The Right to Know
They're dropping like flies these days. Today it was Little & King of Merrick NY that lost $164,000 to the Zeus trojan. The pattern is fairly predictable by now.
Little & King owner Karen McCarthy looked into her bank account on Monday 15 February and discovered she had no money left. She was hoping to conclude a sellout deal but that's not going to happen when she no longer has assets to sell.
She didn't have insurance either. And for sure her bank wouldn't do anything.
She was told to go to her bank branch office the following day. And she did. And the people at the TD Bank branch office in Cherry Hill NJ were really nice and apologetic and told her that whatever happened, they'd replace it. But they probably knew already they'd be doing no such thing.
Karen also remembers her Windows PC crashing right before the theft took place - a telltale sign that not only had Zeus come to call but that it had already moved on, blocking the escape route on its way out the door.
Karen called TD Bank again on Wednesday 17 February. This time they changed their tack. They now told her they weren't paying anything as there was no error on their side.
The hackers made away with the money between Wednesday 10 February and Friday 12 February, this with five wire transfers. $41,240 was sent to Asbury PHH in New York, $80,000 was sent to someone in North Carolina, $28,640 was sent to Kimto LLC of California, and $14,875 was sent to Pamela Biagi of Kennesaw Georgia who thought she'd had an honest job.
Only later would the Little & King PC be inspected for malware - and sure enough, Zeus turned up. (Which given the low rate of detection was really something.)
TD Bank have now further clarified their position: they aren't responsible, thus Little & King get no compensation.
'They feel that because [Zeus] compromised my computer that it's my responsibility and that I should look into my insurance, but I don't have insurance', said Karen. 'I had a company that was interested in purchasing us, but they're not going to do that now. I'm basically looking at bankruptcy because I have very little money to operate on now.'
Brian Krebs tried talking to TD Bank. He got as far as a VP of corporate security but was then referred to their - marketing department? Who by the way refuse to return his calls.
'Banks will work with commercial customers to try and reverse fraudulent transfers but the chances of that succeeding diminish rapidly after the first 24 hours. Banks are under no obligation to reimburse commercial customers', explains Krebs.
How About the People?
So that's the backstory. And everyone knows where the technology failed. But how about the people? Where did they fail?
√ Karen McCarthy (and her husband Craig). Did they really have no clue Microsoft Windows was a sack of shit? That's pretty clueless. But would they have kept using that sack of shit if they'd known the truth? All the evidence says no. They would either scrap the idea of doing online banking or try one of the new ideas such as using a live CD. They certainly would not persist in using a computing system destined to ruin their lives if someone had fully explained the situation to them.
Too many war stories of how unwitting Windows users react when they finally understand what's been happening in their computers bear witness to this.
People can - and will - accuse Karen and Craig of being clueless. But if one postulates that they would act differently if they knew any differently, then who could have told them the truth? Don't they have a right to know?
√ The banks. Surely someone at TD Bank knew the score? How about their VP of corporate security? Wouldn't he be aware of the dangers and the catastrophes?
√ The Windows antivirus cottage industry. As early as 14 September 2009 Trusteer published a report showing that antivirus has less than one chance in four of detecting Zeus, much less eradicating it. The collected dramatis personae of that AV industry were surely aware of this long before Trusteer published their report. Alex Cox of NetWitness declared AV signature lists to be ineffective, essentially useless - and none of the other players are aware of the gravity of the situation?
√ Microsoft. No one better than Microsoft knows how leaky their systems are: they've been fending off zillions of malware attacks online for the past fifteen years. And although they have no shortage of Kool-Aid drinkers, they have even more who know how dangerous their products really are. They could say something.
Bill Gates' famous apology to the world in January 2002 comes to mind. Gates tacitly admitted he was aware how much 'misery and suffering' (as he put it) his products had caused people worldwide.
Gates knows. They all know. People like Karen and Craig have a right to know too.
Why Aren't They Being Told?
Everybody but Karen and Craig already knows how dangerous Zeus and Windows are. Yet no one's telling them. People who could get their ear are not saying a word. Why not?
√ The banks. The banks - the same ones that caused the current worldwide recession - are required to protect individuals but they're not required to protect corporate clients. And the Zeus gangs aren't interested in lowly savings accounts anyway.
The banks could advise their corporate clients to not use Windows for online banking - or more realistically to dispense with online banking altogether. But staffing those offices again would cost them dearly. The bottom line is it's better financially to keep things as they are - with corporations losing hundreds of thousands and only a very few individuals needing protection.
√ The Windows antivirus cottage industry. The AV companies have been playing the 'scare game' for twenty years. McAfee and Steve Gibson did it back in the days of the 'Dark Avenger'. McAfee played the game brilliantly for the 'Michelangelo' scare. Today they blog in great detail about how the latest attacks work. All to scare people.
But how about really caring about Karen and Craig? Do any of them actually come out and tell Karen and Craig how futile it is to try to protect Windows? And how their own products can't really protect them?
Kaspersky, McAfee, and Symantec were all hacked by Zeus in June of last year. They can't even protect themselves. Don't they then have an obligation to tell Karen and Craig?
√ Microsoft. The spider in the web. Everything depends on Microsoft. And Microsoft not only deliberately sidestep the issue, they also have representatives worldwide to make sure the media companies do it too.
These representatives are largely unseen and deliberately so. Many of them have deliberately misleading job titles. Their agendas are always the same: curry favour with local politicians, with media contacts, sell them continually on what a great company and friend they have in Microsoft, how everything is being done to keep the citizenry safe, and so forth. Top it off finally with an extra helping of Tirami Su and a second snifter of fine maison and then wave your 'niece' over to the table.
The truth's out there and accessible, provided Karen and Craig know how to find it. Zeus attacks only Windows. Karen and Craig would still have their $160,000 if they'd consistently used a live CD instead. But those who could reach them won't tell them. There's too much at stake.
abuse.ch: Zeus Tracker
Wikipedia: Zeus Trojan
Rants: The Malware Ruse
MDL: Malware Domain List
Prevx: Test Your FTP Logon
Rants: The Microsoft Ghetto
The Technological: Wsnpoem
NetWitness: Kneber White Paper
YouTube: Zeus Bot: Under Watch
Rants: ;DECLARE @S CHAR(4000);
Fortiguard: Zeus: God of DIY Botnets
Rants: Fighting Malware on Windows
The Technological: They Think It's OK
WSJ: Broad New Hacking Attack Detected
NetworkWorld: Malware Infects Space Station
Webroot: One Click, and the Exploit Kit's Got You
NetworkWorld: America's 10 Most Wanted Botnets
Reuters: Zeus Attacks Department of Transportation
ZBot data dump discovered with over 74,000 FTP credentials
Krebs on Security: Zeus Attack Spoofs NSA, Targets .gov and .mil
Hindu News: UAB computer forensics link Internet postcards to virus
Trusteer: Measuring the in-the-wild effectiveness of Antivirus against Zeus (PDF)
Washington Post: More than 75,000 computer systems hacked in one of largest cyber attacks
ZeuS is a nasty infection to have.
- Richard S Westmoreland