Last week we learned that Microsoft managed to disrupt a major botnet powered by the infamous ZeuS Trojan. However, it turns out that they didn’t sinkhole all the command and control (C&C) servers, as three of them escaped the long arm of the Redmond company.
FireEye researchers analyzed the botnet targeted by Microsoft and provided some interesting information. It turns out that out of the 156 different C&C domains that the botnet used, Microsoft took out only 147 in Operation B-71.
Out of the nine C&Cs that remain, a couple were appointed as being dead because they didn’t resolve to any IP address, a number of four were abandoned by the cybercriminals, and the other three are still active.
From these three servers, isdfsrttyqza.c0m.li, mylemain.com and stockli.us, zombies are still receiving commands.
“I am not sure why the MS Digital Crime Unit has not been able to sinkhole all the CnC domains. Their main concern should be the three active domains. Without these domains completely destroyed, this botnet can not be officially declared as dead,” FireEye’s Atif Mushtaq wrote.
“I hope MS will take over these leftover domains soon in order to put that last nail in the coffin.”
This is not the first time the takedown of a botnet is not a complete success. At the end of March 2012, Kaspersky disabled 116,000 bots part of the new Kelihos botnet.
Two days later, Seculert experts found that Kelihos was alive and well, infecting computers using a Facebook worm that spread by advertising a so-called photo album.
Back in February, when Kaspersky came forward to reveal that the Kelihos botnet that was taken down in the fall of 2011 was resurrected, Microsoft rushed to clarify that it was a completely new one, not the one disrupted by them.
Hopefully, now they will also provide details regarding the remaining 3 servers.
We have reached out to Microsoft representatives to see if we can get some clarifications regarding the active C&Cs and we’ll return with more details once they are made available.
0 comments:
Post a Comment