All articles licensed under a Creative Commons License.

Wednesday, March 15, 2006

Botnet Chaos: E-commerce database theft via IM

Has it been too long? Withdrawal symptoms after the last bust? I can only apologise - but when you're defending the Net from Suckers (Kung-Fu style), sometimes you really have to deep-dive before you slam the bad guys in a ditch.

Usually I like to build up to the big payoff at the end of a lengthy tease. However, this bust is different so excuse me while I drop ninety tons of planet Earth on you.

We have, by means of a hot tip from a kickass guy named Rince (and numerous chats since then... he social engineered those hax0rs good), found and analysed over 40 files, hunted down the connections between them all, and uncovered a ring of Botnet herders using a custom-built script that, powered by remote tools, scans for vulnerable payment databases and attempts to steal customer details - names, addresses, credit card numbers, the whole nine yards. Even better, there is evidence to suggest this was being fired around... you guessed it, via Instant Messaging.

In addition, after systematic research of the various groups involved, we have uncovered a number of websites where up to 40 or more files are being shared around that community, then reworked for other Botnets to continue causing mayhem. Commercially available remote admin tools (similar to the ones employed here) are used to gain complete access to the end-user's PC, steal browser auto-complete data... pretty much anything at all. Files can be uploaded, downloaded, whatever the Botmaster feels like.

However, what the Botnet master really feels like doing is downloading the payment database application to your PC, then scanning for misconfigured shopping carts using you as the fall guy.
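From the defender's side, the scheme above leaves a footprint on the shop's own web server: a compromised drone probing for misconfigured cart installs hits many distinct cart, checkout and admin paths in a short burst, most of them missing. The following is an added example, not code from the original post or from anyone it describes; it assumes Common Log Format access logs, a constructed list of path fragments to watch, and constructed sample log lines with RFC 5737 documentation addresses. It flags any client that touches many distinct cart-related paths inside a sliding time window with a high miss (401/403/404) ratio.

```python
"""Flag clients whose access-log pattern looks like automated shopping-cart scanning.

Added example (assumptions: Common Log Format, constructed path markers and sample lines).
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed path fragments typical of cart / checkout / admin areas (constructed list,
# tune to the shop software actually deployed).
CART_MARKERS = ("cart", "checkout", "admin", "config", "order", "customer")
MISS_STATUSES = {401, 403, 404}


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_scanners(lines, window_seconds=60, min_distinct_paths=5, min_miss_ratio=0.6):
    """Return {ip: stats} for clients that probe many distinct cart-related paths
    within one window, mostly getting 401/403/404 back."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and any(marker in rec["path"].lower() for marker in CART_MARKERS):
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None  # (distinct paths, miss ratio) of the busiest window seen
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits in window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = len({r["path"] for r in window})
            misses = sum(1 for r in window if r["status"] in MISS_STATUSES)
            if best is None or distinct > best[0]:
                best = (distinct, misses / len(window))
        distinct, miss_ratio = best
        if distinct >= min_distinct_paths and miss_ratio >= min_miss_ratio:
            flagged[ip] = {"distinct_paths": distinct, "miss_ratio": round(miss_ratio, 2)}
    return flagged


# Constructed sample log: one burst of probing from 203.0.113.7, one ordinary shopper.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2006:10:00:01 +0000] "GET /cart/admin/config.php HTTP/1.1" 404 512',
    '203.0.113.7 - - [15/Mar/2006:10:00:02 +0000] "GET /shop/admin/ HTTP/1.1" 404 512',
    '203.0.113.7 - - [15/Mar/2006:10:00:03 +0000] "GET /checkout/config.inc HTTP/1.1" 404 512',
    '203.0.113.7 - - [15/Mar/2006:10:00:04 +0000] "GET /admin/orders.php HTTP/1.1" 403 512',
    '203.0.113.7 - - [15/Mar/2006:10:00:05 +0000] "GET /store/customer_db.php HTTP/1.1" 404 512',
    '203.0.113.7 - - [15/Mar/2006:10:00:06 +0000] "GET /admin/login.php HTTP/1.1" 200 2048',
    '198.51.100.22 - - [15/Mar/2006:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 3000',
    '198.51.100.22 - - [15/Mar/2006:10:02:10 +0000] "GET /cart HTTP/1.1" 200 1500',
    '198.51.100.22 - - [15/Mar/2006:10:04:30 +0000] "POST /checkout HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, stats in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

The thresholds are deliberately conservative: a real shopper touches one or two cart paths and gets 200s, so the distinct-path count and miss ratio together separate scanning from browsing. Because the drones here are ordinary home PCs, the source addresses will be scattered across consumer ISPs rather than one netblock, so the per-client burst pattern, not the address, is what to alert on.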

Okay, you can come out from under your ninety tons of rubble now.

I have spent the last few months trailing round the murkiest parts of the Internet - places you wouldn't believe. Where credit card details are bought and sold, where the Bot "black market" thrives and leet script-kiddies purchase a few thousand Bots, thinking they got a good deal until someone points out all their drones were actually backdoored by the seller.

I could tell you about how hardcore Botnet controllers employ malware-collecting honeypots such as Nepenthes to obtain new samples, then reverse-engineer the files and go hijack the original owner's Botnet.

I could point you to forums where bad guys teach the art of card theft, or where the illusion of control is created by expert Botnet herders who share corrupted source code with newbies, who do nothing but complain that their newly compiled Bots mysteriously fail to work - meanwhile, the experts continue to pull in the dough by profiting off Mr N00b-Hax0r's Bots. Or how about the soft-target dynamic DNS providers... they shut down Botnet domains for 90 days, then relent and reactivate with minimal hassling! One guy has had his Botnet reinstated five times, for God's sake. I could even tell you how people share the latest scripts to "break" Adware vendor coding, one guy helpfully suggesting in relation to an unnamed piece of Adware:

If you have the unpacked EXE, you could just modify it to not have the warning box at all, or make it so both boxes clicked still do YES install.

Lovely.

However, we're not here to talk about any of that, though I may go into it in more detail at a later date. I'm here to tell you about the latest Botnet ring hopefully dashed to the ground.

Financial fraud, Adware installs, Instant Messaging attacks....it's all here.

Looking at the files in use, back when these guys first got going they were using ActiveX kits via drive-bys to make their money. But like I've been saying for some time now, bad guys are looking to exploit IM more and more. Examining all the files collected here, it's almost like looking at a fossilised history of malware - humble ActiveX beginnings, a heady dive into IRC and (before you know it) automated spreaders, reworked SDBots and EXEs pointing to multiple DNS entries. The amazing thing here is that they aren't bothering with Adware installs much anymore... but then, considering what they're up to, they don't really need to.

Oh, and all your payment systems are belong to us.

Looks like there's some more rubble to shift.

As for Rince, I'd once again like to say thanks - as Wayne Porter notes, individuals can make a difference and make people more aware of the dangers that seemingly lurk around every online corner. If you're in the media and would like to interview Rince, contact me and I'll put you in touch. It's a fascinating tale - however, we need to ensure we protect our sources. Keep an eye on Spywareguide.com, too - in the not too distant future, we'll be running an in-depth chat with him which should reveal some interesting findings. Oh, and don't forget to Digg the stories if you liked them.

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.