In McAfee Labs we keep a close eye on the Zeus/Zbot/Gamover botnet malware that is responsible of thousands of samples we gather each day. The following graph shows the total number of Zbot samples submitted to McAfee Labs in recent months.
For a couple of weeks, McAfee Labs has followed a global Zbot campaign, in which payloads have been used to steal credentials. Between the end of March and April 3, the amount of bots connected to the botnet ranged between 26,000 and 41,000.
The following map and table are based on the data of April 2. Only countries with more than 80 bots are highlighted:
The top 10 countries infected with the data-stealing malware:
Country Number of Bots
1. United Kingdom 6,694
2. India 4,820
3. South Africa 3,472
4. China 1,197
5. Indonesia 1,175
6. South Korea 1,034
7. Italy 1,029
8. United States 999
9. Malaysia 958
10. Taiwan 664
By the Numbers
The statistics in the following botnet control screen show some interesting details around the most targeted CPUs and operating systems.
The 32-bit CPU architecture is targeted about three times more than 64-bit systems. Windows 7 is the leading operating system, closely followed by Windows XP.
When we started monitoring the botnet, the average number of bots connected to the botnet was 34,461. Around April 1, the number of bots decreased to 26,836. Immediately thereafter, we saw a successful campaign to update the number of bots, with the botnet reaching 41,820 bots. In the United Kingdom, for example, the number of bots grew by 2,000 to 8,663 infected hosts.
The botnet control server hosted at hxxp://vodrasit.su was set up around the beginning of March, although the team behind this was not very careful in guarding the root directory of their server:
The malware used to get the bots connected to the control server is called Jolly Roger. This kit has been available on the underground market since October 2013. Security blogger Kafeine offered an excellent overview in his post about this kit.
During the botnet campaigns, we found a sample at hxxp://merdekapalace.com/jr.exe
In a forum in March, “Silent Riot” posted an update on Jolly Roger that announced support for hijacking Bitcoin wallets:
On March 13, Silent Riot mentioned a bug and an update:
The malware steals credentials from various programs on a user’s computer. The harvesting of credentials can be set up per country or campaign. In this case the botnet harvested data on http/https, FTP, RDP, email (SMTP/POP), and certificates:
The preceding overview shows the type of logs available; the count, the number of lines with harvested credentials; and the size of the logs. For example, 153 RDP credentials were harvested during the month’s campaign. That is not the number of unique sites or links; in some cases the same links are harvested multiple times.
An example of a log file:
During our investigation, we found thousands of leaked social media accounts, webmail, corporate and government email-accounts, RDP sessions into companies, and more. We have reported many of these to CERTs and law enforcement. In one case, a law enforcement agency confirmed that the leaked credentials were already being abused to commit banking fraud.
The control server is no longer available, but we will keep a close watch on this particular botnet to see if it resurfaces.
We would like to thank Kafeine in particular for his help, as well as the many CERTs and law enforcement agencies that responded quickly to our investigation and took actions to inform victims.