
High-profile failures in the fight against virus writers


Recently it has become quite fashionable for digital security companies to report on successful operations to shut down botnets and arrest their owners. Bredolab was taken down, and only the lazy didn't write about it.

The purpose of this article is to show that not everything is so smooth in the Danish kingdom.

The author does not claim to be exhaustive, but in any case it is useful to know about the failures of the antivirus industry.


1. Conficker (also known as Downup, Downadup and Kido). One of the most dangerous computer worms. It first appeared on November 21, 2008. By exploiting a number of vulnerabilities, the worm had struck 12 million systems by January 2009. At present about 5 million systems remain infected; no activity indicating that this botnet has been activated has been recorded, but it exists.
Despite the $250,000 reward Microsoft announced on February 12, 2009 for the capture of the worm's authors and the botnet's owners, they are still free.

2. Trojan programs of the Zeus (ZBot) family appeared in 2007. Thanks to its simplicity of configuration and ease of use for stealing web data, ZeuS has become one of the most widely distributed and widely sold pieces of spyware on the black Internet market, and the Zeus botnet is number 1 in the world, with more than 3.6 million infected machines in the US alone. The author of the Trojan, known as "Slavik" or "Monstr" on hacker forums, actively sold his brainchild right up to the middle or end of 2010, after which he announced that he was ceasing his activity. The proceeds from sales of the Trojan alone are estimated in seven figures (in dollars, of course), not to mention the carding side and the stolen confidential data.

Discussing ZeuS has become a hallmark of any self-respecting digital security company, and a dedicated tracker was even created to monitor the botnet's activity, but Slavik is still at large.

3. SpyEye, how much is in that word... The Trojan appeared at the end of 2009 or the beginning of 2010 and was immediately pitted against Zeus. The author of the Trojan, known on the forums as "Gribodemon" or "Harderman", actively promoted his product, at one point even equipping it with Zeus Killer, a feature designed to remove the competitor from zombie systems.
As soon as the author of Zeus decided to retire, he transferred (sold?) the source code to Gribodemon, on the condition that the existing "users" would be supported. At this point it is no secret that the new versions of SpyEye carry many of the functions of its former rival.
Finding Gribodemon is not so difficult, both through the activity of his botnet and on hacker forums. His offers are still active.

4. TDL / TDSS (Alureon, TidServ). One of the most technologically advanced rootkits at the moment. TDL4 is the first and one of the few rootkits for the x64 platform. New mechanisms and new 0-day vulnerabilities that bypass existing antivirus systems are constantly being put to use. Individual code fragments, behaviour and phrases in the configuration file suggest that the authors are also natives of the once United and Mighty.
The TidServ botnet is the third largest in the world; however, that information is rather outdated, and the antivirus corporations are in no hurry to share newer figures.

5. In July 2010, Slovenian police arrested three students on suspicion of creating Mariposa / Palevo. Earlier, in the spring of the same year, three operators of the same botnet were arrested in Spain. The botnet is considered "decapitated", "eliminated", "inactive", and there was much laughter when the students under investigation tried to find work at security companies, but there is always a "but"! New versions of Kolab / Palevo keep being created and detected, and the appearance of new C&C servers every day is hardly reassuring... One should also note the particular professionalism of this worm's code, which students could have managed, but only talented students. Has the botnet fallen? Hmm...

6. December 2010... Together with staff of Department "K" of the Ministry of the Interior of the Russian Federation and foreign colleagues working in IT security, a huge botnet of about 600,000 systems worldwide was discovered. The botnet's C&C was located mainly on Russian servers. The owner of the botnet was also identified: someone under the nickname "crazyese". It is known that "crazyese" is involved in DDoS attacks on government sites in various countries; nothing else is known. After the botnet was discovered, the secret services of various countries took an interest in the owner of this network.
On February 9, 2011, the ICQ number (609684624) of that same "crazyese" appeared online; one of his competitors published it. However, the owner of the number is not hiding, and continues to openly offer his services.

The list could go on, but what's the point? Let's stop at the sinister number 6. It is more interesting to find the answer to the question: why, with all the power of the antivirus industry, with all the splendour and sheer number of rapid response teams for attacks and threats, do all the cases described take place, and why, above all, does the main thing still exist? There may be many answers; perhaps one of them is close to the truth...

Source: https://habr.com/ru/post/114785/

