A viable answer to the botnet problem?
As the recent case of the Bredolab botnet takedown has shown yet again, going after C&Cs is ultimately a failed tactic for shutting botnets down.
Obviously, it is time to try something new, and two security researchers from Miami might be on the right track. Peter Greko and Fabian Rothschild have developed a number of methods that should severely compromise the accuracy of the collected data and, therefore, make the botmasters’ customers unsatisfied with the merchandise, and they are going to present them at the OWASP AppSec conference held in DC this week.
According to ThreatPost, the researchers analyzed the methods of data exfiltration and communication with the C&Cs of the ZeuS Trojan, and came up with the several different tactics.
For example:
When the victims visit the login page of a bank or another high-value site, and the ZeuS module presents them with additional Web form fields that ask them for information such as their Social Security number, one of the methods developed by the researchers allows them to inject additional fields invisible to the victim and fill them with unrelated, bogus data.
This way, the botnets’ databases are filled with junk data intermingled with the accurate, which is then harder to find and to sell. Another strategy they have come up with is rather similar to this one, but also allows them to add this junk data directly to the legitimate values when they are sent, or to replace it with JavaScript.
The last technique allows them to encrypt the data with encryption keys that cannot be detected by the ZeuS bot and that make the sent data worthless to the botmasters because they cannot be decrypted.
All these methods are meant to be applied by operators of high-value sites, so that the traditionally weakest link in the security chain – the uninformed user – is bypassed. Greko maintains that these methods work successfully when it comes to most ZeuS variants currently in circulation. Let’s hope that’s correct and that this is a step in the right direction.