Zeus evolution: Geographical attack locations

Despite having been around for four years, Zeus continues to be a thorn in the side of the IT security industry and its business users, mainly because of its constantly evolving profile.

This evolving profile is driven in part by the ease with which black hat hackers can develop the malware for new and varied applications, according to Amit Klein, CTO of Trusteer.

Ongoing research confirms the evolution of Zeus, with a growing number of Web sites that host Zeus variants, as well as the rising volume of networks hosting Command & Control servers for the Zeus botnet swarms.

Over the last four months Trusteer’s research teams have been analyzing the geographical IP distribution of sites hosting Zeus configurations.

Trusteer research shows that the US (39.8 per cent), Russia (21.6 per cent) and Ukraine (6.5 per cent) were the top three countries, with Eastern Europe accounting for 32.0 per cent of Zeus configurations.

That doesn’t mean other countries are off the hook, as China, Malaysia, Iraq and Canada – along with Germany, the UK and the Netherlands in the EU territories – are also responsible for Web sites with hosted Zeus environments.

The Trusteer research team have also analyzed which organizations/service providers have the dubious distinction of ranking high in the Zeus Command & Control (C&C) site stakes.

Analyzing 20 of the organizations that account for over half of the C&C controllers reveals that five of the 20 service providers – Informex, PAN-SAM Ltd., S.Point, LLC Management, and informationaland Delta-X LTD – are on the Ukrainian networks and responsible for 16 per cent of Zeus C&C servers.

Another five service providers are on the US networks and responsible for 14 per cent of Zeus C&C systems, with GoDaddy.com accounting for a hefty 5 per cent of American Zeus C&C sites.

Based on this research, our analysts tested the accessibility of sites used as a Zeus C&C platform.

The analysis of sites IP accessible over the last 80 days makes for some interesting reading, as 29 per cent were found to be US Web sites, with Ukraine (17 per cent) and Russia (14 per cent) once again joining the US on the Zeus hall of shame podium.

Delving into the research reveals some interesting data, such as the UK accounting for 6 per cent, and the rising technology nation of Poland accounting for 5 per cent of IP accessible C&C systems.

Equally surprising was the inclusion of Bosnia and Herzegovina in the ‘charts’ with three per cent – no mean feat for a country of 3.8 million citizens.

More than anything, these detailed statistics show that the `global Internet’ is fast becoming highly diversified, but the increasing usage of automated registration and servicing systems on the Internet means that human operator monitoring of hosted systems is become less frequent in those countries with good Internet access.

As well as driving the cost of hosting downwards, this has the worrying effect of making it all too easy to register and set up a C&C and/or Zeus-infected Web site plus allied systems, and using the platform to infect the general Internet user community.