In February 2011, we successfully collaborated with CDMON, a registrar, to gain control of a ZeuS botnet command-and-control (C&C) server, thereby rendering it ineffective. Our success gave us the opportunity to capture valuable research information about the bot (compromised computer) types under its control.
ZeuS is a notorious crimeware toolkit that is prolifically used by cybercriminals to instigate monetary and online banking information theft.
ZeuS does not, however, refer to a single botnet. Instead, it refers to a collection of botnets created and controlled by multiple cybercriminals using variations of the same toolkit and malware family—ZeuS.
The information we collected will help us in our mission to better protect users while providing valuable insights into the types of information cybercriminals steal.
In our sinkholing activity, we found that over 95 percent of the inbound requests to the C&C server came from South America, particularly from Mexico. This indicates that the bot may have originated from Latin America or was created using the Spanish language. Its creator may have decided to target banks in Mexico and Chile as well, as these often still used single-factor authentication to secure their customers’ accounts.
While this particular botnet targeted Mexico, it’s worth noting that there is at least one comparable botnet targeting every major developed nation in the world.
Of course, some countries are more likely to be targeted than others—population, Internet access, language, social trends, and other factors have an effect. Remember, all that stands between a cybercriminal and a botnet targeting a country of his choice is a few hundred dollars worth of toolkits.
For further information regarding the data we analyzed and how we successfully sinkholed this botnet’s C&C server, read our technical paper, “Sinkholing Botnets.”