Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created from the famous Zeus toolkit. This effort was part of the so-called Operation B-71.
When I heard this news, the first thing I wanted to find out was whether these botnets have been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting and protecting our customers from most of this malware.
There was one thing that caught my attention during this investigation. One botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its CnCs.
Recently, this botnet has been seen communicating like this:
POST /config.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Since Jan 2012 we have observed around 156 different CnC domains actively used by this botnet. As part of Operation B-71, Microsoft took over most of these CnCs.
Here is the status of these CnC domains at the time of writing this article on March 29, 2012.
Active/alive domains = 3
Both the domain and the IP are alive, and zombies are getting commands. List: isdfsrttyqza.c0m.li, mylemain.com and stockli.us
Dead domains = 2
There are two domains which are no longer resolving to any IP address.
List: updater.vpsq.net and zkhfwie2.com
Abandoned domains = 4
These domains are resolving to an active A address, but the CnC component is no longer active.
List: 9iy.ru, ecommerceone.ru, enroll.hess.com and reflectivelayer.com.
Domains under MS control = 147
These domains are sinkholed and are pointing to two MS owned IP addresses 184.108.40.206 and
List: achyroransib.co, achyroransib.com, amersterin.co, amersterin.com, ........
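The domain statuses above matter for triage on the defender's side: a host still checking in to one of the three live domains is receiving commands, while a host hitting the sinkhole is infected but cut off. The following is an added example, not part of the original post, that sorts beaconing clients that way from proxy logs. The log format, client addresses and non-sinkhole destination IPs are constructed assumptions; the domains, the POST /config.php pattern and the sinkhole IP are the ones quoted in this article.

```python
import re

# Values taken from the article: the three domains it lists as still active
# and the one sinkhole IP it gives (the second address is missing on the page).
ACTIVE_CNC = {"isdfsrttyqza.c0m.li", "mylemain.com", "stockli.us"}
SINKHOLE_IPS = {"184.108.40.206"}

# Constructed proxy-log format (an assumption): client, dest IP, then the request.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<dst_ip>\S+) "(?P<method>[A-Z]+) '
    r'http://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/\S*) HTTP/1\.[01]"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.7 "POST http://mylemain.com/config.php HTTP/1.1"
10.0.0.9 184.108.40.206 "POST http://achyroransib.com/config.php HTTP/1.1"
10.0.0.9 184.108.40.206 "POST http://amersterin.co/config.php HTTP/1.1"
10.0.0.12 198.51.100.20 "GET http://example.org/index.html HTTP/1.1"
10.0.0.5 203.0.113.7 "POST http://MYLEMAIN.com./config.php HTTP/1.1"
this line is malformed and must be skipped
"""

def triage(log_text):
    """Return {client: "live-cnc" | "sinkholed" | "unknown-dest"} for beaconing hosts."""
    rank = {"unknown-dest": 0, "sinkholed": 1, "live-cnc": 2}
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line
        if m["method"] != "POST" or m["path"].split("?")[0] != "/config.php":
            continue  # not the check-in pattern quoted in the article
        host = m["host"].lower().rstrip(".")  # normalise case and trailing dot
        if host in ACTIVE_CNC:
            status = "live-cnc"
        elif m["dst_ip"] in SINKHOLE_IPS:
            status = "sinkholed"
        else:
            status = "unknown-dest"  # same request shape, destination not classified
        # Keep the most urgent status seen for each client.
        if rank[status] >= rank.get(result.get(m["client"]), -1):
            result[m["client"]] = status
    return result

if __name__ == "__main__":
    for client, status in sorted(triage(SAMPLE_LOG).items()):
        print(client, status)
```

Clients reported as "unknown-dest" matched only the request shape, which is generic on its own, so they need a manual look before being treated as infected.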
I am not sure why the MS Digital Crime Unit has not been able to sinkhole all the CnC domains. Their main concern should be the three active domains. Without these domains completely destroyed, this botnet cannot be officially declared as dead.
I hope MS will take over these leftover domains soon in order to put that last nail in the coffin.