Feeds

ZeuS miscreants offer up honeypot

Cybercrooks turn the table on researchers with fake interface

Secure remote control for conventional and virtual desktops

Cybercrooks are attempting to turn the tables on security researchers by setting up fake interfaces on their botnets in a bid to confuse and confound analysis.

The fake honeypot tactic was brought into play by a group using a variant of the infamous Zeus crimeware toolkit. The unknown miscreants targeted quarterly federal taxpayers with fake emails that sought to trick prospective marks into visiting a website loaded with exploits on the pretext that there had been a problem with their tax returns. If successful, the attack resulted in the infection of PCs with variants of ZeuS primarily designed to capture and extract bank login details.

In between waiting for the drop of confidential IDs from compromised machines, the crackers set up a trap for researchers. A bogus administrative panel hands out counterfeit statistics on the number of ZeuS-infected machines, as well as the ability to upload new bot malware, a feature designed to hoodwink security researchers or rival botnet operators.

A write-up of the ZeuS decoy admin console can be found in a post on the Last Line of Defense blog here.

"This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it," the post explains.

In a nice touch, the phoney login accepts default or easily guessed login credentials. Just for good measure, the interface is also also vulnerable to a simple SQL-injection vulnerability.

The deployment of the fake honeypot tactic in ZeuS-related malware operations is unlikely to be coincidental. The discovery of genuine ZeuS interfaces over recent months has been a major source of raw intelligence for security researchers. Although we can't say for sure at this point it's even possible that this data led to the recent run of arrests of ZeuS crimeware suspects in the UK, US and the Ukraine.

Crooks who use ZeuS as the weapon of choice for snaffling online banking credentials would doubtless be interested in frustrating this kind of researcher through the use of decoys. Viewed from this perspective, spying on what their opponents are up to would be a bonus for cybercrooks. And since ZeuS is highly customisable adding in the additional honeypot hooks would have been no great chore. ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.