Researchers at RSA's FraudAction Research Lab detected how the cybercriminals were conducting the attacks against the Swiss white hat site, abuse.ch, which has been identifying rogue ISPs and malicious domains hosting banking Trojans. The website launched its SpyEye tracking list in November.
RSA said the cybercriminals are using new plug-ins developed with the latest SpyEye Trojan variants. SpyEye, a crimeware toolkit, surfaced in late 2009 and immediately began competing with Zeus-based toolkits. The cybercriminals behind Zeus have either sold out or merged with SpyEye, and today malware variants from both code bases are used to infect computers, steal credentials, call command-and-control servers and ultimately drain bank accounts.
In an interview with SearchSecurity.com, Yuval Polevoy, a senior researcher at RSA's FraudAction Research Lab, said he's also seen evidence of the merging of the Zeus and SpyEye code-bases. The latest SpyEye toolkit versions have parts of the Zeus code that look identical, he said. SpyEye is currently less protected than Zeus, making it easier to detect and remove from an infected system, he said.
Polevoy said the DDoS plug-in has vulnerabilities that reduce its effectiveness. "It shows little to no sophistication in its implementation," he said. The plug-in does no real input checking and its code isn't protected in the same way the rest of SpyEye is protected, he said.
Polevoy said abuse.ch has been effective, providing free feeds of known Zeus and SpyEye command-and-control servers and IP addresses. The malicious IP address lists help network security pros at major ISPs and enterprises set up blacklists, denying communication to those malicious IP addresses. They also help CERTs and law enforcement track the illegal activity. The site helped get more than a dozen Russian- and Ukrainian-based Zeus command-and-control servers shut down in January.
In addition to attempting to disable the white hat website by flooding it with traffic, savvy attackers have altered SpyEye configuration files, adding legitimate website domains and phony data collection points to contaminate the website's malicious IP address lists.
"In essence, SpyEye botmasters are battling the non-profit website, which threatens the very existence and effectiveness of their botnets," according to an RSA research brief published Wednesday.
The cybercriminals added the domain of Google as well as popular Russian social network Vkontakte to SpyEye's configuration files in an attempt to get the website to classify the legitimate website domains as communication points for the botnet, diminishing the IP blacklist's credibility.
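The poisoning trick described above is why a consumer of a C2 feed wants a quality-control step before anything extracted from a seized configuration is published to a blacklist. The following Python is an added example, not code from the article, RSA or abuse.ch; the allowlist, the sample config entries and the triage labels are assumptions constructed for illustration.

```python
# Added example: triage of C2 candidates extracted from a crimeware config so that
# planted legitimate domains (the article names Google and Vkontakte) are held for
# analyst review instead of being auto-published to a blocklist.
# All domains, URLs and labels here are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains an analyst would never blocklist wholesale.
KNOWN_LEGITIMATE = {"google.com", "vk.com", "vkontakte.ru"}

# Constructed sample of C2 URLs as they might be pulled from a SpyEye config file.
SAMPLE_CONFIG_ENTRIES = [
    "http://badhost.example/gate.php",   # plausible real C2 gate
    "http://www.google.com/",            # planted legitimate domain
    "http://vk.com/",                    # planted legitimate domain
    "http://notgoogle.com/gate.php",     # must NOT match the allowlist by substring
    "http://10.0.0.5/cfg.bin",           # RFC 1918 address, cannot be a public C2
]

def is_allowlisted(host, allowlist):
    """True if host equals or is a proper subdomain of an allowlisted domain.

    The leading '.' in the suffix test is what stops 'notgoogle.com' from
    matching 'google.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)

def triage_candidate(url, allowlist=KNOWN_LEGITIMATE):
    """Classify one extracted URL as 'block', 'review' or 'reject'."""
    host = urlsplit(url).hostname
    if not host:
        return "reject"              # unparsable entry, nothing to act on
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Private, loopback, documentation and similar ranges are never real C2.
        return "block" if ip.is_global else "reject"
    if is_allowlisted(host, allowlist):
        return "review"              # likely list poisoning; needs a human decision
    return "block"

def triage_feed(entries, allowlist=KNOWN_LEGITIMATE):
    """Map every extracted entry to its triage decision."""
    return {u: triage_candidate(u, allowlist) for u in entries}
```

Entries marked "review" are the ones the attackers in the article were counting on being published blindly; holding them back costs nothing in coverage of genuine C2 hosts.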
RSA said the DDoS plug-in was one of a number of plug-in modules made available in the latest version of the SpyEye toolkit. SpyEye includes a Software Development Kit, enabling cybercriminals to create additional plug-in modules. The DDoS module can be set to target a single website, such as abuse.ch, or multiple websites, RSA said.
In an email, Paul Vixie, president of the Internet Systems Consortium and creator of the popular internet domain name server BIND, said abuse.ch is one of a handful of respected services helping track malicious traffic.
"abuse.ch is extremely well respected. However, to be the target of an attack like this one requires only that abuse.ch have limited and occasional success at getting criminals thrown off of ISPs," Vixie said. "In that sense abuse.ch is far more qualified and deserving of criminal DDoS than they need to be, and it's a mystery they aren't attacked more."
Malware expert Jose Nazario, senior manager of security research at Arbor Networks and board member at The Honeynet Project, which is designed to detect and study new attacks, said abuse.ch data is used internally along with additional data gathered by Arbor. He said the project has been providing good quality control on the data it provides.
"It should be self-evident," Nazario wrote in an email of the attacks. "If [attackers] have to take it down it's because it's disrupting the Zeus users' efforts."