Cybercrooks set up fake interfaces on their botnets
November 5, 2010
Some Internet hackers and cybercriminals are setting up fake interfaces on their botnets to confuse security researchers and send them on a wild goose chase. And the tactic seems to be working, at least for now.
The fake honeypot scenario was brought to light by a group using a variant of the now infamous ZeuS crimeware toolkit. The unknown criminals targeted quarterly federal taxpayers with fake emails that sought to trick prospective marks into visiting a website loaded with exploits, on the pretext that there had been a problem with their tax returns.
If successful, the attack would have resulted in the infection of personal computers with variants of ZeuS primarily designed to capture and extract bank login details.
While waiting for stolen credentials to drop in from compromised computers, the attackers set up a trap for security researchers. A bogus administrative panel hands out counterfeit statistics on the number of ZeuS-infected machines, as well as offering the ability to upload new bot malware, a feature designed to send security researchers or rival botnet operators into a tailspin.
"This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it," the post explains.
The deployment of the fake honeypot tactic in ZeuS-related malware operations is unlikely to be coincidental. The discovery of genuine ZeuS interfaces over recent months has been a major source of raw intelligence for security researchers.
Although we can't say for sure at this point, it's even possible that this data led to the recent run of arrests of ZeuS crimeware suspects in the U.K., the U.S. and Ukraine.
The phoney admin login accepts default or easily guessed credentials. For good measure, the interface also contains a simple SQL-injection flaw, so anyone who probes it is recorded along with the technique they tried.
It seems the miscreants thought of everything when they built this one.
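The decoy described above works by letting weak credentials and injection-looking input appear to succeed while every visitor is recorded. The following Python sketch is an added example, not code from the article or from any real panel, showing how such a logging decoy would classify and tally the people who touch it; the accepted credential pairs, the injection signatures and the sample traffic are all constructed values.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Credential pairs the decoy deliberately accepts (constructed sample values).
DECOY_ACCEPTED = {("admin", "admin"), ("admin", "password"), ("root", "123456")}

# Signatures of SQL-injection style probing in a submitted login field.
SQLI_SIGNATURES = [
    r"'\s*or\s+'?[^']*'?\s*=\s*'?",  # ' or '1'='1
    r"--\s*$",                        # trailing SQL comment
    r"union\s+select",
]

@dataclass(frozen=True)
class Attempt:
    src_ip: str
    username: str
    password: str

@dataclass(frozen=True)
class DecoyEvent:
    src_ip: str
    username: str
    kind: str       # "default_creds", "injection" or "other"
    accepted: bool  # whether the decoy pretends the login succeeded

def classify(attempt: Attempt) -> DecoyEvent:
    """Decide how the decoy responds and what it records about the visitor."""
    fields = (attempt.username, attempt.password)
    if any(re.search(sig, f, re.IGNORECASE) for f in fields for sig in SQLI_SIGNATURES):
        kind, accepted = "injection", True      # looks exploitable, keeps the visitor engaged
    elif fields in DECOY_ACCEPTED:
        kind, accepted = "default_creds", True  # weak credentials "work"
    else:
        kind, accepted = "other", False
    return DecoyEvent(attempt.src_ip, attempt.username, kind, accepted)

def who_probed(attempts) -> dict:
    """Per-source summary of which technique each address tried and how often."""
    counts = Counter((e.src_ip, e.kind) for e in map(classify, attempts))
    return dict(counts)

# Constructed sample traffic against the decoy (documentation address ranges).
SAMPLE_ATTEMPTS = [
    Attempt("203.0.113.7", "admin", "admin"),
    Attempt("203.0.113.7", "admin", "' or '1'='1"),
    Attempt("198.51.100.4", "analyst", "Tr0ub4dor&3"),
    Attempt("198.51.100.4", "admin' --", "x"),
]
```

Defenders use the same deception pattern in reverse: a fake admin page on a production network that nobody legitimate should ever log into, where every "successful" login is an alert.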
Cybercrooks who use ZeuS as the weapon of choice for sniffing online banking credentials would doubtless be interested in frustrating this kind of research through the use of decoys. Viewed from this perspective, spying on what their opponents are up to would be a bonus.
Additionally, since ZeuS is highly customizable, adding the honeypot hooks would have been no great chore.