Researchers at Trusteer have uncovered a large botnet of 100,000 computers built using a variant of the Zeus malware. Almost all of the infected bots are in the United Kingdom, according to Trusteer. After infecting the computers with Zeus 2, the botnet pilfered all kinds of user data, ranging from log-in information for banks to credit and debit card numbers and browser cookies.
Trusteer discovered the breadth of the botnet after gaining access to the botnet's drop servers and command and control center, and is sharing its findings with U.K. law enforcement agencies.
"This is just one out of many Zeus 2 botnets operating all over the world," said Amit Klein, Trusteer's chief technology officer, in a statement. "What is especially worrying is that this botnet doesn't just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users' online accounts.

"Coupled with the ability to remotely control users' machines, download data and run any file on them, this means that the fraudsters can insert partial or complete Internet pages into a live Web session, enabling them to inject transactions at will or extract even more data from the hapless victims," he added.
According to Trusteer, the botnet's command interface provides three main functions. The first is the ability to monitor the botnet's growth with statistics and graphs that show the total number of bots, their distribution, newly added bots, count of active bots, etc. The second is a search function over all traffic generated by the bots. The botnet captures all HTTP and HTTPS traffic from infected computers and stores it in a central MySQL database, the researchers found. The search tool allows the crew to pull information from that database, such as credentials for a specific institution. The third function allows the criminals to push updates and other executables to specific bots or to the entire botnet.
To Klein, the botnet is another example of regional malware attacks, with cybercriminals launching targeted and segmented attacks on the users of one institution and then moving on to another regional bank as the previous institution ramps up its defenses.
"It's important to realize that, despite its size, this is just one of many Zeus botnets operating all over the world," said Mickey Boodaei, Trusteer's CEO, in a statement. "Its size and controllable actions are a clear demonstration of the increasing sophistication of cybercriminal gangs and how they can harness the power of drive-by downloads, spam and general phishing trawls to create such a large swarm. Zeus has become one of the most prevalent botnet Trojans in the history of online fraud. … Banks need to continue implementing multiple layers to detect, resist, and de-activate malware attacks and tightly integrate these layers together."