Categories: PCSecurityWorkspace

Zeus Bots Remain Active Despite Microsoft Takedown

Last month Microsoft and its partners gained control of a major part of the infrastructure of the infamous Zeus botnet. This allowed them to shut down control-and-command centers in Illinois and Pennsylvania as part of ‘Operation b71.’

However, security experts are saying that while the operation effectively shut down the bulk of the bots, a few remain and are still in operation.

Still Twitching

According to Atif Mushtaq, with security software vendor FireEye’s Malware Intelligence Lab, Microsoft was able to take control of the majority of command-and-control (C&C) domains associated with the Zeus botnet, essentially rendering them ineffective.

However, three domains remain in operation, including one Zeus variant that has partially recovered from Microsoft’s efforts and that is known for quickly changing its (C&C), Mushtaq said in a post on the FireEye blog.

“I am not sure why the MS Digital Crime Unit has not been able to sinkhole all the CnC domains,” he wrote. “Their main concern should be the three active domains. Without these domains completely destroyed, this botnet cannot be officially declared as dead.”

According to FireEye’s count, since January, the company has found 156 C&C domains used by the Zeus botnet. In the Operation b71 “sinkhole” effort, Microsoft was able to take over 147 of the domains. FireEye listed two domains as dead and four others abandoned.

However, there are still three domains still active, and zombie PCs are still getting commands from them, according to Mushtaq.

Zeus malware used keylogging to access user names and passwords from a PC, enabling cyber-criminals to steal people’s online identities. According to Microsoft officials, once a computer was infected with the Zeus malware, it would start keylogging when a user typed on the keyboard. Through that, the criminals were able to steal data relating to everything from financial institutions to e-commerce activity.

Sinkhole Operation

Microsoft officials estimated that about 13 million PCs worldwide were infected by the Zeus malware, including 3 million in the United States. The company filed a lawsuit 19 March in US District Court against the people they claim have control of the domains and IP addresses linked to Zeus botnets. The lawsuit was part of a larger pattern by the software giant of using the courts to bring lawsuits against those running such operations, such as the Waledac, Rustock and Kelihos botnets.

Microsoft used a sinkhole operation to gain control of the C&C servers and render them harmless to PC users. In a 25 March posting on The Official Microsoft Blog, Richard Domingues Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, said that for Operation b71, “we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware. Our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cyber-criminal organization that relies on these botnets for illicit gain.”

Boscovich also admitted that Operation b71 was not a clean sweep of the botnet operation.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world,” he wrote. “However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cyber-criminal underworld for quite some time.”

A similar issue arose in another recent botnet takedown. Late last month, officials with security software maker Kaspersky Lab announced the takedown of the Kelihos – or Hlux – botnet, in a sinkhole operation that also included Dell SecureWorks and other security players. However, some security experts in the days afterward noted that they were still seeing new versions of Kelihos in the wild.

Kelihos had initially been taken down in September 2011, but a new version was found earlier this year. After the second takedown, security experts at Kaspersky noted that its resurgence after the September operation indicated it would be difficult to completely eliminate Kelihos, and warned that it could rise again.

How well do you know Internet security? Try our quiz and find out!

Jeffrey Burt

Jeffrey Burt is a senior editor for eWEEK and contributor to TechWeekEurope

Recent Posts

Google Jarvis AI Extension Leaked On Chrome Store

Seemingly accidental leak reveals Google is developing Jarvis AI extension that can browse the web…

2 days ago

Amazon Mulls New Multi-Billion Dollar Investment In Anthropic – Report

Amazon is reportedly in talks to pump billions of dollars more into AI start-up Anthropic,…

2 days ago

FTX’s Caroline Ellison Begins Her Two Year Prison Sentence

Star witness for the US prosecution of FTX founder Sam Bankman-Fried, has begun her two…

2 days ago

More Layoffs For iRobot Staff After Abandoned Amazon Deal

After axing 31 percent of its workforce when it failed to be acquired by Amazon,…

3 days ago

Mozilla Foundation Confirms Layoffs, Eliminates Advocacy Division

Mozilla Foundation axes 30 percent of its staff, and is eliminating its Advocacy Division that…

3 days ago

Google To Make MFA Mandatory Next Year

Improving security. Mandatory multi-factor authentication (MFA) is coming to the Google Cloud by the end…

3 days ago