A Warning to the IT Security Industry: Zeus Continues to Evolve

February 3, 2011
| |
3 min read

Despite having been around for several years, Zeus continues to be a thorn in the side of the IT security industry and its business users mainly because of its constantly-evolving profile. The ease with which black hat hackers can develop the malware for new and varied applications partially drives this evolving profile.

Our ongoing research here at IBM confirms the evolution of Zeus, with a growing number of websites that host Zeus variants as well as the rising volume of networks hosting command-and-control (C&C) servers for the Zeus botnet swarms. Over the last four months, IBM’s research teams have been analyzing the geographical IP distribution of sites hosting Zeus configurations.

The Geographical Breakdown of Zeus

Our research shows that the United States (39.8 percent), Russia (21.6 percent) and Ukraine (6.5 percent) were the top three host countries, with Eastern Europe accounting for 32 percent of Zeus configs. That doesn’t mean other countries are off the hook: China, Malaysia, Iraq and Canada, along with Germany, the United Kingdom and the Netherlands, are also responsible for websites with hosted Zeus environments.

Our research team has also analyzed which organizations/service providers have the dubious distinction of ranking high in the Zeus C&C site stakes. Analyzing 20 of the organizations that account for over half of the C&C controllers reveals that five of the 20 service providers — Informex, PAN-SAM Ltd., LLC Management and Information, S.Point and Delta-X LTD — are on the Ukrainian networks, responsible for 16 percent of Zeus C&C servers.

Another five service providers are on the U.S. networks and responsible for 14 percent of Zeus C&C systems, with GoDaddy.com accounting for a hefty 5 percent of American Zeus C&C sites. Based on this research, our analysts tested the accessibility of sites used as a Zeus C&C platform.

The analysis of IP-accessible sites over the last 80 days makes for some interesting reading: 29 percent were found to be U.S. Websites, with Ukraine (17 percent) and Russia (14 percent) once again joining the United States in the Zeus hall of shame. Delving into the research reveals some surprising data. For instance, the United Kingdom accounts for 6 percent, and the rising technology nation of Poland account for 5 percent of IP-accessible C&C systems. Equally surprising was the inclusion of Bosnia and Herzegovina on the charts with 3 percent — no mean feat for a country of just 3.8 million people.

Putting the IT Security Industry on Notice

More than anything, these detailed statistics show that the global Internet is becoming highly diversified very quickly, but the increasing usage of automated registration and servicing systems on the Internet means that human operator monitoring of hosted systems has become less frequent in those countries with good Internet access. While it drives the cost of hosting downward, the lack of monitoring makes it all too easy to register and set up a C&C and/or Zeus-infected website plus allied systems and use the platform to infect the general Internet-user community. IBM will continue to monitor and report the continuing evolution of Zeus and its many variant infections, detailing the results for our many friends in the IT security industry.

Thanks to Tanya Shafir from the IBM Security Trusteer research team for providing the data for this post.

Tags: 
 |  |  | 
Amit Klein
CTO, Trusteer, an IBM company

As Trusteer’s CTO, Amit Klein is responsible for researching and introducing game changing technologies into Trusteer’s products, with particular focus o...
read more