Feeds

ZeuS miscreants offer up honeypot

Cybercrooks turn the table on researchers with fake interface

5 things you didn’t know about cloud backup

Cybercrooks are attempting to turn the tables on security researchers by setting up fake interfaces on their botnets in a bid to confuse and confound analysis.

The fake honeypot tactic was brought into play by a group using a variant of the infamous Zeus crimeware toolkit. The unknown miscreants targeted quarterly federal taxpayers with fake emails that sought to trick prospective marks into visiting a website loaded with exploits on the pretext that there had been a problem with their tax returns. If successful, the attack resulted in the infection of PCs with variants of ZeuS primarily designed to capture and extract bank login details.

In between waiting for the drop of confidential IDs from compromised machines, the crackers set up a trap for researchers. A bogus administrative panel hands out counterfeit statistics on the number of ZeuS-infected machines, as well as the ability to upload new bot malware, a feature designed to hoodwink security researchers or rival botnet operators.

A write-up of the ZeuS decoy admin console can be found in a post on the Last Line of Defense blog here.

"This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it," the post explains.

In a nice touch, the phoney login accepts default or easily guessed login credentials. Just for good measure, the interface is also also vulnerable to a simple SQL-injection vulnerability.

The deployment of the fake honeypot tactic in ZeuS-related malware operations is unlikely to be coincidental. The discovery of genuine ZeuS interfaces over recent months has been a major source of raw intelligence for security researchers. Although we can't say for sure at this point it's even possible that this data led to the recent run of arrests of ZeuS crimeware suspects in the UK, US and the Ukraine.

Crooks who use ZeuS as the weapon of choice for snaffling online banking credentials would doubtless be interested in frustrating this kind of researcher through the use of decoys. Viewed from this perspective, spying on what their opponents are up to would be a bonus for cybercrooks. And since ZeuS is highly customisable adding in the additional honeypot hooks would have been no great chore. ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.