Monday, January 30, 2012

Attackers Moving Zeus Servers to Former Soviet Union TLD

Via Threatpost -

The groups of attackers that employ the Zeus toolkit for their scams and malware campaigns have long used sites in the .ru Russian TLD as homes for their botnet controllers. Security researchers and law enforcement agencies have had a difficult time making headway in getting these domains taken down, but now it seems that some changes in the way that the Russian organization in charge of the .ru domain is enforcing rules for fraudulent domains is forcing attackers to move to a long-forgotten TLD owned by the former Soviet Union.

Botherders tend not to be too picky about where they locate their command-and-control servers. Any domain and hosting provider that will leave them alone typically fits the bill. For the past few years, that description has fit many domains in the Russian TLD, as well as many others in smaller Eastern European countries that haven't dedicated a lot of resources to rooting out these C&C servers. Security researchers have known for a long time where the C&C servers are and have been exposing them online, and the attackers will change the location of those servers frequently in response to takedowns or other actions.

Now it appears that some of the Zeus attack crews are moving away from the .ru TLD altogether and migrating to the .su TLD, which was the property of the former Soviet Union. According to statistics on the Zeus Tracker site, three of the Zeus C&C servers with the longest uptimes are currently running on .su domains. Also, two of the C&Cs with the most files online are on .su domains.

[...]

Since the demise of the Soviet Union, the .su TLD has remained active, and companies and organizations located in countries that were part of the Soviet Union are allowed to register domains using that TLD. But, because the Soviet Union no longer exists and there are a relatively small number of sites on the TLD, it has gone unnoticed. Attackers have shown a remarkable ability to find obscure TLDs and infest them with malware-serving domains or C&C servers in a short period of time, and the .su TLD is now having its moment in the sun.
