Cutwail operators aim DDoS at Zeus competitors

Share this article:
Name.com, Facebook and Verizon are among the companies backing the newly-formed group.
Researchers at RSA noted the "battle of the botmasters" taking place.

Analysts detected operators of one botnet targeting another malware control hub via distributed denial-of-service (DDoS) attacks.

According to researchers at RSA, the “battle of the botmasters” took place when Cutwail "botmasters" inundated the infrastructure of another botnet using at least 300,000 infected machines at their disposal.

The firm began tracking the control server communications in mid-August.

On Thursday, a senior researcher at RSA FirstWatch Team going by the alias, “Fielder,” blogged about the occurrences. The researcher revealed that the DDoS attacks were aimed at competing Zeus command-and-control infrastructures.

Cutwail, the world's largest spam botnet, is often used to distribute malware, including the banking trojan Zeus, via exploit kits.

“Looking at the destination IP addresses under attack showed that each one has been related to Zeus and Zbot command-and-control hosts – suggesting that the malware authors are using the Cutwail framework to actively engage in attacks against other Zbot and Zeus command-and-control infrastructures,” Fielder wrote.  

On Friday, Chris Elisan, a principal malware scientist at RSA, told SCMagazine.com in a follow up interview that DDoS attacks were an easy way for saboteurs to stall another gang's operations with minimal effort.

“It's one way of trying to actively disable a certain attack group, because it's really hard to stop a DDoS attack,” Elisan said. “If they want to disable a certain operator, it's really easy for them to do that…You just need the IP address or domain of the target.”

Share this article:

Sign up to our newsletters

More in News

Instagram iOS and Android apps vulnerable to session hijacking

Two researchers wrote about the Instagram app for iOS and Android is vulnerable to session hijacking because both send unsecured information through HTTP.

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.