In recent days, there have been new Zeus variants which update like Conficker. With the experience in analyzing and monitoring Conficker, Bkis has been tracking this Zeus botnet. According to our statistics, this botnet contains about 18,752 zombies in 153 countries, 34 percent of which are in the USA.
The percentage of zoombie distribution
Top 10 infected countries
When users access websites containing malware or visit legitimate websites controlled by hackers, a virus called W32.ZbotL.Worm (by Bkav) will be loaded onto users’ computers via vulnerabilities of IE, Firefox, Adobe or Flash Player, etc .
To maintain this botnet, Zbot drops a file infecting virus, W32.Licat.PE, onto the system. This virus attempts to infect executable files on the system. Each time these infected files are executed, the Licat’s code in the files will connect to the randomly generated domains which serves new Zbot’s update.
The top-level domains of these randomly generated domains are: .biz .com .info .org .net
Licat uses the time got by GetSystemTime function and applies algorithms to generate domains randomly. This algorithm is able to generate 1,020 random domains a day. When a Licat-infected file is executed, it will connect to 800 different domains (among those 1.020 randomly generated domains).
If one of these domains belongs to hacker, the new variants will be downloaded. Licat will check the signature in the file downloaded to know whether it is a new Zbot. If it is a new variant, this variant will be executed.
Zeus botnet working diagram
By setting up Honeypot and Rada system like what we do to monitor Conficker, we are able to give the exact number of zombies as well as to keep close track of this botnet’s development.
According to our statistics, this botnet is growing quite fast. We will continue to update the statistics in the next entries.
Le Minh Hung
Senior Malware & Security Researcher
Update: Lastest statistics, the number of zombies amounts to 20,553.