Botnet Kill Switch: 100000 BSODs

For the past few years it has seemed as if malware authors had moved away from doing actual damage to systems and had instead focused on stealth, so that infected machines could be used silently, and without their owners' knowledge, for all sorts of malicious practices. Sadly, there are still crackers out there who prefer the old-fashioned approach. The result: about 100000 ruined Windows machines.

Zeus is a family of Windows malware whose distinguishing trait is that the copy on each infected machine looks unique, which makes it very hard for signature-based scanners to detect and remove. Zeus is sold as a kit, for about 700 USD, to all sorts of people with criminal intentions.

Zeus is also notable for another reason: it has a kill switch, called “kos” (kill operating system). The kit's help file (!) has this to say about it (Google translation):

kos – incapacitate the OS, namely grip the HKEY_CURRENT_USER and/or HKEY_LOCAL_MACHINE registry branches. If you have sufficient privileges, fly to a “blue screen”; in other cases it creates the brakes. Following these steps, loading the OS will not be possible!
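Whatever kos does to the registry on a particular machine, the aftermath the help file promises is a box that no longer boots, and recovery starts with pulling the hive files (SYSTEM, SOFTWARE, NTUSER.DAT) off the disk from a rescue environment and asking whether they are still loadable at all. The following is an added example, not code from the article, from Zeus or from any tool it names: a small Python check of the 512-byte base block of a registry hive file, using the public regf layout (the “regf” signature, the primary and secondary sequence numbers that must match after a clean write, the version fields, and the XOR-32 checksum over the first 508 bytes). It only tells you whether the file is still a valid hive container, not whether the keys inside survived; the sample headers it builds are constructed for the demonstration.

```python
"""Triage check for the base block (first 512 bytes) of a Windows registry hive.

Added example, not from the article. Offsets follow the public regf format:
0x00 "regf", 0x04/0x08 primary/secondary sequence numbers, 0x14/0x18 major/minor
version, 0x1FC XOR-32 checksum of the preceding 508 bytes.
"""
import struct

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian 32-bit words that precede the checksum field."""
    csum = 0
    for word in struct.unpack("<127I", base_block[:508]):
        csum ^= word
    # The format reserves two values: all-ones becomes 0xFFFFFFFE, zero becomes 1.
    if csum == 0xFFFFFFFF:
        csum = 0xFFFFFFFE
    elif csum == 0:
        csum = 1
    return csum


def check_hive_base_block(data: bytes) -> list:
    """Return the list of problems found; an empty list means the header looks sane."""
    problems = []
    if len(data) < BASE_BLOCK_SIZE:
        return ["file shorter than a base block (%d bytes)" % len(data)]
    bb = data[:BASE_BLOCK_SIZE]
    if bb[:4] != REGF_SIGNATURE:
        problems.append("missing 'regf' signature: %r" % bb[:4])
    primary, secondary = struct.unpack_from("<II", bb, 4)
    if primary != secondary:
        problems.append("sequence numbers differ (%d != %d): hive was not cleanly written"
                        % (primary, secondary))
    major, minor = struct.unpack_from("<II", bb, 0x14)
    if major != 1:
        problems.append("unexpected major version %d (minor %d)" % (major, minor))
    stored = struct.unpack_from("<I", bb, 0x1FC)[0]
    computed = regf_checksum(bb)
    if stored != computed:
        problems.append("checksum mismatch: stored 0x%08x, computed 0x%08x" % (stored, computed))
    return problems


def build_sample_hive_header(primary_seq=5, secondary_seq=5, name="SYSTEM") -> bytes:
    """Constructed sample base block for the demo; a real hive continues with hbin data."""
    bb = bytearray(BASE_BLOCK_SIZE)
    bb[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", bb, 4, primary_seq, secondary_seq)
    struct.pack_into("<Q", bb, 0x0C, 0)                   # last-written FILETIME (constructed: zero)
    struct.pack_into("<IIII", bb, 0x14, 1, 5, 0, 1)       # major 1, minor 5, type primary, format direct
    struct.pack_into("<III", bb, 0x24, 0x20, 0x1000, 1)   # root cell offset, hbin data size, clustering
    bb[0x30:0x30 + len(name) * 2] = name.encode("utf-16-le")
    struct.pack_into("<I", bb, 0x1FC, regf_checksum(bytes(bb)))
    return bytes(bb)


def demo() -> dict:
    """Run the checker over a clean header, a dirty (interrupted-write) one and a wiped sector."""
    clean = build_sample_hive_header()
    dirty = build_sample_hive_header(primary_seq=6, secondary_seq=5)
    zeroed = bytes(BASE_BLOCK_SIZE)  # what an overwritten first sector looks like
    return {
        "clean": check_hive_base_block(clean),
        "dirty": check_hive_base_block(dirty),
        "zeroed": check_hive_base_block(zeroed),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Against a real file, call `check_hive_base_block(open(path, "rb").read(512))`. A mismatched sequence pair is what an interrupted write leaves behind, and it is what the .LOG1/.LOG2 transaction logs beside each hive exist to repair; a missing signature or bad checksum means the hive itself has been overwritten and you are down to backups.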

Roman Hüssy, a 21-year-old Swiss information technology expert who tracks various Zeus control servers, was surprised to learn that this switch had actually been used on a botnet of about 100000 machines, located mostly in Poland and Spain. It is surprising because shutting down a botnet is counterproductive for the crackers: a machine that no longer boots earns them nothing.

Hüssy says he has no idea why the kill switch was flicked. “Maybe the botnet was hijacked by another crime group,” he said. It could also be, he explained, that it happened by accident. “Many cyber criminals using the Zeus crimeware kit aren’t very skilled.”

Another plausible explanation, offered by S21sec.org, is that the botnet was shut down to buy the crackers time: “Taking the victim away from Internet connection – before the unwanted money transfer is realized and further actions could be taken.” A victim whose PC will not boot can neither check the bank account nor reverse the transfer quickly.

In any case, it is all the more reason to properly secure your Windows machines, or to switch to alternatives such as Linux and Mac OS X. Note what the help file itself admits: without sufficient privileges kos can only make the machine sluggish, not unbootable, so running day-to-day as a standard user rather than an administrator takes most of the sting out of this particular switch.
