The takedown of some of the Zeus botnet's command and control (C&C) servers has been welcomed, but with a warning that the threat has not gone altogether.
Talking to SC Magazine, Palo Alto Networks' security analyst Wade Williamson said Microsoft is a company with cross-border offices and therefore has the capability to carry out takedowns with intelligence from other organisations – making it one of the few firms able to take part in this sort of operation.
He said: “Zeus is different though, it is not a monolithic botnet like others that have been taken down, as they have been singular spammers and, upon taking down the infrastructure, worldwide spam fell by 50 per cent. Zeus is a kit where you set up a server and build your own botnet. So this will not diminish.
“Attackers have shifted gear as monolithic botnets sent spam but got so big that they were limited by their size, but the owners do not care as they want to use that as a selling point. With a banking botnet, they want it to be small.”
Microsoft reported the takedown of two C&C servers in the US this week and was monitoring 800 domains secured in the operation. Richard Domingues Boscovich, senior attorney at Microsoft Digital Crimes Unit, said that due to the unique complexity of the targets, unlike its prior botnet takedown operations, the goal was not permanent shutdown.
“Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cyber criminal organisation that relies on these botnets for illicit gain,” he said.
Asked about the takedown of the C&Cs and how they would have been detected, Williamson said there are lots of versions for Zeus, and more sophisticated operators will have controllers in different countries to make dismantling more difficult.
“Zeus also uses peer-to-peer (P2P) to bounce communication, so tracking a botnet is even harder,” he said.
“Taking down a botnet will become harder, because takedowns are disrupting rather than taking it away. Kelihos came back after it was taken down, but it was related to Waledac so it looks like it was written by the same person. Zeus and Spyeye merged and are now written by the same person too, although they were different companies that were competing with each other.”