Dancho Danchev wrote about a vulnerability "found in Zeus":http://ddanchev.blogspot.com/2008/06/zeus-crimeware-kit-vulnerable-to.html, a crimeware kit circulating widely. Danchev explains:
bq. The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, 'Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information'.
bq. The implications of this flaw are huge, since, what used to be the practice of hijacking someone's misconfigured botnet a couple of years ago, is today's hijacking of the malware campaign's command and control interface, which on the majority of occasions is left accessible to everyone - including independent researchers and the security community.
The Zeus Trojan kit is "available on the market":http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html for around $700, and Danchev writes in a previous post that the Zeus kit has been used more than 150 times and attacks around 4,000 computers per day. Just as popular software attracts unwanted attention from hackers, the prominence of this badware drew increased attention from the security community, which led to the discovery of this vulnerability.
In an additional twist, the "Russian Business Network":http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Russian%20Bus..., which has been associated with the creation and distribution of the Zeus kit, is actively working to protect its intellectual property from security companies and their customers. RBN has threatened to "sue security companies":http://www.wired.com/politics/security/news/2007/10/russian_network for blacklisting its products.
The RBN even "includes an EULA":http://arstechnica.com/news.ars/post/20080428-malware-authors-turn-to-eu... when they sell the crimeware kit:
bq. The help section of the latest version of the Zeus malware states that the client has no right to distribute Zeus in any business or commercial purpose not connected to the initial sale, cannot examine the source code of the product, has no right to use the product to control other botnets, and cannot send the product to anti-virus companies.
The RBN threatens to release information on their customers if they violate this agreement and to require customers to purchase future updates. Would they pursue lawsuits against bot herders who modify their software kit without permission?
"Danchev asks":http://ddanchev.blogspot.com/2008/06/zeus-crimeware-kit-vulnerable-to.html what would happen if the security community began unethically pen-testing the Zeus network in order to estimate the size of the botnet. Would the RBN seek to protect its intellectual property, thereby claiming ownership of the Russian Business Network infrastructure (botnet) in order to sue trespassing parties? As crimeware becomes more commercialized, badware authors have more at stake in protecting their investments in intellectual property and infrastructure. It will be interesting to see how the current legal structure can be applied to regulate the development of the malware industry.