Some Zeus Bots Still Active After Microsoft Takedown, FireEye Says

Microsoft and partners last month were able to take control of most C&C servers associated with the Zeus botnet, but several domains are still alive and active, according to FireEye.

Microsoft officials last month said they and several partners had taken over a major part of the infrastructure of the infamous Zeus botnet, seizing command-and-control servers in Illinois and Pennsylvania as part of what they called Operation b71.

However, security experts say that while the operation cut off the bulk of the botnet's command-and-control infrastructure, a few C&C domains remain in operation.

According to Atif Mushtaq of security software vendor FireEye's Malware Intelligence Lab, Microsoft took control of the majority of the command-and-control (C&C) domains associated with the Zeus botnet, rendering them ineffective. However, three domains remain in operation, including one used by a Zeus variant that has partially recovered from Microsoft's efforts and is known for rapidly rotating its C&C domains, Mushtaq said in a post on the FireEye blog.

"I am not sure why the MS Digital Crime Unit has not been able to sinkhole all the CnC domains," he wrote. "Their main concern should be the three active domains. Without these domains completely destroyed, this botnet cannot be officially declared as dead."

According to FireEye's count, the company has identified 156 Zeus C&C domains since January. In the Operation b71 "sinkhole" effort, Microsoft took over 147 of them; FireEye listed two more as dead and four as abandoned.

That leaves three domains still active, and infected PCs are still receiving commands from them, according to Mushtaq.
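As an added illustration (not FireEye's or Microsoft's tracking code), the following Python sketch shows how a domain inventory like the one above can be tallied and then checked against Mushtaq's criterion that a botnet is not dead while any C&C domain still serves commands. The status rules, the sinkhole address range and the sample resolution records are constructed assumptions; the placeholder domains and addresses use reserved documentation ranges.

```python
"""Tally C&C domain status for a botnet-tracking report and decide whether
the botnet can be declared neutralized.

Added example; the records, the sinkhole range and the status rules are
constructed assumptions, not FireEye's published methodology:
  sinkholed - the domain resolves into an address range run by the takedown party
  dead      - the domain no longer resolves (NXDOMAIN / expired)
  abandoned - the domain resolves elsewhere but issued no command in the window
  active    - the domain resolves elsewhere and issued a command in the window
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the range the takedown party points seized domains at.
SINKHOLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Resolution:
    domain: str
    address: Optional[str]   # None when the name no longer resolves
    command_seen: bool       # did the server issue a bot command in the window?


def classify(rec: Resolution) -> str:
    """Apply the status rules in priority order: dead, sinkholed, then live/idle."""
    if rec.address is None:
        return "dead"
    addr = ipaddress.ip_address(rec.address)
    if any(addr in net for net in SINKHOLE_NETS):
        return "sinkholed"
    return "active" if rec.command_seen else "abandoned"


def tally(records: List[Resolution]) -> Counter:
    """Count domains per status, the shape of the inventory quoted in the article."""
    return Counter(classify(r) for r in records)


def active_domains(records: List[Resolution]) -> List[str]:
    """The domains a takedown team still has to deal with."""
    return sorted(r.domain for r in records if classify(r) == "active")


def neutralized(records: List[Resolution]) -> bool:
    """Mushtaq's criterion: no domain may still be serving commands."""
    return not active_domains(records)


# Constructed sample shaped like the reported counts (147 sinkholed, 2 dead,
# 4 abandoned, 3 active); names and addresses are placeholders.
SAMPLE = (
    [Resolution(f"cnc-{i}.example", f"198.51.100.{i + 1}", False) for i in range(147)]
    + [Resolution(f"dead-{i}.example", None, False) for i in range(2)]
    + [Resolution(f"idle-{i}.example", f"203.0.113.{i + 10}", False) for i in range(4)]
    + [Resolution(f"live-{i}.example", f"192.0.2.{i + 10}", True) for i in range(3)]
)

if __name__ == "__main__":
    print(dict(tally(SAMPLE)), "neutralized:", neutralized(SAMPLE))
    for name in active_domains(SAMPLE):
        print("still active:", name)
```

The ordering in `classify` matters: a seized domain is counted as sinkholed even if a bot still polls it, because the sinkhole server answers but never issues commands, so the "active" label is reserved for infrastructure the criminals still control.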

Zeus harvested user names and passwords from infected PCs with a keylogger, enabling cyber-criminals to hijack victims' online identities. According to Microsoft officials, once a computer was infected, the malware recorded whatever the user typed, giving the criminals data ranging from financial-institution logins to e-commerce activity.

Microsoft officials estimated that about 13 million PCs worldwide were infected with Zeus, including 3 million in the United States. On March 19 the company filed a lawsuit in U.S. District Court against the people it says control the domains and IP addresses linked to Zeus botnets. The suit continues the software giant's pattern of using the courts against those running such operations, as it did with the Waledac, Rustock and Kelihos botnets.

Microsoft used a sinkhole operation to gain control of the C&C servers, so that infected PCs now reach infrastructure the company controls rather than the criminals', rendering the servers harmless to PC users. In a March 25 posting on The Official Microsoft Blog, Richard Domingues Boscovich, senior attorney for Microsoft's Digital Crimes Unit, said that for Operation b71, "we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware. Our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cyber-criminal organization that relies on these botnets for illicit gain."

Boscovich also acknowledged that Operation b71 was not a clean sweep of the botnet operation.

"We don't expect this action to have wiped out every Zeus botnet operating in the world," he wrote. "However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cyber-criminal underworld for quite some time."

A similar issue arose in another recent botnet takedown. Late last month, officials with security software maker Kaspersky Lab announced the takedown of the Kelihos (or Hlux) botnet in a sinkhole operation that also involved Dell SecureWorks and other security players. However, in the days afterward some security experts noted that they were still seeing new versions of Kelihos in the wild.

Kelihos had first been taken down in September 2011, but a new version was found earlier this year. After the second takedown, Kaspersky's researchers noted that the botnet's resurgence after the September operation showed how difficult it would be to eliminate Kelihos completely, and warned that it could rise again.