Softpedia
 


July 21st, 2010, 14:35 GMT · By

ZeuS Cache Analysis Reveals Large Number of Compromised Government Computers

Zbot cache holds 1 GB of stolen data
Security researchers from antivirus vendor Sunbelt Software report finding a cache of information stolen by a ZeuS botnet. So far, an analysis of the data has revealed that many of the compromised hosts were inside the computer networks of various government agencies, Fortune 500 companies and other organizations handling sensitive information.

ZeuS, or Zbot (ZeuS bot), is a notorious information-stealing computer trojan that has been in operation for the past four years. The piece of crimeware has many variants and is among the tools most used by financial fraudsters to steal money from the bank accounts of people and organizations worldwide.

The ZeuS trojans are capable of functioning as botnet clients, which connect to a command and control (C&C) server to receive instructions and upload the stolen data. According to statistics from the ZeuS Tracker system operated by abuse.ch, there are around 1,500 Zbot C&C servers spread across the world, with almost half of them being online at any given time.

“Every once in a while, however, we stumble on server misconfigurations where the miscreant has (apparently) accidentally allowed access to the collected stolen data. During the past few days, our research team has been monitoring just that,” Adam Thomas, malware specialist at Sunbelt, says.

One particular cache that Sunbelt researchers located contained over one gigabyte of stolen information in plain text. Interestingly enough, the size of the ZeuS botnet responsible for this particular theft is quite small, counting a bit over 5,000 hosts.

However, the researchers' biggest surprise came when they looked into the location of the infected computers. “Most of the infected hosts appeared to be home users, [...] but there were a large number of infected hosts inside of state and federal government agencies; Fortune 500 and 100 companies; drug companies and even banks,” Mr. Thomas notes.

The antivirus company is now working with law enforcement to notify the affected parties. However, this incident is yet another example that this trojan is a real threat to businesses and consumers everywhere. Antivirus vendors also seem to have a hard time keeping up with it, with abuse.ch reporting an average antivirus detection rate for ZeuS binaries of around 45%.

You can follow the editor on Twitter @lconstantin
