Talk:Zeus botnet trojan horse is back

Brian McNeil's predicament
How is this newsworthy? Benny the mascot (talk) 17:09, 24 April 2010 (UTC)
 * I added it to show an example. --Diego Grez let's talk 17:16, 24 April 2010 (UTC)


 * It should be removed from the title; Brian got hit is not the main story here. Brian's first-hand experience is the technology version of interviewing Diego about the Chilean earthquake. By the way, Diego: You're no longer MW! And you're unblocked on enWP!!! Blood Red Sandman (Talk) (Contribs) 17:26, 24 April 2010 (UTC)
 * Hey! I have moved it. Cheers. --Diego Grez let's talk 18:15, 24 April 2010 (UTC)

OR???
I would treat the last paragraph as OR. Please add the OR to the article and provide a statement below, along with sourcing for "E-mail accounts for accredited reporters have also been affected." Benny the mascot (talk) 18:24, 24 April 2010 (UTC)
 * Brian's statement was taken from the link on his userspace. The last sentence is based on http://en.wikinews.org/wiki/Wikinews:Admin_action_alerts#Update_on_my_main_account --Diego Grez let's talk 18:29, 24 April 2010 (UTC)
 * Thanks. Perhaps it might also help to describe what Wikinewsie actually is? Benny the mascot (talk) 18:35, 24 April 2010 (UTC)
 * Sure. --Diego Grez let's talk 18:41, 24 April 2010 (UTC)


 * I know considerably more about this evil P.O.S. than laid out in this article. All going well, I should be joining folks on IRC this evening for a full update. -- Brian McNeil (alt. account) /alt-talk • main talk 16:10, 25 April 2010 (UTC)

Additional information

 * One of the key components of a Zeus botnet infection is Win32/Alureon. There was an update to various antivirus databases for the latest version of this on 2010-04-17.
 * An additional component of the Zeus bundle is TR/Dldr.DNSChanger/WIN32.DNSChanger.Gen.
 * The botnet is generally accepted to be managed and expanded out of Russia and the Ukraine.
 * Via the black market, a DIY kit for setting up your own command node is available for around US$700.
 * The basic operation of the package is to act as a transaction logger. It can, relatively simply, be configured to capture the entry of login, password, bank, and credit card details. By reading the pages returned when you click to log on it can build a log of successful and failed transactions.
 * From the command node a botnet controller can 'push' updates and additional malware to infected equipment.

The Zeus "kit" that costs US$700 can, with an IT-savvy enough person, be configured to monitor access to any website and the transactions therein. In my case, this appears to have included the default Netgear router IP address (192.168.0.1). As a consequence, the router itself was compromised! Any attempt to log in to the router resulted in pages containing a JavaScript exploit being served up to the user. This exploit is/was one of those dealt with in the very latest release of Firefox.

Now, for ADSL Broadband services in the UK, people are connected to a big box in the exchange called a DSLAM. The older boxes are plain ADSL (supports up to 8Mbps), such as those predominantly used by BT. Other ISPs use other equipment, including ADSL2+ kit which supports up to around 22Mb (but only if you live right next door to the exchange). Where a non-BT ISP has no kit in your local exchange, the legislation enacted when BT was split up means that BT OpenReach (who manage the exchanges and engineering work) must offer access to the old ADSL equipment to any ISP. This is currently leading to the surprising situation where supermarkets can rent access to the equipment and "pretend" they are an Internet Service Provider. (Frankly, Tesco Value Home Broadband sounds like the most obscene joke on the planet: 'Up to 512Kbps speeds! Download limit, 3Gb/month. Price? Under £15/month.')

Oh, and someone infected with the Zeus botnet software? They're behind the firewalls in the exchange and can sit and hammer away at the up to 765 other people connected to the same box. Depending on the subnet, and how the ISP manages their network, the number of other broadband customers that could be attacked from within the network could be much higher (e.g. 2+ DSLAMs all on the same subnet after the firewall). -- Brian McNeil (alt. account) /alt-talk • main talk 17:37, 25 April 2010 (UTC)