Cyber-Criminals Target Their Own Kind

Vulnerabilities in crimeware kits are being exploited to steal the assets of the competition

By Lucian Constantin, Web News Editor

2nd of March 2009, 09:33 GMT

[Image caption: The Zeus crimeware kit is vulnerable]

Cyber-crooks are not only exploiting security flaws in popular software in order to steal from vulnerable and innocent users. Independent Security Consultant Dancho Danchev describes how vulnerabilities in unpatched releases of the Zeus crimeware kit are being exploited by hackers in order to steal resources from their fellow criminals.

The security researcher has come across an interesting posting made by a botnet runner, who asks for help to secure his infrastructure after being compromised several times by other hackers. According to his own account, someone hijacked his botnet, composed of over 100,000 compromised computers, by exploiting a vulnerability in the Zeus kit, which allowed remotely injecting a high-level account into the administration panel of the crimeware.

Zeus is one of the popular commercial kits used by phishers and stands as proof of the existence of an ever-evolving, profitable underground industry. The crimeware (software used for criminal purposes) comes packed with a mind-boggling set of features, and allows phishers to easily create customized banking information-stealing trojans, as well as distribute and administer them.

At the time of its creation, the Zeus crimeware kit cost around $700, but, just like any application, it is susceptible to vulnerabilities, bugs and misconfiguration. In a post dating back to June 2008, Dancho Danchev announced that a vulnerability "allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data."

[Image caption: Zeus crimeware kit administration panel]

The recent discussion that the researcher has intercepted describes a real situation in which a cyber-criminal was plundered as a result of this vulnerability. "Dear colleagues, I'd like to hear all sorts of ideas regarding to [sic] security of Zeus. I've been using Zeus for over an year now, and while I managed to create a botnet of 100k infected hosts, someone hijacked it from me by adding a new user and changing my default layout to orange just to tip once he did it," the "victim" reports, according to a translation by Mr. Danchev.

After securing the directory permissions and applying all the available security patches for the Zeus command and control server, the phisher successfully regained control over a third of his former botnet, only to be hit again. The second attack led him to conclude that there was a more serious, underlying flaw in the crimeware kit. "In my opinion, a request was made to the database, either through an sql injection in s.php file or a request from within a user with higher privileges," the botnet runner writes.

The cyber-criminal goes on to offer what he calls his own "clever tips" to secure the tool. "Surreal? Not at all, given the existing monoculture on the crimeware market," Dancho Danchev adds. The security researcher also points out that a similar serious vulnerability has recently been identified in another crimeware kit known as Firepack.

These incidents raise a number of interesting ethical questions. Should vulnerabilities in crimeware be reported and treated with the same objectivity as the ones affecting other software? Should hacked hackers be considered victims and felt sorry for, or are such stories just examples of ironic twists of fate?

I guess that "What goes around, comes around" would be an appropriate conclusion for some, yours truly included.

TAGS: Zeus | crimeware kit | malware development | botnet hijacking | vulnerability

© Copyright 2001-2010 Softpedia

User opinions:


Comment #1 by: Michael on 03 Apr 2009, 17:03 GMT

Perhaps Law Enforcement could exploit these flaws to reclaim stolen information, etc.


Comment #2 by: Val on 06 Apr 2009, 17:12 GMT

After reading this article, I feel more vulnerable than ever about using the internet to do any of my information transactions. Since there are different levels of tech nerds doing their crime games leaving the rest of the "normal" population frustrated and angry.
Can't We Just Get Along, for once!!!

Comment #2.1 by: Lucian Constantin on 07 Apr 2009, 07:12 GMT

Hello Val,

Thank you for commenting on this article.

These "nerds" are no different than the thieves we face in real life. Granted, they are using the electronic equivalent of "lockpicks," but what drives them are the same easy monetary gains obtained through illegal means.

Now, thieves have existed since forever and most likely they will be around forever, as long as people have assets. Unfortunately, it's in the human nature. Therefore, we can't expect us to "just get along," because we will never do.

The real issue is to try and limit our losses. At the moment, stealing the financial data and implicitly the money of someone else online is much easier and harder to trace than breaking into someone's home and plundering their jewelry box, for example.

The anonymous and global nature of the Internet makes it more likely for you to be "robbed" online than in real life. That's the problem we need to tackle.
