Tuesday, October 27, 2009

ZeuS and the recruitment power of botnets

As I have said on several occasions, ZeuS is one of the most "mediatic" botnets (hence one of the best known and most popular), one of the most aggressive in its criminal activity, and one with more advanced functions that allow phishing attacks, real-time monitoring of the zombies and collection of all that information through different protocols.

These aggressive activities are mainly methods for obtaining confidential information from compromised computers: some of the variants in the ZeuS family now ship with a wide range of fake pages of banks and financial institutions, used exclusively to collect information through phishing.

There is also a monitoring module through which the botmaster can see, in real time, absolutely everything that is done on the zombie PC (browsing, webmail services, banking, online chat, etc.), a serious threat that directly undermines confidentiality.

And although it may seem a trivial point to many, the mere fact that its developer has released a new version of ZeuS roughly once a month since 2007 is an important reason for its popularity in the underground.

Nevertheless, despite all this, the security implications implicit in these activities still don't seem to be valued at their true worth, not only in the case of ZeuS but of any of the crimeware alternatives that bombard the Internet daily with their criminal actions.

Perhaps what I will show next is key to understanding the true extent of the crime behind this type of activity. This is a ZeuS botnet with a short life span, but with a large number of recruited zombies swarming in its headquarters, under the tutelage of a "dealer", waiting for orders.

The following screenshot shows the zombies recruited only in Russia, in this case by the botmaster logged in under the name "russian". This information is obtained through the filtering option, limiting the search by the country's code (UK).

Now... one of the questions that often comes up when we talk about botnets is: what recruiting capacity do they have? Although the answer is relative, one could say that it has no limit, or that the limit is set by the capacity of the servers used by the botmasters.

But, following the example above, we have a sufficiently specific figure for the recruiting power that, in this case, the botmaster "russian" has.

In three (3) months of activity: 24,830 zombies. That is, almost 276 ZeuS infections per day. And if we follow the logic, statistically speaking, the number could quadruple over the year.

Furthermore, the ability to manage a botnet via the web also means that several can be administered at once, i.e. several botmasters can use the same web application (in this case ZeuS) to control "their" zombies. So the user "russian" shows significant activity, but we can also obtain information about their peers who manage zombies under the same domain.

For example, the user "system" has recruited 10,184 zombies, but over a period of 30 days: approximately 335 zombies per day. All through a single ZeuS botnet. Can you imagine how many ZeuS botnets are in the wild?

The least active botmaster has only 34 zombies, but in less than 1 hour.

In summary, regardless of how long one botnet or another has been active, the recruitment rate is very high.
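As an added illustration (not code from the original post), the following Python reproduces the per-operator recruitment arithmetic the post does by hand, but from individual check-in records rather than from totals read off the panel: it deduplicates repeat check-ins from the same bot, supports the country filter mentioned above, projects a yearly figure from the daily rate, and refuses to extrapolate a per-day rate from a window shorter than a day (which is why the 34-zombies-in-under-an-hour case should not be turned into a daily figure). The record layout, field names, operator names, bot ids and timestamps are assumptions constructed for the example, not the ZeuS panel's own export format.

```python
"""Recruitment-rate estimates for a botnet's operators.

Added example, not from the original post. The record layout, field names,
operator names and timestamps below are constructed for illustration; they
are not the ZeuS control panel's own export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed sample of bot check-ins: (operator, bot_id, country, first_seen)
SAMPLE_CHECKINS = [
    ("russian", "bot-0001", "RU", "2009-07-28T10:00:00"),
    ("russian", "bot-0002", "RU", "2009-08-15T09:30:00"),
    ("russian", "bot-0002", "RU", "2009-09-02T11:45:00"),  # same bot checking in again
    ("russian", "bot-0003", "UA", "2009-10-25T23:10:00"),
    ("system",  "bot-1001", "US", "2009-09-27T08:00:00"),
    ("system",  "bot-1002", "DE", "2009-10-12T14:20:00"),
    ("system",  "bot-1003", "RU", "2009-10-27T08:00:00"),
    ("newbie",  "bot-2001", "BR", "2009-10-27T12:00:00"),
    ("newbie",  "bot-2002", "BR", "2009-10-27T12:40:00"),
]

# Below this observation window a per-day rate is noise, not a trend.
MIN_WINDOW = timedelta(days=1)


@dataclass
class RecruitmentStats:
    operator: str
    bots: int                      # distinct bot ids seen
    window_days: float             # span between first and last check-in
    per_day: Optional[float]       # None when the window is shorter than MIN_WINDOW
    projected_year: Optional[int]  # naive linear extrapolation of per_day


def rate_from_totals(operator: str, bots: int, window_days: float) -> RecruitmentStats:
    """Build the stats from already-aggregated totals (e.g. a panel's summary line)."""
    if window_days < MIN_WINDOW / timedelta(days=1):
        # Too short to extrapolate; also avoids dividing by a zero-length window.
        return RecruitmentStats(operator, bots, window_days, None, None)
    per_day = bots / window_days
    return RecruitmentStats(operator, bots, window_days, per_day, round(per_day * 365))


def stats_per_operator(checkins: Iterable[tuple], country: Optional[str] = None) -> dict:
    """Aggregate raw check-ins into per-operator stats, optionally for one country code."""
    bots = defaultdict(set)
    first, last = {}, {}
    for operator, bot_id, cc, ts in checkins:
        if country is not None and cc != country:
            continue
        t = datetime.fromisoformat(ts)
        bots[operator].add(bot_id)  # repeat check-ins must not inflate the count
        first[operator] = min(first.get(operator, t), t)
        last[operator] = max(last.get(operator, t), t)
    return {
        op: rate_from_totals(op, len(ids), (last[op] - first[op]) / timedelta(days=1))
        for op, ids in bots.items()
    }


if __name__ == "__main__":
    # The post's own aggregate figures: 3 months / 24,830 bots and 30 days / 10,184 bots
    for op, n, days in (("russian", 24830, 90), ("system", 10184, 30)):
        s = rate_from_totals(op, n, days)
        print(f"{op}: {s.per_day:.0f}/day, ~{s.projected_year} over a year")
    for op, s in stats_per_operator(SAMPLE_CHECKINS).items():
        print(op, s)
```

Run against the post's totals, `rate_from_totals("russian", 24830, 90)` gives roughly 276 bots per day and a naive projection of about 100,700 over a year, which is the "could quadruple" the post arrives at; the per-record path is what you would use on your own sinkhole or takedown data, where the same bot reports many times and the observation window per operator is rarely a round number of days.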

This also means that prevention mechanisms aren't sufficiently effective; indeed, a recent study clearly shows that the evasion mechanisms ZeuS incorporates are effective enough against the detection mechanisms of many current anti-virus solutions.

However, looked at more rigorously, the fact that current malware incorporates increasingly effective self-defense mechanisms against anti-virus doesn't mean that anti-virus solutions aren't effective. Furthermore, not everything passes through the security solution, and much of the responsibility rests with the user since, ultimately and strictly speaking, a system doesn't infect itself.


Related information
ZeuS, spam and SSL certificates
Effectiveness of anti-virus against ZeuS
Special!! ZeuS Botnet for Dummies
Botnet. Hardening in the new version of ZeuS
Fusion. A concept adopted by current crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions in the sights of the Zeus botnet II
Financial institutions in the sights of the Zeus botnet I
LuckySploit, Zeus's right hand
ZeuS Botnet. Massive propagation of its trojan II
ZeuS Botnet. Massive propagation of its trojan I

Jorge Mieres
