Botnets: They do have the option to self-destruct

Self-destruct code is often written into bot malware. Up until recently that wasn’t considered an issue. So, what changed and what does it mean to us?

——————————————————————————————————————-

I first learned about the use of self-destruct code in 2007 when I read an ITU report, Zombie Botnet Mitigation Project: Background and Approach. The report mentioned how certain bot malcode was programmed to destroy all resident data files if there was an attempt to remove the malware. Man, that’s harsh.

All-purpose kill switch

Wanting to know more, I began researching the how and why of kill switch software. One thing became very apparent. Self-destruct mechanisms can be used for more than just expunging data. In fact, botmasters have almost god-like authority over compromised computers. It appears that the worst case scenario would be when an instruction from the bot’s command and control server activates a process that completely destroys the operating system. Losing data doesn’t seem so bad all of a sudden.

When are kill switches used

Whether a kill switch is used or not, appears to be up to the whim of the botcode developer. I did find one exception though. It seems that a self-destruct mechanism is always part of malware targeting financial institutions. InfoStealer, ZeuS, and Nethell are three such examples.

ZeuS in particular

The ZeuS bot malware is of special interest, having successfully created at least one botnet containing over 100,000 members. The following slide, courtesy of Prevx, shows the world-wide distribution of the botnet:

As I mentioned earlier the ZeuS botnet is entirely focused on gaining access to financial information. The security product developer Prevx describes ZeuS as:

“Information stealing software aimed at the ever-growing market for financial information stolen from banks, ecommerce web sites and personal computers.”

ZeuS is also unique in that it’s for sale. This allows anyone, even those with less than stellar programming skills to create sophisticated botnets. Prevx explains further:

“The DIY “exe builder” for the Zeus Trojan can be bought online for just $4,000. Each Zeus Trojan build incorporates a kernel level rootkit, which means it can hide from even the most advanced security software.

There seems to be some confusion as to the cost of the ZeuS package. I’ve seen the price range from as low as $700 to the $4000 mentioned by Prevx.

Self-destruct option

If you remember, I mentioned that ZeuS is one of those special cases of bot malware that has a self-destruct option built into the software. Reverse engineering the code wasn’t even necessary to determine that; the help file supplied with ZeuS was kind enough to explain the self-destruct command (courtesy of abuse.ch):

KOS: incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and/or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!

The translation to English may not be perfect, but it’s obvious that the self-destruct sequence (Kill Operating System) in ZeuS is not the kind that just destroys data files. In this case it appears that initiating the KOS command results in the botnet’s computers going into a “blue screen of death” condition, preventing the operating system from booting.

KOS command issued

I’m afraid to say that all this discussion about the ZeuS malware and its self-destruct option wasn’t just a what-if exercise. In early April of 2009, analysts at abuse.ch were shocked to find telltale signs that the KOS command was issued by one of the ZeuS command and control servers, effectively “Blue-screening” over 100,000 computers.

There’s precious little information available as to what this means. Still if the theory holds true, at least 100,000 employees of businesses and financial institutions weren’t able to do their job.

Experts wonder why

It’s very clear that security experts are perplexed as to why this was done. One possible explanation is offered by Jozsef Gegeny of S21sec:

“To disappear and hide all tracks, making further analysis harder?”

Or possibly:

“The point more probably for a phisher is to earn time. Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken.”

Roman Hüssy a security expert at abuse.ch who has been instrumental in researching the ZeuS botnet mentioned his thoughts to Brian Krebs in a Washington Post article:

“Maybe the botnet was hijacked by another crime group. Then again, maybe the individuals in control over that ill-fated botnet simply didn’t understand what they were doing. “Many cyber criminals…using the Zeus crimeware kit aren’t very skilled.”

It’s early in the discovery process; hopefully some real insight will eventually surface.

Final thoughts

As I mentioned in the beginning, security experts seemed to downplay the possibility of this happening, pointing out that botmasters work hard to develop their botnets. Why turn around and destroy them? Ironically, that still seems logical. All the same, if the 100,000 users of the victimized computers and the IT personnel that had to recover them were asked, I suspect they’d have a whole different opinion.