February 3, 2011 By Amit Klein 3 min read

Despite having been around for several years, Zeus continues to be a thorn in the side of the IT security industry and its business users mainly because of its constantly-evolving profile. The ease with which black hat hackers can develop the malware for new and varied applications partially drives this evolving profile.

Our ongoing research here at IBM confirms the evolution of Zeus, with a growing number of websites that host Zeus variants as well as the rising volume of networks hosting command-and-control (C&C) servers for the Zeus botnet swarms. Over the last four months, IBM’s research teams have been analyzing the geographical IP distribution of sites hosting Zeus configurations.

The Geographical Breakdown of Zeus

Our research shows that the United States (39.8 percent), Russia (21.6 percent) and Ukraine (6.5 percent) were the top three host countries, with Eastern Europe accounting for 32 percent of Zeus configs. That doesn’t mean other countries are off the hook: China, Malaysia, Iraq and Canada, along with Germany, the United Kingdom and the Netherlands, are also responsible for websites with hosted Zeus environments.

Our research team has also analyzed which organizations/service providers have the dubious distinction of ranking high in the Zeus C&C site stakes. Analyzing 20 of the organizations that account for over half of the C&C controllers reveals that five of the 20 service providers — Informex, PAN-SAM Ltd., LLC Management and Information, S.Point and Delta-X LTD — are on the Ukrainian networks, responsible for 16 percent of Zeus C&C servers.

Another five service providers are on the U.S. networks and responsible for 14 percent of Zeus C&C systems, with GoDaddy.com accounting for a hefty 5 percent of American Zeus C&C sites. Based on this research, our analysts tested the accessibility of sites used as a Zeus C&C platform.

The analysis of IP-accessible sites over the last 80 days makes for some interesting reading: 29 percent were found to be U.S. Websites, with Ukraine (17 percent) and Russia (14 percent) once again joining the United States in the Zeus hall of shame. Delving into the research reveals some surprising data. For instance, the United Kingdom accounts for 6 percent, and the rising technology nation of Poland account for 5 percent of IP-accessible C&C systems. Equally surprising was the inclusion of Bosnia and Herzegovina on the charts with 3 percent — no mean feat for a country of just 3.8 million people.

Putting the IT Security Industry on Notice

More than anything, these detailed statistics show that the global Internet is becoming highly diversified very quickly, but the increasing usage of automated registration and servicing systems on the Internet means that human operator monitoring of hosted systems has become less frequent in those countries with good Internet access. While it drives the cost of hosting downward, the lack of monitoring makes it all too easy to register and set up a C&C and/or Zeus-infected website plus allied systems and use the platform to infect the general Internet-user community. IBM will continue to monitor and report the continuing evolution of Zeus and its many variant infections, detailing the results for our many friends in the IT security industry.

Thanks to Tanya Shafir from the IBM Security Trusteer research team for providing the data for this post.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today