Trend Micro “Sinkholes” C&C Server of Zeus Botnet
Trend Micro, the anti-virus security firm, declared on March 31, 2011, that it had killed, or in its own terms "sinkholed", one C&C (command-and-control) server of the Zeus botnet.
Rainer Link and David Sancho, senior threat investigators at Trend Micro, wrote in their white paper titled "Sinkholing Botnets" that by partnering with CDmon, the Web-domain registrar from which the cyber-criminals had bought the Zeus domain name, the company was able to take control of the command-and-control server and render it useless. Zdnetasia.com published this on March 31, 2011.
The investigators also wrote that, through this operation, Trend Micro acquired valuable data that the cyber-criminals had been collecting.
For instance, when the company analysed the C&C server's Web traffic, it found that 95% of all queries arriving at the server came from South American countries, especially Mexico. Further, most of the queries from Mexico came from its capital city, followed by Baja California and Jalisco elsewhere in the country.
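The traffic analysis described above, as an added example that is not from Trend Micro's paper: a defender who controls a sinkholed C&C domain sees every bot check-in in the Web server's access log, so the first triage step is to attribute the queries by country and to enumerate the distinct infected hosts for victim notification. The log lines, URL paths and IP-to-country table below are all constructed (documentation address ranges, not real victims).

```python
import ipaddress
import re
from collections import Counter

# Constructed sinkhole access-log lines in common log format.
SINKHOLE_LOG = """\
192.0.2.10 - - [31/Mar/2011:10:01:02 +0000] "GET /config HTTP/1.1" 200 512
192.0.2.11 - - [31/Mar/2011:10:01:05 +0000] "POST /report HTTP/1.1" 200 0
192.0.2.10 - - [31/Mar/2011:10:03:02 +0000] "POST /report HTTP/1.1" 200 0
198.51.100.7 - - [31/Mar/2011:10:04:10 +0000] "GET /config HTTP/1.1" 200 512
203.0.113.5 - - [31/Mar/2011:10:05:00 +0000] "GET /config HTTP/1.1" 200 512
"""

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "MX"),
    (ipaddress.ip_network("198.51.100.0/24"), "CL"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# client IP, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def country_of(ip):
    """Longest-match lookup of an address in the constructed geo table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def triage(log_text):
    """Return (per-country share of queries in %, set of distinct bot IPs)."""
    hits = Counter()
    bots = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        ip = m.group(1)
        hits[country_of(ip)] += 1
        bots.add(ip)
    total = sum(hits.values())
    share = {cc: round(100 * n / total, 1) for cc, n in hits.items()}
    return share, bots
```

Each unique IP is one infected host to notify; the country shares are what produced the "95% from Mexico" figure in the real investigation.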
This suggests that the Zeus botnet possibly originated in Latin America, or that Spanish was the language used in creating it, the investigators observed.
The investigators further observed that the Zeus builders probably chose to attack banks in Chile and Mexico because those financial institutions frequently still relied on single-factor authentication to protect clients' accounts.
Elsewhere, the investigators stated that, given the lack of consistency among the targeted financial institutions and the locations of the infected PCs, it was evident that the bot-controller had simply set up one default configuration while distributing the Zeus Trojan within his local territory. That suggested he was not yet very skilled, the investigators added. Informationweek.com published this on March 31, 2011.
Finally, according to the paper, the Zeus-tracking website, which tracks over 500 Zeus command-and-control systems worldwide and also provides a domain and Internet Protocol blocklist, indicates that 44 or more active Zeus command-and-control servers exist in Russia, 35 in the USA, 29 in Romania and 28 in Ukraine. This in turn indicates that despite Zeus morphing into SpyEye, its earlier rival, cyber-criminals continue to use the original Zeus-building toolkit.
SPAMfighter News - 12-04-2011