ZeuS attackers set up honeypot for researchers

Any criminal who wants to stay successful must know his opponents and hide the details of his operations well, so it is no wonder that online criminals are resorting to planting honeypots and fake information for security researchers and competitors to find.

Investigation into the latest spam campaign notifying potential victims that their tax payment was rejected due to an error with the Electronic Federal Tax Payment System has revealed that these ZeuS-peddling criminals used an exploit toolkit that had a fake administration panel.

Exploit toolkits usually have an admin interface, but few of them have a bogus one that functions as a honeypot and documents the details of every attempt to access or hack it.

“The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings,” says security researcher Brett Stone-Gross. “After the researcher/hacker is ‘authenticated’, they are shown random exploit statistics.”

It seems legitimate enough at first glance, but one look at the source code reveals that the numbers are chosen at random from predefined intervals.

Stone-Gross also told DarkReading that further probing into the source code turned up a directory called “fake admin”, which stored all the IP addresses from which access to the console was attempted, along with some remarks in Russian. The information collected this way could allow the criminals to blacklist researchers or mount attacks against them in the future if they feel threatened.
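
The same decoy-login idea works for defenders on their own infrastructure: a panel that protects nothing, "accepts" default credentials and SQL injection strings, and records who tried. The sketch below is an added example, not code from the exploit toolkit or the original article; the credential list, the regular expression and the names `classify` and `DecoyLogin` are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed list of default/easily guessed pairs the decoy will "accept".
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Common SQL injection probe shapes: quote + OR/AND, quote + comment/terminator, UNION SELECT.
SQLI = re.compile(r"['\"]\s*(or|and)\b|['\"]\s*(--|#|;)|\bunion\s+select\b", re.IGNORECASE)


def classify(username, password):
    """Label a login attempt by the kind of probe it represents."""
    if SQLI.search(username) or SQLI.search(password):
        return "sql_injection"
    if (username.lower(), password) in DEFAULT_CREDS:
        return "default_credentials"
    return "other"


class DecoyLogin:
    """Decoy admin login: protects nothing, records every attempt."""

    def __init__(self):
        self.events = []

    def attempt(self, src_ip, username, password):
        kind = classify(username, password)
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "username": username,
            "kind": kind,
        })
        # "Authenticate" only the probes the decoy exists to catch.
        return kind != "other"

    def sources_by_kind(self):
        """Count attempts per (source IP, probe kind) for alerting or blocklisting."""
        return Counter((e["src_ip"], e["kind"]) for e in self.events)


if __name__ == "__main__":
    decoy = DecoyLogin()
    # Constructed attempts from documentation-range addresses.
    decoy.attempt("192.0.2.10", "admin", "admin")
    decoy.attempt("198.51.100.7", "admin' OR '1'='1' -- ", "x")
    decoy.attempt("203.0.113.5", "alice", "correct horse")
    for (ip, kind), n in decoy.sources_by_kind().items():
        print(ip, kind, n)
```

Any hit on such a panel is high-signal, because no legitimate user has a reason to log in to it.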

http://www.net-security.org/malware_news.php?id=1520&utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29


Posted November 10, 2010 by axxerainc in Uncategorized
