Friday, November 30, 2007

the long.... slow.... arm of the law....

ok, this is kinda funny... police "swoop" and catch a teenage hacker who has owned over a million computers and stolen millions of dollars...

yeah, you are safer today, because this guy was a "whizzkid kingpin" behind "an international spybot ring"... i mean, geez, he took down an irc chat room b/c they kicked him out once...

(note: i wonder if spybot knows that the media has suddenly co-opted their name and made it synonymous with malware... /me smacks the ignorant ap and bbc tech reporters... sigh... i'm writing the bbc and ap to let them know...)

anyway, so this "very bright and very skilled" kid has been owning the heck outta the tubes... well, from what i gather, he is known for the creatively named "akbot" series of viruses...

yes, these dangerous virus variants exploit uber-0days such as MS04-007 and MS04-011... according to sophos, the akbot-a variant was detected right around the beginning of 2006... sooo, that's over 1.5 years between the vulns being patched and this mastermind's exploit release... really, he is dangerous... not at all a script kiddie who copied someone else's code, flipped some bits, and got a series of variants named after his handle...

they say the feds thought he was extremely sophisticated, and that he used encryption to avoid AV detection, but this kinda flies in the face of the fact that there are multiple variant detections listed on av sites... i mean, virtually all malware is undetected by AV at some point in time, just b/c almost all AV is sig based... i'm assuming they mean he used a packer/obfuscator like most malware authors do...
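since "used encryption to avoid AV detection" is being sold as genius, here's an added example (mine, written for this post; not akbot's code and not anything from the articles) of what a packer actually does to a signature-based scanner. everything in it is a constructed stand-in: the harmless text "payload", the one-byte XOR "packer", the `UNPK` stub marker, and the signature names. the toy scanner matches a substring of the unpacked body; XOR the body and the signature is gone, re-pack with a different key and you have a "new variant" with a different hash, and the only real answers are to sign the decoder stub every variant shares or to unpack before scanning...

```python
"""Why a packer defeats a substring signature: constructed toy, not akbot code."""
import hashlib

# Constructed stand-in for a bot body. Harmless text; a real sample would be
# machine code, but a substring signature behaves the same either way.
PAYLOAD = b"connect irc.example.invalid 6667; join #c2; await commands"

# Hypothetical signature database: name -> byte pattern taken from the body.
SIGNATURES = {
    "Toy/Akbot-A": b"join #c2; await commands",
}

# Constructed marker standing in for the decoder stub a packer prepends to
# every sample it produces. Real stubs are code; the point is that the stub is
# shared across variants while the body changes with every key.
STUB = b"UNPK"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (self-inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def pack(payload: bytes, key: int) -> bytes:
    """Toy packer: stub || key || XOR-encoded body."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte; key 0 leaves the body unchanged")
    return STUB + bytes([key]) + xor_bytes(payload, key)


def unpack(sample: bytes) -> bytes:
    """Recover the body if the sample carries our stub, else return it unchanged."""
    if not sample.startswith(STUB) or len(sample) <= len(STUB):
        return sample
    key = sample[len(STUB)]
    return xor_bytes(sample[len(STUB) + 1:], key)


def scan(sample: bytes, sigs: dict = None) -> list:
    """Plain signature scan: report every pattern found as a substring."""
    sigs = SIGNATURES if sigs is None else sigs
    return [name for name, pattern in sigs.items() if pattern in sample]


def scan_unpacked(sample: bytes, sigs: dict = None) -> list:
    """What a generic unpacker/emulator buys you: scan the decoded body."""
    return scan(unpack(sample), sigs)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Run the whole story and return the observations as a dict."""
    v1 = pack(PAYLOAD, 0x5A)
    v2 = pack(PAYLOAD, 0x3C)          # same body, new key -> "new variant"
    stub_sigs = dict(SIGNATURES, **{"Toy/Packer-Stub": STUB})
    return {
        "plain_detected": scan(PAYLOAD),        # ['Toy/Akbot-A']
        "v1_detected": scan(v1),                # [] : signature is gone
        "v2_detected": scan(v2),                # [] : still gone
        "variants_differ": sha256(v1) != sha256(v2),
        "same_body": unpack(v1) == unpack(v2) == PAYLOAD,
        "stub_sig_v1": scan(v1, stub_sigs),     # catches the packer, any key
        "stub_sig_v2": scan(v2, stub_sigs),
        "unpack_then_scan_v2": scan_unpacked(v2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

run it and you get the whole "multiple variants listed on av sites" story in a few lines: the vendor adds a sig for the body, the author re-packs with a new key, the vendor adds another sig, and so on, until somebody writes a detection for the stub (or the engine unpacks/emulates before matching)... nothing about that needs a whizzkid, it's a one-byte XOR here and a stock packer in the wild...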

i know i may be missing a lot of details, but this is what is being reported... i think it speaks to the lack of understanding of the severity of today's infosec issues that none of these articles mention these points...

i mean, one of those articles says "the FBI believes the raid has helped breakup the botnet network". yeah, b/c the guy who logged into the IRC control channel isn't logging in anymore, so all of these infected computers have cleaned themselves of their infections? it is such old-world thinking to say "we've arrested the perp, so the crime is over"... how many of these 1,000,000+ infected machines just got akbot through a dropper or some other vector, and have other malicious apps running as well? well, hrmm... since the vuln for this was patched 3 years ago, i'm gonna guess that a lot of em have other infections if they got hit w/ this... ;)

1 comment:

Jens "jdm" Meyer said...

I heard about this on BBC this morning. They were really talking this guy up. Boo.