By Stacy Shelley | September 7, 2010
While investigating an instance of the Zeus Trojan that was using the Avalanche bulletproof hosting botnet, PhishLabs discovered that many of the domain names referenced in the Zeus configuration file had not yet been registered, including the following four:
- eitaepiephohthieleibesha.com
- llakjshbeyrv3421jbs88xc.com
- nmbnxcbjbh3hbhbdhjb3l4kjbn.com
- nzytgero34xbhsbc8484kk.com
PhishLabs registered the domains, pointed them at a server under our control, and began logging the requests that arrived. Analyzing that data taught us a number of interesting things.
This particular Zeus Trojan had infected approximately 270,000 systems. That figure is based on the number of unique IP addresses observed and is only a rough approximation: the address of a home broadband connection can change over time, so one infected system may be counted more than once, while in other cases many systems share a single address behind a corporate gateway or an ISP's NAT, so several infected systems are counted only once.
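The registration-and-logging step above, carried through to the counting, as an added example that is not PhishLabs' code. It takes web-server access logs in a vhost-prefixed combined format, keeps only requests whose Host header is one of the four sinkholed domains, and reports unique source IPs overall and per domain. It also flags one IP presenting several User-Agents as a likely gateway or NAT (the IP count undercounts the hosts behind it); it cannot detect the opposite error, a single bot reappearing from a new dynamic address, because plain HTTP logs carry no bot identifier. The log lines, request paths and netblocks are constructed for the example and use documentation IP ranges.

```python
"""Sinkhole log triage for the registered-but-unused Zeus C2 domains.

Added example, not PhishLabs code. Parses vhost-prefixed combined-format
access logs, keeps requests to the sinkholed domains, and produces the
unique-IP figures plus a NAT indicator that makes them only approximate.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The four unregistered domains taken from the Zeus configuration file.
SINKHOLE_DOMAINS = {
    "eitaepiephohthieleibesha.com",
    "llakjshbeyrv3421jbs88xc.com",
    "nmbnxcbjbh3hbhbdhjb3l4kjbn.com",
    "nzytgero34xbhsbc8484kk.com",
}

# Vhost-prefixed combined log format:
#   <host> <ip> - - [<timestamp>] "<request>" <status> <bytes> "<referer>" "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, invented request paths).
# 203.0.113.10 hits two sinkholed domains (counted once overall),
# 198.51.100.7 shows two different User-Agents (NAT/gateway hint),
# 192.0.2.200 is scanner noise with no sinkholed Host header,
# and the last line is malformed.
SAMPLE_LOG = """\
eitaepiephohthieleibesha.com 203.0.113.10 - - [07/Sep/2010:10:01:02 +0000] "GET /cfg.bin HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
llakjshbeyrv3421jbs88xc.com 203.0.113.10 - - [07/Sep/2010:10:01:03 +0000] "GET /cfg.bin HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
nmbnxcbjbh3hbhbdhjb3l4kjbn.com 198.51.100.7 - - [07/Sep/2010:10:02:11 +0000] "POST /gate.php HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
nmbnxcbjbh3hbhbdhjb3l4kjbn.com 198.51.100.7 - - [07/Sep/2010:10:02:15 +0000] "POST /gate.php HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
nzytgero34xbhsbc8484kk.com 192.0.2.44 - - [07/Sep/2010:10:03:40 +0000] "GET /cfg.bin HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- 192.0.2.200 - - [07/Sep/2010:10:04:00 +0000] "GET / HTTP/1.0" 400 0 "-" "masscan/1.0"
this line is not in log format and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Summarise sinkhole hits: unique IPs overall, per domain, and NAT suspects."""
    ips_per_domain = defaultdict(set)
    uas_per_ip = defaultdict(set)
    ignored = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] not in SINKHOLE_DOMAINS:
            ignored += 1  # malformed lines and scanner / wrong-vhost noise
            continue
        ips_per_domain[rec["host"]].add(rec["ip"])
        uas_per_ip[rec["ip"]].add(rec["ua"])
    return {
        # A bot that contacts several of the domains is still one infection.
        "unique_ips": set().union(*ips_per_domain.values()),
        "per_domain": {d: len(s) for d, s in ips_per_domain.items()},
        # Several User-Agents from one IP suggest a gateway or NAT in front
        # of more than one host, so the IP count is a lower bound there.
        "nat_suspects": {ip for ip, uas in uas_per_ip.items() if len(uas) > 1},
        "ignored_lines": ignored,
    }


def hits_in_networks(unique_ips, cidrs):
    """Select the sinkhole hits inside a client's netblocks, for notification."""
    nets = [ip_network(c) for c in cidrs]
    return sorted(ip for ip in unique_ips if any(ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"unique infected IPs: {len(summary['unique_ips'])}")
    for domain, count in sorted(summary["per_domain"].items()):
        print(f"  {domain}: {count}")
    print(f"NAT suspects: {sorted(summary['nat_suspects'])}")
    print(f"ignored lines: {summary['ignored_lines']}")
    # Hypothetical client netblock used only to show the notification filter.
    print("client hits:", hits_in_networks(summary["unique_ips"], ["198.51.100.0/24"]))
```

On the sample the script reports three unique infected addresses even though five requests reached the sinkholed domains, and singles out 198.51.100.7 as an address that probably fronts more than one host. The same two corrections, in opposite directions, are why a figure like 270,000 should be read as an order of magnitude rather than a head count.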
Infected users were spread across a broad geographic area. We were not able to determine the original infection vector, but given that distribution we suspect it was not a targeted email campaign; more likely drive-by exploits or a similar technique were used to infect any system that could be reached.
PhishLabs has reported the IP addresses of infected systems to our clients and has now redirected these domains to our friends at Shadow Server, who are helping get the data out to the right service providers.