SpyEye Botnet Nets Fraudster $3.2M In Six Months
wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."
the biggest problem here, personal responsibility (Score:2, Insightful)
Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.
This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start ho
Re: (Score:2)
So you don't remember all the email viruses that spread years ago simply by opening them because they were exploiting flaws in system software?
Yep, it was years ago. On that note UNIX and Linux used to have lots of worms that spread remotely too, and there's still lots of bugs and sometimes even remote exploits. Firefox and Chrome patch hundreds of bugs per year.
If software vendors were being held responsible for every bug that might have slipped through, what do you think would happen? Open source contributors would stop contributing software, because they would risk losing their personal money in the process. On the other hand, Microsoft has the
Re: (Score:1)
I should have made it more clear in my first post that I was being sarcastic to the OP. The AC claiming that we should go after the people who are installing malware and to go after them. Like you stating that not every little bug can be perceived, nor can every computer user realize what they are installing is NOT malware, which the AC claims they should know what they are installing. Then I was sarcastically stating then why not go one step further and go after the p
Re: (Score:1)
A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.
What? You don't manually check your brake lines every time you drive? You don't even know where to look? But that's YOUR RESPONSIBILITY!
Do you count your knives each night to know no one has stolen them to stab someone?
Personal responsibility means taking reasonable steps to make sure you don't harm others. It doesn't mean becoming an expert in every single aspect of tec
Re: (Score:2, Interesting)
"Personal responsibility means taking reasonable steps to make sure you don't harm others"
Yes, and people DON'T DO THAT. I've seen people get spyware, right in front of my eyes. They absolutely do not take reasonable steps to avoid so doing. They'll cheerfully run ANYTHING. That is not a reasonable behavior, on what is fundamentally a Turing machine.
So yes, let's hold them responsible when they don't take reasonable steps towards safe computing.
Re:the biggest problem here, personal responsibili (Score:4, Interesting)
But the brakes in a car generally don't fail because someone put the wrong CD in or tuned to the wrong radio station.
Re: (Score:3)
"A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."
But running malware and trojans is not "using a computer in a reasonable manner".
A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...
Re: (Score:2)
A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...
The phrase "a better analogy" in English does not mean "a completely fucking retarded comparison".
Re: (Score:1)
A better analogy is leaving your car running while you dash into the store. Which IS against the law in many places. Someone might hijack it and commit a crime. Now, I haven't looked, I don't think you'd be liable for that crime, but if they hit someone else with that car, your insurance is at the least going to drop your ass like the irresponsible assbag that you are.
Re:the biggest problem here, personal responsibili (Score:5, Insightful)
In a world where picture frames come preinstalled with malware, in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.
I blame people for running Trojans, I blame people for not doing updates (but come on, what other industry would tolerate having a recall on the second Tuesday of every month), but this is still a world in which drive-by downloads are possible. I run Noscript, of course, but don't expect anyone else to live with the problems it causes.
Re: (Score:2)
It's quite true. I can't blame users for shitty fucking plugins like Flash. They want to view online content, so are essentially forced to become part of an insecure ecosystem.
Re: (Score:1)
I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that got abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's n
Re: (Score:3)
I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that got abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them.
+1 truth
I'm sick and tired of people who defend the unnecessary use of things like javascript by putting all of the blame for the accompanying reduction in security on the user.
The car analogy is that it is like demanding that people not wear seat-belts and when they get hurt in a wreck then blaming them for not having the latest air-bag system.
Re: (Score:2)
Are you saying that Flash should be limited to Linux, BSD, OpenSolaris, and other operating systems with minimal protections? Better tell Adobe, because they always release new versions of Flash first for Windows. Does that imply Adobe is also complicit with the botmasters?
Patch Tuesday seems counterproductive (Score:2)
what other industry would tolerate having a recall on the second Tuesday of every month
Personally, I think we'd be safer if Microsoft didn't create Patch Tuesdays, and actually released patches as soon as they have fixes, instead. It seems that Patch Tuesday in practice just exists to reduce how often Microsoft is seen to release patches. There's a claim that we need a certain date in the month for all sysadmins to know to look for updates, but that's silly. Sysadmins should always be checking for vulnerabilities, and if they really can't be bothered to do it more than once a month they can s
Re: (Score:3)
Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
Sorry, but no. You may have 35 years under your belt, but my 80+ year old Mom doesn't, and the vast majority of mere users out there are a lot like her. When even highly educated users like doctors and lawyers are stupid around computers, how can you expect my Mom to do any better?
Case in point: she's on a Mac using Safari, and it drives her up the wall when the history pane doesn't show her favourite sites. I've told her that's not how it's supposed to be used and to use bookmarks instead. She wants to
Re: (Score:2, Insightful)
If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.
Re: (Score:2)
If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.
Yes, because only people with Computer Science PhDs should be allowed to use computers, and ideally all computers would be giant mainframes in universities or large corporations. All this giving computer and internet access to the masses is just plain wrong.
Re: (Score:2)
"Is that the victims were generally NOT the people who allowed botnets to run on their computers."
Of course. There is no evolutionary pressure in the ecosystem to detoxify exploited computers. Bubba and Laqueefa don't give a fuck about internet security and WHY SHOULD THEY when there are negligible negative consequences?
I don't advocate any nonsense like government regulation to (not!) solve the problem.
It would be better done with destructive malware that disconnects infected PCs from the internet and does
Re: (Score:2)
and there is no way to solve this problem without causing collateral damage.
Fuck me, it's Mr Internet Tough Guy on the rampage with military jargon off a cornflakes packet.
Re: (Score:1)
Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.
This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.
If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.
35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
BS. The bad guys are a lot smarter than you think they are. Exploit kits, iframes, obfuscated javascript, etc... they're EVERYWHERE now. Quit blaming the victim already.
Re: (Score:2)
I agree with you. Same as with a car: you would not just start driving one because you can afford to buy one, you have to take courses and also pass tests.
Computers in society seem too commonplace and without accountability. A pilot has to be registered to fly a plane and go through screening... why can't the ISPs enforce such things as well?
This is where the problem lies, it is more so the ISPs responsibility also to know when an infected computer is within ITS network, and block it off indefinitely until the
Re: (Score:2)
Your Bank Account is Locked (Score:2)
Click here to unlock your account [notification.zip].
I know it's a crime and all, but should we feel sorry for people who get scammed because they're just that gullible? I know plenty of people who are.
And... when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.
Re: (Score:2)
You're thinking inside the box. By "fixing" I mean removing the ability to send a message from one machine to another without authenticating the source. There's absolutely no security in SMTP and POP. That's what allows spam to be sent with your return address, or a nonexistent return address. Email was developed in the days where the Internet was the domain of the scientific, educational and government communities, without regard to security, and we're still using the same system.
It might be as simple as a
Re: (Score:2)
Authentication: Hijacked machines - or even normal machines - shouldn't have authority to send email from some random claimed domain or plain IP address. There have been some good attempts to solve these issues (SPF records, Sender ID, DomainKeys/DKIM, FCrDNS (forward-confirmed reverse DNS)), but there aren't enough universal safeguards to make them work. Since this is a huge hole for criminals to exploit, we as an IT management community need to tighten that up. That includes testing each message for compl
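As an added example (not code from the thread or any project it mentions), here is a minimal evaluator for two of the checks the comment above names: an SPF record walk (the ip4, ip6, include and all mechanisms of RFC 7208, with the ten-lookup limit) and a forward-confirmed reverse DNS check. All DNS data is constructed in memory; the domains, addresses and records are assumptions, and no live DNS is queried.

```python
"""Minimal SPF (RFC 7208 subset) and FCrDNS checks over constructed DNS data.
Assumption: the dictionaries below stand in for real TXT, PTR and A lookups."""
import ipaddress

# Constructed zone data (assumed, not real records).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing
}
PTR = {"192.0.2.10": "mta1.example.com", "198.51.100.7": "bogus.example.net"}
A = {"mta1.example.com": ["192.0.2.10"], "bogus.example.net": ["203.0.113.9"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: cap on DNS-querying mechanisms per check


def check_spf(domain, ip, _lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    lookups = _lookups if _lookups is not None else [0]
    record = TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: record ends here
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # loop or over-long include chain
            sub = check_spf(arg, ip, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # included domain has no usable policy
        else:
            return "permerror"  # a, mx, exists and macros are not handled here
    return "neutral"  # record exhausted without a match


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`.
    Returns the confirmed hostname, or None when the round trip fails."""
    host = PTR.get(ip)
    if host is None:
        return None
    return host if ip in A.get(host, []) else None


if __name__ == "__main__":
    for sender_ip in ("192.0.2.10", "2001:db8::1", "203.0.113.9"):
        print(sender_ip, "->", check_spf("example.com", sender_ip))
    print("loop.example ->", check_spf("loop.example", "192.0.2.1"))
    print("fcrdns 192.0.2.10 ->", fcrdns("192.0.2.10"))
    print("fcrdns 198.51.100.7 ->", fcrdns("198.51.100.7"))
```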
Re: (Score:2)
You're thinking inside the box. By "fixing" I mean removing the ability to send a message from one machine to another without authenticating the source. There's absolutely no security in SMTP and POP. That's what allows spam to be sent with your return address, or a nonexistent return address. Email was developed in the days where the Internet was the domain of the scientific, educational and government communities, without regard to security, and we're still using the same system.
Personally, I blame the antiquated UNIX software responsible for most of the internet's infrastructure. The sooner everyone's running iOS on both server and client machines, the safer we'll all be.
Re: (Score:2)
The problem always is that you have a goal of a mail system where anyone can theoretically send email to anyone, and there are huge advantages to such a system (which is why it has become one of the prevalent modes of long-distance communications on the planet). A new protocol is going to have to deal with the same problem and ultimately the solutions will simply be variants on the current solutions, and what's more will have an enormous hill to climb to replace SMTP.
Re: (Score:2)
No, it's not, and that's a big part of the problem. You used to only be able to send *text* through email. I can still remember when the idea of "e-mail viruses" was ludicrous--what, were you going to send them source code they'd have to compile and run themselves? Yes, there was uuencode, but that was about as cumbersome as sending source code and it was rarely u
Re: (Score:2)
Yes, there was uuencode, but that was about as cumbersome as sending source code and it was rarely used in email anyways.
For fairly large values of "rare", as I recall it. Using uuencode, possibly splitting a tar across several messages (to avoid filters), was common in the 80's because it was much less hassle than setting up an ftp site and sending login details for a one-time exchange. Also, the standard response to spam in the 80's (yes, it actually existed) was to send a few MB of core dump or other random binary in response, because the cretins usually used their own email addresses. That all changed in the 90's, and no
Re: (Score:3)
It's the same system that was designed when there were 1,000 computers on ARPANET.
Sometime after that, Netscape decided that HTML would make mail look pretty. The rest is history.
I remember being on some mailing list when this started. The admins put instructions to disable HTML in the FAQ, and admonished posters who had it enabled. Alas, the windmills won.
Playin' the game. (Score:1)
Capitalism. Gotta love it. Of course, this particular guy is frowned upon because he isn't a megacorporation doing it on much larger scales.
Re: (Score:2)
Don't worry, nobody is going to be invading Somalia any time soon. We're leaving it allllll to you, for you and your own personal enjoyment.
Re: (Score:2)
Capitalism is merely private ownership of the means of production, operated for profit. It does not in any way countenance fraud. But Marxists do
Yes, it's perfectly obvious that all those guys at Enron and Lehman Brothers were actually Marxists.
In fact, the Communists now control everything, so they have already won, and the Western world is nothing more than a giant Stalinist gulag, where the so-called proletariat are in fact the prison camp guards safe with their free medical care and unemployment benefits, and the squirming, hard-working inmates are all the poor billionaires who are forced AT GUNPOINT to pay several thousand dollars tax a yea
Where was the money sent? (Score:1)
But how to make money?? (Score:1)
Re: (Score:2)
Set up a merchant, possibly in another country, and use those cards on that merchant.
If you've got those details, transfer via Western Union, their bank, or similar.
Beyond that, this does sound like a high number. Though, given how much banking is done online now, if the botnet is set up to sniff their login and password for their bank website, they can use this and the bank's website to move whatever money they want.
Obviously... (Score:2)
A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.
Re: (Score:2)
I suggest you don't go to any country where haggling is the norm, and *not* haggling is considered an insult.
Re: (Score:2)
I suggest you don't go to any country where haggling is the norm, and *not* haggling is considered an insult.
Oh come on, if you go to a country that traditionally haggles, and just pay them what they ask, they're not going to refuse your money, and they're not going to be insulted that the stupid rich foreigner paid three times what something was worth.
Re: (Score:2)
A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.
If you see nothing morally objectionable in being a con man, go ahead.
Your math appears to be off.... (Score:1)
A handful of victims in 90 countries? What were they victims of, dismemberment?
Fraudster (Score:2)
Re: (Score:2)
Did anyone else read "Fraudster" and thought it was a new social network?
I've signed up, it was only a hundred quid for a lifetime's subscription!
I expect my membership book and badge any time now.
Re: (Score:1)
If it wasn't for the ubiquitous nature of Windows these guys would be making their malware for other OSes.
And they would fail on all other systems, anyway. Other systems have bugs. Windows is insecure, and this insecurity is unfixable by design.
Re: (Score:2)
Other systems have users, which makes them just as vulnerable. A program only needs to be running in userspace to host a website on a weird port, send millions of emails, or intercept what the user is doing and send screenshots to Nigeria.
Quit with the stupid fallacy.
Re: (Score:1)
A program running as a user does not survive rebuilding the user's directory. And with proper security (such as AppArmor) it is confined to its own (not even the user's) files.
On Windows, compromise anything and you have compromised everything -- privilege escalation is a given.
Re: (Score:1)
On a desktop /home is more important than /bin. This is exactly what Linux cheerleaders don't get. They are thinking at the kernel level. X.org crashed? Who cares! As long as I can execute uptime and get a good number, the rest is irrelevant.
The home directory can be safely backed up and restored in minutes, and should not contain anything executable in the first place -- it should be mounted with the noexec option unless the user is interested in development. While out of the box Ubuntu won't do that for you, it's easily doable.
The whole system can not have an easy recovery procedure or simple workaround against executable content -- once there is a suspicion that anything is modified, you have to have known clean system, and your backup has to bring
Re: (Score:1)
How is it misplaced? Take an educated guess at the number of apps on the Windows platform. For example, Windows 7 32-bit can run 16-bit apps from the DOS and Win 3.1 era. Count all of them, and given the number of distro volunteers they won't ever have time to create rules for even 10% of the apps. My point is you would require several orders of magnitude more competent staff to maintain a repo on the scale of Windows applications.
Repository maintenance != Your warez collection.
If you really care, DOS applications run on Linux just fine (and are sandboxed), however this has nothing to do with distribution maintainers keeping track of applications and their configuration -- including security settings. Indeed, that would be unthinkable in the Windows world, where no one knows exactly what he runs or where it comes from.
False. If the printer supports PostScript, PCL, and other common printer tech you can use a generic driver for that. You will not get access to advanced features of the printer though, but that is obvious.
Except, of course, there is no infrastructure to reuse printer filters independently from port type, so those are
Re: (Score:1)
Well one way is to see the frequency with which the kernel binary is patched. A ton of malware is created after an OS patch is pushed (since most people run unpatched versions of Windows anyway). You can easily diff the patched binary and understand the code that was patched and create a working exploit.
No one does it on Windows -- there are plenty of low-hanging fruits, thanks to the lack of secure design even when the kernel works exactly as intended.
What I meant was if you do a total bug count of a fresh Windows install with a fresh Linux install, the Linux install will have a higher bug count because of all the 3rd party crap that comes with it.
And most of that is not a security threat. In Windows, things like denial of service or potentially exploitable problems don't even show up on the radar. On Linux every instance of buffer overflow is automatically marked as "potentially executes arbitrary code" and is instantly fixed without questions. Following your logic, the most secure version of Windows is Win
Re: (Score:2)
I was going to reply, but the AC nailed it already. Users don't give a crap whether "Calculator.exe" gets infected with a virus. They do give a crap when "Jimmy at the beach.jpg" gets infected. Who cares about the system, the user's files are the irreplaceable data! Linux people constantly talk about how you can just blow away the user's home folder to sort out virus issues on Linux. Guess what, blowing away "My Pictures" is a ten million times harder sell to a user than blowing away "System" - and to
Re: (Score:2)
If it wasn't for the ubiquitous nature of Windows these guys would be making their malware for other OSes.
And they would fail on all other systems, anyway. Other systems have bugs. Windows is insecure, and this insecurity is unfixable by design.
Nothing is perfectly secure in a world where there are clever criminals and ordinary users.
All the social engineering tricks to get information are independent of what fucking OS you're using.