ZeusTracker and the Nuclear Option

One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct. Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control.

But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.

Hüssy oversees Zeustracker, a Web site listing Internet servers that use Zeus, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools.

According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system." The help file distributed with Zeus kits includes the following Google-translated explanation of this feature:

kos - incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!

In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" had just been issued to all 100,000 infected systems.

Hüssy said he has no idea why the botnet was destroyed.

"Maybe the botnet was hijacked by another crime group," he offered in an online chat with Security Fix. Then again, maybe the individuals in control over that ill-fated botnet simply didn't understand what they were doing. "Many cyber criminals...using the Zeus crimeware kit aren't very skilled," Hüssy said.

Researchers at the S21sec blog have their own theory: that maybe attackers wield the nuclear option to buy themselves more time to use the stolen data.

"The point more probably for a phisher is to earn time," writes S21's Jozef Gegeny. "Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken."

As one might imagine, bad guys who control these Zeus crimeware servers aren't always too happy about having their networks called out. Since my interview with Hüssy on Wednesday, his site has come under a fairly massive distributed denial of service (DDoS) attack, no doubt from systems under the control of Zeus botmasters.

This is hardly the first time Hüssy has been targeted. His site at abuse.ch was similarly attacked last summer. Then, early one morning in August 2008, local police roused him from slumber to check on his whereabouts. Turns out, cyber crooks had been circulating a fake suicide note sent in his name to hundreds of thousands of Swiss residents.

Zeustracker divides the sites used to control infected systems into several camps: Those apparently hosted at so-called "bulletproof hosting" services that specialize in remaining online despite significant pressure from law enforcement and foreign governments; those hosted on free Web hosting services, and those hosted on apparently legitimate but otherwise compromised Web servers.

One of hacked servers -- johnnybees.com -- was added to Zeustracker on Feb. 13, 2009. The site belongs to John Natoli, a graphic Web designer from central New Jersey. Natoli said he had been working with his hosting provider to resolve the problem, which he said he first noticed about a month ago when odd files began showing up on his server.

Natoli said he didn't know what the files were or where they were coming from, until being contacted by Security Fix. What he couldn't have known is that Zeus encrypts both the data stolen from infected systems and the configuration files left on servers that tell Zeus-infected systems which bank Web sites the attackers are trying to steal credentials for each day. In either case, the files would appear to anyone without the encryption key to be gibberish-filled files.

"I was continually deleting these suspicious files off my servers. It got kind of out of control," Natoli said, noting that he thinks the problem has been resolved, as he hasn't seen any new files in several weeks. "My hosting company provided me with some scripts that were supposed to clean things up."

Currently, about one-third of the sites listed at Zeustracker are hacked or free Web services. Imagine the good that the affected ISPs and hosting providers could do by working with customers to clean up these hosts.

If you've read this far, please join us tomorrow at 11 a.m. for Security Fix Live, where I endeavor to answer your personal technology questions and offer tailored suggestions for protecting yourself from online security threats. Can't join us then? No problem: drop me a question in advance.