In association with heise online

11 May 2009, 17:08

A Zeus botnet self-destructs


According to information which only recently came to light, in early April a botnet consisting of an estimated 100,000 PCs apparently destroyed itself – as its control server sent out a command that made Windows inoperable. The botnet was based on the Zeus botnet tool kit, which allows criminals to infect and subsequently remotely control users' PCs. The Zeus tool kit can be purchased for only a few hundred dollars.

According to the analyses by S21sec specialists, a drone deletes the HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\Software and HKEY_LOCAL_MACHINE\System Windows registry paths as soon as it receives a kill command from the server. The drone then overwrites the virtual memory of Windows with zeros. This makes the operating system inoperable.

Such self-destruct mechanisms don't appear to be a new thing with bots, and especially not with banking trojans. In the case of banking trojans, after a criminal has obtained the victim's access credentials and/or PINs and TANs, the mechanism cuts victims off from the internet to prevent them from monitoring the subsequent transactions on their accounts. In addition, it allows criminals to at least partially remove the traces of their activities – although the malware's binaries often remain on the computer.

Several possible scenarios have been developed to explain the complete self-destruction. It could be that the Zeus control server was taken over by a hostile gang. So far, however, the information about the destruction is exclusively based on the observations made by Swiss anti-spam activist Roman Hüssy. Hüssy operates the ZeusTracker website, monitoring several Zeus control servers used by various gangs of criminals. Hüssy says he observed a ZeuS server he was monitoring send out the kill command to the 100,000 bots on the 8th of April. In interviews with the US media, Hüssy ventured the guess that the botnet operators may have destroyed their own botnet by accident. According to the activist, the operators tend to be neither very educated nor very capable people.

