Presumably an attacker can also use other methods to access a dropzone from another attacker: an attacker could exploit vulnerabilities in the dropzone's web app (e.g., SQL injection, default passwords, open MySQL access, etc.), something that we could not do as part of our research. There have been some reports about vulnerabilities in dropzone kits, and I am sure that one could find other ways to access a dropzone.
Dancho: With Zeus clearly reaching a monocultural stage within the cybercrime marketplace, a remote exploitable flaw within the kit’s web interface could trigger an effect often seen from a white hat’s perspective. In fact, there have been cases of cybercriminals hijacking one another’s Zeus botnets due to insecurely configured web servers.
Do you believe these are isolated incidents, or a logical development in the long term, which can contribute to the rise of underground turf wars?
Thorsten: I think that this is a logical development: if I were an attacker, it would be way easier to simply exploit other dropzones than to do all the hard work on my own (buying the kit, hosting it, exploiting machines, etc.). And with tools such as ZeuS Tracker I could also easily find other dropzones and perform my attack on a larger scale.
I'd like to make two points here.
#1 Bot nets are subject to hijacking and subversion.
#2 Researchers and Security Vendors do not have the legal wherewithal to get a court order to penetrate bot nets, like the Police can get a legal writ to wiretap. And the Police do not have the computer wherewithal to know how to penetrate a bot net.
So the Bot Nets remain secure and untouchable. And the most effective methods to go after bot nets remain extra-legal and unused, while the bot nets rampage on the Internet.
There needs to be a marriage between the FBI and a core team of the best hackers the Security Vendors have, to make the "wiretapping, extra-legal" methods available to bring down these bot nets. The FBI to provide legal cover while the Security Vendors hack the bot nets and put in place their own security back doors.
The bot nets could be subverted by others for destruction of crimeware families or the WWW itself (DHS secret level 4.)
Tactical Internet Systems analyst.