Provider takedown guts Zeus infrastructure

11 March 2010

Yet another botnet suffered severe losses to its functionality this week, in what appears to be a growing campaign among the white hat community to take down these virulent networks. Troyak-AS, which was the upstream provider for the six worst Zeus hosting ISPs, has been taken offline.

The number of Zeus command-and-control servers dropped considerably after the takedown. The number of active Zeus domains plummeted from 249 on Monday to 181 the following day, according to the ZeusTracker. As of yesterday, the number had fallen to 149. Although Troyak-AS found a new upstream provider to get its offending ISPs back online, the number of servers continues to fall, albeit at a slightly lower rate.

"From a cyber criminal's perspective, such minor operational glitches don't undermine the business model," warned independent security consultant Dancho Danchev. "Sadly, it's more effective to build a new botnet, compared to trying to gain access to the old one." In short, we will be cutting the heads off the botnet Hydra for a while yet.

As one botnet died, another did its best to survive in the face of growing pressures. Koobface, a worm that has spread quickly through social networks, has undertaken a widescale refresh of its command-and-control server infrastructure, according to reports.

Kaspersky has found that command-and-control servers have shut down on average three times per day during the past two weeks. According to the company's researchers, the number of servers dipped from 107 on February 25 to as low as 71 on March 8. The number of servers then doubled in the course of two days.

Researchers at Kaspersky theorized that the operators of the Koobface botnet are monitoring their infrastructure in the same way that systems administrators do. "The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks," said Stefan Tanase, senior regional researcher, Kaspersky Lab EEMEA. "When the number of active C&C servers drops to a critical level, they seem to be ready to implement dozens of new ones."
