Provider takedown guts Zeus infrastructure

The number of Zeus command-and-control servers dropped considerably after the takedown. The number of active Zeus domains plummeted from 249 on Monday to 181 the following day, according to the ZeusTracker. As of yesterday, the number had fallen to 149. Although Troyak-AS found a new upstream provider to get its offending ISPs back online, the number of servers continues to fall, albeit at a slightly lower rate.

"From a cyber criminal's perspective, such minor operational glitches don't undermine the business model," warned independent security consultant Dancho Danchev. "Sadly, it's more effective to build a new botnet, compared to trying to gain access to the old one." In short, we will be cutting the heads off the botnet Hydra for a while yet.

As one botnet died, another did its best to survive in the face of growing pressures. Koobface, a worm that has spread quickly through social networks, has undertaken a widescale refresh of its command-and-control server infrastructure, according to reports.

Kaspersky has found that command-and-control servers have shut down on average three times per day during the past two weeks. According to the company's researchers, the number of servers dipped from 107 on February 25 to as low as 71 on March 8. The number of servers then doubled in the course of two days.

Researchers at Kaspersky theorized that the operators of the Koobface botnet are monitoring their infrastructure in the same way that systems administrators do. "The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks," said Stefan Tanase, senior regional researcher, Kaspersky Lab EEMEA. "When the number of active C&C servers drops to a critical level, they seem to be ready to implement dozens of new ones."