A Zeus hacker cabal has infected itself and its colleagues with a rival malware in an act of poetic justice noticed by RSA researcher Lior Ben-Porat.
The blackhat developed a custom Zeus panel for the infamous trojan by the same name which was found compromised Ramnit worm.
Ben-Porat says the malware muck up happened after the Zeus hacker created the panel on a machine they did not realise was infected with and spreading Ramnit.
“RSA research recently investigated a customised version of the Zeus Robot Admin panel called Zeus Panther, and discovered an unusual 'add-on' to the application [which] contained a VB script that drops a file named svchost.exe into the system," Ben-Porat says in a post.
“... we initially thought it might be a case of fraudster versus fraudster, where the botmaster used this VBS script as a protective mechanism – to infect anyone that tries to work their way into the admin panel.
“Our researchers came to the conclusion that this particular copy of Zeus Panther was saved onto a fraudster’s personal computer that had been infected by a Ramnit variant, and by uploading the Zeus Panther admin panel from his infected machine, he unknowingly spread the Ramnit worm on his panel’s installation page.”
Ramnit is a fading piece of internet trash that should be picked up by most antivirus systems, a piece of security defence that vxers might choose not to install for obvious reasons.
Ben-Porat says it demonstrates the failures made by a class of developer who should know better and shows they are just as open to infection as the rest of us. Late last year a team of FireEye researchers illustrated, to the amusement of attending white hats, some of the worst failures malware writers had made over the preceding year.
They showcased malware writers who went to extraordinary lengths writing complex code when simple strings would suffice, locked themselves out of their own backdoors, and impressive and expensive malware left in plain sight for researchers to find and eradicate. ®