Mostly UK users affected

Aug 4, 2010 16:12 GMT  ·  By

Security researchers from Trusteer, a provider of anti-fraud solutions for financial institutions, have commandeered a 100k-strong botnet based on the latest version of the ZeuS crimeware. The botnet was being used for financial fraud and mainly targeted UK users.

ZeuS, otherwise known as Zbot, is one of the most sophisticated information-stealing trojans. The crimeware is extremely popular because it is sold as a toolkit that fraudsters can use to generate their own custom variant of the malware, tailored to their particular needs.

Botnets based on ZeuS 2, like the one found by Trusteer, are much harder for security researchers to commandeer, because this version of the trojan contains security features designed specifically to thwart such efforts. Fortunately, in this case the fraudsters, whom the security company believes to be based in Eastern Europe, failed to make full use of them.

"The cybercrime servers were hidden but the hackers were not using a lot of security, so it was possible to find a way into the database," Mickey Boodaei, Trusteer's CEO, commented for The Register. "What is especially worrying is that this botnet doesn't just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users' online accounts," Amit Klein, the company's chief technology officer explained.

As much as 98% of the 100,000 infected computers forming the botnet were located in the United Kingdom, suggesting that the fraudsters running this operation were specifically targeting UK computer users. Trusteer is working with British authorities to identify the affected people and has forwarded the C&C server's access logs to the Metropolitan Police.

"It's important to realize that, despite its size, this is just one of many Zeus botnets operating all over the world. Its size and controllable actions are a clear demonstration of the increasing sophistication of cybercriminal gangs and how they can harness the power of drive-by downloads, spam and general phishing trawls to create such a large swarm," concluded Mr. Boodaei.

You can follow the editor on Twitter @lconstantin