentioned earlier the ZeuS botnet is entirely focused on gaining access to financial information. The security product developer Prevx describes ZeuS as:
“Information stealing software aimed at the ever-growing market for financial information stolen from banks, ecommerce web sites and personal computers.”
ZeuS is also unique in that it’s for sale. This allows anyone, even those with less than stellar programming skills to create sophisticated botnets. Prevx explains further:
“The DIY “exe builder” for the Zeus Trojan can be bought online for just $4,000. Each Zeus Trojan build incorporates a kernel level rootkit, which means it can hide from even the most advanced security software.
There seems to be some confusion as to the cost of the ZeuS package. I’ve seen the price range from as low as $700 to the $4000 mentioned by Prevx.
Self-destruct option
If you remember, I mentioned that ZeuS is one of those special cases of bot malware that has a self-destruct option built into the software. Reverse engineering the code wasn’t even necessary to determine that; the help file supplied with ZeuS was kind enough to explain the self-destruct command (courtesy of abuse.ch):
KOS: incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and/or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!
The translation to English may not be perfect, but it’s obvious that the self-destruct sequence (Kill Operating System) in ZeuS is not the kind that just destroys data files. In this case it appears that initiating the KOS command results in the botnet’s computers going into a “blue screen of death” condition, preventing the operating system from booting.
KOS command issued
I’m afraid to say that all this discussion about the ZeuS malware and its self-destruct option wasn’t just a what-if exercise. In early April of 2009, analysts at abuse.ch were shocked to find telltale signs that the KOS command was issued by one of the ZeuS command and control servers, effectively “Blue-screening” over 100,000 computers.
There’s precious little information available as to what this means. Still if the theory holds true, at least 100,000 employees of businesses and financial institutions weren’t able to do their job.
Experts wonder why
It’s very clear that security experts are perplexed as to why this was done. One possible explanation is offered by Jozsef Gegeny of S21sec:
“To disappear and hide all tracks, making further analysis harder?”
Or possibly:
“The point more probably for a phisher is to earn time. Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken.”
Roman Hüssy a security expert at abuse.ch who has been instrumental in researching the ZeuS botnet mentioned his thoughts to Brian Krebs in a Washington Post article:
“Maybe the botnet was hijacked by another crime group. Then again, maybe the individuals in control over that ill-fated botnet simply didn’t understand what they were doing. “Many cyber criminals…using the Zeus crimeware kit aren’t very skilled.”
It’s early in the discovery process; hopefully some real insight will eventually surface.
Final thoughts
As I mentioned in the beginning, security experts seemed to downplay the possibility of this happening, pointing out that botmasters work hard to develop their botnets. Why turn around and destroy them? Ironically, that still seems logical. All the same, if the 100,000 users of the victimized computers and the IT personnel that had to recover them were asked, I suspect they’d have a whole different opinion.
Michael Kassner has been involved with with IT for over 30 years. Currently a systems administrator for an international corporation and security consultant with MKassner Net. Twitter at MPKassner. Read his full bio and profile.
Print/View all posts Comments on this blog
Self-destructing botnets Michael Kassner | 05/25/09 |
I had was not aware of that, but it does not suprise me at all Michael Jay | 05/25/09 |
It depends Michael Kassner | 05/25/09 |
The more I read Michael Jay | 05/25/09 |
You two santeewelding@... | 05/25/09 |
I was counting on you or someone like you Michael Jay | 05/25/09 |
The meek santeewelding@... | 05/25/09 |
Classic example... NEW jemorris@... | 05/26/09 |
I'm relieved Jacky Howe | 05/25/09 |
Hmmmm ......... NEW Dusterman | 05/26/09 |
Thanks, Mike NEW Michael Kassner | 05/26/09 |
Interesting... NEW JCitizen | 05/26/09 |
OK ....then NEW Dusterman | 05/26/09 |
Malware Tools NEW MichaelSawyer1969@... | 05/26/09 |
yes NEW Dusterman | 05/26/09 |
I like doing things like this... NEW JCitizen | 05/26/09 |
You can NEW Michael Kassner | 05/26/09 |
Another possibility NEW Michael Kassner | 05/26/09 |
Live CD ........ yes ......... NEW Dusterman | 05/26/09 |
Another option NEW Michael Kassner | 05/26/09 |
A breached machine can't be trusted NEW Neon Samurai | 05/26/09 |
Come to think of it... NEW JCitizen | 05/26/09 |
Ah ........yes ......the trust issue ......... NEW Dusterman | 05/26/09 |
Secunia PSI goes a long way too..(nt) NEW JCitizen | 05/26/09 |
It is a good program NEW Michael Kassner | 05/26/09 |
Lets hope that Jacky Howe | 05/25/09 |
Thanks and can you imagine Michael Kassner | 05/25/09 |
Michael santeewelding@... | 05/25/09 |
Whew Jacky Howe | 05/25/09 |
executable NEW pgit | 05/26/09 |
Fighting fire with fire... NEW JCitizen | 05/26/09 |
I agree NEW Michael Kassner | 05/26/09 |
Okay, I'll bite... NEW JCitizen | 05/26/09 |
I agree NEW Michael Kassner | 05/26/09 |
Comodo has good solutions NEW MichaelSawyer1969@... | 05/26/09 |
Especially for home users.... NEW JCitizen | 05/26/09 |
I haven't had NEW Michael Kassner | 05/26/09 |
It's possible NEW Michael Kassner | 05/26/09 |
ZeuS has a EULA NEW Michael Kassner | 05/26/09 |
stunning NEW pgit | 05/26/09 |
It's a business NEW Michael Kassner | 05/26/09 |
HA! Business is busniness... NEW JCitizen | 05/26/09 |
Wow.. it shouldn't be a surprise.. but wow.. NEW Neon Samurai | 05/26/09 |
Just lucky NEW Michael Kassner | 05/26/09 |
Latest ZeuS botnet Domains NEW Michael Kassner | 05/26/09 |
Cyberwarfare NEW manwe@... | 05/26/09 |
Good questions NEW Michael Kassner | 05/26/09 |
Cyberwarfare NEW MichaelSawyer1969@... | 05/26/09 |
It seems NEW Michael Kassner | 05/26/09 |
Excellent illustrations... NEW JCitizen | 05/26/09 |
I appreciate it, J NEW Michael Kassner | 05/26/09 |
As usual Michael NEW #foolish | 05/26/09 |
That's why NEW Michael Kassner | 05/26/09 |