Security firm Trusteer uncovered a 100,000-strong botnet swiping banking credentials, credit card information and other data from Windows users.
Researchers at Trusteer have uncovered a large botnet of 100,000 computers
built using a variant of the Zeus malware.
Almost all of the infected bots are in the United
Kingdom, according to Trusteer. After
infecting the computers with Zeus 2, the botnet pilfered all kinds of user
data, ranging from log-in information for banks to credit and debit card
numbers and browser cookies.
Trusteer discovered the breadth
of the botnet
after gaining access to the botnet's drop servers and command
and control center, and is sharing its findings with U.K.
law enforcement agencies.
"This is just one out of many
Zeus 2 botnets
operating all over the world," said Amit Klein,
Trusteer's chief technology officer, in a statement. "What is especially
worrying is that this botnet doesn't just stop at user IDs and passwords. By
harvesting client side certificates and cookies, the cybercriminals can extract
a lot of extra information on the user that can be used to augment their
illegal access to those users' online accounts.
"Coupled with the ability to remotely control users' machines, download
data and run any file on them, this means that the fraudsters can insert
partial or complete Internet pages into a live Web session, enabling to inject
transactions at will or extract even more data from the hapless victims,"
According to Trusteer, the
botnet's command interface
allows three main functionalities. One is the
ability to monitor the botnet's growth with statistics and graphs that show the
total number of bots, their distribution, newly added bots, count of active
bots, etc. The other is a search function on all traffic generated by the bots.
The botnet captures all HTTP and HTTPS traffic from infected computers and
stores it in a central MySQL database, the researchers found. The search tool
allows the crew to pull information from that database, such as credentials for
a specific institution. The final piece of functionality allows criminals to
push updates and other executables to specific bots or to the entire botnet.
To Klein, the botnet is another example of regional malware attacks, with
cyber-criminals launching targeted and segmented attacks on users one day and
then moving onto another regional bank as the previous institution ramps up
"It's important to realize that, despite its size, this is just one of
many Zeus botnets operating all over the world," said Mickey Boodaei,
Trusteer's CEO, in a statement. "Its
size and controllable actions are a clear demonstration of the increasing
sophistication of cybercriminal gangs and how they can harness the power of
drive-by downloads, spam and general phishing trawls to create such a large
swarm. Zeus has become one of the most prevalent botnet Trojans in the history
of online fraud. ... Banks need to continue implementing multiple layers to
detect, resist, and de-activate malware attacks and tightly integrate these