Loud failures in the fight against virus writers


    Recently it has become quite fashionable for companies involved in digital security to report successful botnet takedowns and the arrest of their owners. Bredolab was shut down, and only the lazy did not write about it.

    The purpose of this article is to show that not everything is so smooth in the Danish kingdom.

    The author does not claim this information is exhaustive, but in any case it is useful to know about the failures of the antivirus industry.


    1. Conficker (also known as Downup, Downadup and Kido). One of the most dangerous computer worms. It first appeared on November 21, 2008. By exploiting a number of vulnerabilities, the worm had infected 12 million systems as of January 2009. At the moment about 5 million systems remain infected; no activity indicating activation of this botnet has been recorded, but it still exists.
    Despite the $250,000 reward Microsoft announced on February 12, 2009 for the capture of the worm's authors and the botnet's owners, they are still free.

    2. Trojans of the Zeus family (ZBot) appeared in 2007. Thanks to its ease of configuration and ease of use for stealing web data, ZeuS has become one of the most widely distributed and best-selling pieces of spyware on the Internet black market, and the Zeus botnet is No. 1 in the world, with more than 3.6 million infected machines in the United States alone. The author of the Trojan, known as "Slavik" or "Monstr" on hacker forums, actively sold his brainchild until the middle or end of 2010, after which he announced that he was ceasing activity. The proceeds from sales of the Trojan alone are estimated in seven figures (in dollars, of course), not to mention the carding and private components.

    Discussing ZeuS has become the signature feature of any self-respecting digital security company. There is even a dedicated tracker for monitoring the botnet's activity; however, Slavik is still at large.

    3. SpyEye, how much there is in that word ... The Trojan appeared in late 2009 - early 2010 and immediately set itself against Zeus. The author of the Trojan, known on the forums as "Gribodemon" or "Harderman", actively promoted his product, once even equipping it with Zeus Killer, a feature designed to eliminate the competitor on zombie systems.
    As soon as the author of Zeus decided to retire, he handed over (sold?) the source code to Gribodemon, on the condition that he support the existing "users". At the moment it is no longer a secret that new versions of SpyEye carry many functions of their predecessor.
    It is not so difficult to find Gribodemon, both by the activity of his botnets and on hacker forums. His offers are still active.

    4. TDL / TDSS (Alureon, TidServ). One of the most technically advanced rootkits at the moment. TDL4 is the first and one of the few rootkits for the x64 platform. New mechanisms are constantly being introduced, including new 0-day vulnerabilities that allow it to bypass existing anti-virus systems. Individual code fragments, behaviour and phrases in the configuration file allow us to assume that the authors are also natives of the once "One and Mighty".
    The TidServ botnet is the third largest in the world, but that information is quite outdated, and antivirus corporations are in no hurry to share newer figures.

    5. In July 2010, Slovenian police arrested three students on suspicion of creating Mariposa / Palevo. Earlier, in the spring of the same year, three operators of the same botnet were arrested in Spain. It is believed that this botnet is "decapitated", "eliminated", "inactive", and there was a lot of laughter when the students under investigation tried to find work at security companies, but there is always a "but"! At the moment, new versions of Kolab / Palevo keep being created and discovered. And the appearance of new C&C servers every day is somehow not reassuring ... In addition, it is worth noting the particular professionalism of the code of this worm, which would be within the reach of students - but only talented students. Has the botnet fallen? Hmm ...

    6. December 2010 ... Together with employees of Department "K" of the Ministry of Internal Affairs of the Russian Federation and foreign colleagues involved in IT security, a huge botnet was discovered, comprising about 600,000 systems around the world. The botnet's C&C servers were located mainly on Russian hosts. It was also possible to identify the owner of the botnet, who turned out to be someone under the nickname "crazyese". It is known that crazyese is involved in DDoS attacks on government websites of various countries; nothing else is known. After the botnet was discovered, intelligence agencies from different countries became interested in the owner of this network.
    On February 9, 2011, the ICQ number (609684624) of that same "crazyese" appeared online: one of his competitors published it. Nevertheless, the owner of the number does not hide, continuing to openly offer his services.

    The list goes on, but what's the point? Let us stop at the ominous figure 6. It is much more interesting to find the answer to the question: why, with all the might of the antivirus industry, with all the splendour and multitude of rapid-response teams for attacks and threats, do all the described cases take place - and, most importantly, still exist? There can be many answers, and it is possible that some of them are close to the truth ...
