Cyber-criminals launched distributed denial-of-service attacks against the Swiss site abuse.ch, which identifies malicious domains and botnet command and control servers.
A white hat
Website that identifies malicious domains is under attack by criminals using
Zeus and SpyEye toolkits.
Cyber-criminals
using the SpyEye and Zeus rootkits are conducting a DDoS (distributed denial-of-service) attack against a Swiss "white hat" Website, abuse.ch, according to
researchers at RSA's
FraudAction Research Lab. The Swiss site has been identifying rogue Internet
service providers and malicious domains hosting banking Trojans and in November
launched its SpyEye Tracker,
which tracks malicious SpyEye (C&C) command and control services.
The attackers
are using new plug-ins developed for the latest variants of the SpyEye Trojan,
RSA said. The plug-ins' primary focus is DDoS attacks against legitimate Websites.
SpyEye
botmasters are "battling" the site that "threatens the very existence and
effectiveness" of their botnets, the researchers wrote on March 9.
The DDoS plug-in
currently offers three types of attack mechanisms: SYN Flood, UDP Flood and
Slowloris Flood, the researchers said. The plug-in is dedicated to attacking
the SpyEye Tracker subdomain on abuse.ch.
The addition
of DDoS-capabilities to the banking Trojan is significant because it shows
"fraudsters are eager to damage the non-profit Website's availability and
credibility," the researchers wrote.
Most recent
versions of SpyEye allow developers to add new plug-ins in the form of distinct
DLLs, RSA researchers said. The Trojans toolkit is even sold with a software
development kit to allow other developers to create and package new modules in
their own SpyEye variants.
The
researchers noted that the DDoS plug-in is sold separately from the main SpyEye
toolkit.
Abuse.ch
provides the publicly available blocklists containing known Zeus and SpyEye
command-and-control domains and IP addresses. The site employs automated
systems called Trackers to identify malicious C&C domains, IP addresses and
servers, and the information is regularly updated on the blocklists. Internet service
providers, corporations, and browser-developers can use these lists to protect
their users from SpyEye and Zeus. For example, the ISP can block the IP addresses
on the list and prevent infected machines from being able to communicate with
the C&C, preventing them from becoming zombies.
Attackers
"deliberately" inserted legitimate Website domains into SpyEye's configuration
files to throw off the site's blocklists, RSA said. This makes it difficult for
the service to distinguish which domains are legitimate and which are
malicious, the researchers speculated. Researchers found Google and Russian
social networking site Vkontakte among other domains in the configuration
files.
This means
that all the credentials collected by the Trojan from SpyEye bots, including
screen shots, user name and password combinations, and stolen certificates and
cookies, will be sent to both the malicious C&C servers as well as legitimate
Websites. Abuse.ch's Trackers may trace the information and decide those
domains are also malicious, undermining its credibility and effectiveness, the
researchers said.
SpyEye was developed after Zeus, but it's assumed that the two have merged
the code, as Zeus code has been found within
recent versions of the SpyEye toolkit. Both Zeus and SpyEye variants are used
to infect computers, steal credentials, communicate with command-and-control
servers, and steal money from bank accounts.
It is not the
first time cyber-criminals attacked legitimate security sites in order to
derail detection efforts. Russian cyber-criminals attacked Spamhaus
in late December for flagging sites as being potentially malicious.
Email
Print
