Non-tech criminals can now 'rent a botnet'

May 15, 2008 (Computerworld Australia) Online fraudsters that aren't highly skilled in the art of cybercrime can now rent a service that offers an all-in-one hosting server with a built-in Zeus Trojan administration panel and infecting tools, allowing them to create their own botnets.

EMC Corp.'s security division, the RSA Anti-Fraud Command Center (AFCC), cited an increase in the use of the Zeus Trojan in attacks against financial institutions in its April online fraud report, claiming the Trojan is "extremely user-friendly and easy to operate."

"Fraudsters who execute Zeus attacks simply need to take control of a compromised server or have their own back-end servers; once they have a server in place, they merely need to install the Zeus administration panel, create a username and password, and start launching their attacks," the report stated.

But the AFCC recently traced a new service that does all of the above for would-be botnet barons. The service offers access to a "bullet-proof hosting server with a built-in Zeus trojan administration panel and infection tools. ... The service includes all of the required stages in a single package, meaning that all the fraudster now has to do is pay for the service, access the newly-hired Zeus trojan server, create infection points and start collecting data."

RSA's banking and finance specialist, Geoff Noble, said that those offering the Zeus package are mirroring what legitimate security vendors are offering — security as a service — but in their case, they are slinging malware as a service.

"Phase 1 of online threats was stealing credit card numbers, buying stuff on the Internet and selling it somewhere else to make a profit. Phase 2 is this grabbing of usernames and passwords online. Phase 2b is productizing that solution, and Phase 2c is offering that solution as a service," Noble said.

"What Zeus means is that you are buying a service with traditional software support and maintenance, so you can go about your business without updating and patching," he said.

RSA said that the exploit package allows fraudsters to easily infect users and grow a botnet of compromised machines, and boasts an easy-to-use Web-hosting control panel that can be used by virtually anyone.

"The bottom line is that with such services, creating the infrastructure for Zeus attacks and actually implementing these attacks is now easier than ever before," the report said.

"It makes it markedly easier because you don't need to bring together the three components. The challenge still remains how to get the cash out — and that will likely be the constriction point getting in the [fraudsters'] way," Noble said. "It will be a lot easier to do on the attack front, but the cash still needs to come out of the channel."

Victims receiving e-mails at home or work offering amazing deals to become the local financial outpost for a multinational company is just one of the ways the fraudsters are getting the cash out.

"People still get sucked into that, and that's one of the variants of getting the cash out. The fact that it's too good to be true doesn't always sink into everyone, and people still become mules," Noble said. "And we're seeing a lot more specific approaches to people to become mules in tandem with the ease of use for non-tech spooks and fraudsters."

The Zeus Trojan is designed to perform advanced keylogging when infected users access specific Web pages. The information it collects is encrypted when it is sent to the collection point and can be communicated over SSL encryption.

The monthly AFCC report found that U.S. banks continued to be the dominant target of cybercriminals, with 62% of attacks, followed by the U.K. with 11%. Australia and New Zealand made it into the list for the second month in a row as phishing in the Asia-Pacific region continues to grow.

The U.S. also topped the AFCC's April list of top hosting countries, with 51% of phishing attacks originating from there — a 12% decrease from the previous month. China came in second with 19% of attacks, while Australia was responsible for 2% of threats.

Reprinted with permission from

Computerworld AustraliaFor more news from Computerworld Australia, visit its Web site. Story copyright 2006 Computerworld New Australia. All rights reserved.