Malicious server used to propagate Zbot shut down

Share this article:
A criminal operation has been halted by the shutdown of a malicious server in the Cayman Islands, but attackers are probably now looking for a new home, researchers at a U.K. security firm said this week.

Prevx researchers recently discovered a site where the trojan Zbot had uploaded the FTP login credentials from more than 68,000 websites, including companies such as Bank of America, BBC, and Symantec. Since then, more than 20,000 additional FTP credentials were stolen. In addition, the stolen credentials started being used to inject malicious scripts on those sites, Jacques Erasmus, director of research at Prevx, told on Wednesday. But the attacker's server, based in the Cayman Islands, was shut down on Tuesday.

Up until Friday, when visiting a compromised website, users were being infected (by means of a drive-by download) with Zbot, a trojan that captures keystrokes to obtains login credentials and credit card information, Erasmus said. Once a user was infected, the trojan harvested FTP credentials and sent them back to the attack server.

This Monday, however, a second component of the attack was activated -- the infected computers began “calling home,” or communicating with the attack server in the Cayman Islands, Erasmus said. When they began calling home, FTP credentials were pushed to the infected computers, with instructions to attempt logging on to sites associated with the credentials (that is, websites whose FTP credentials were stolen) and -- if successful -- to inject them with malicious scripts.

“Since Monday it started infecting a lot of websites, embedding script in the websites,” he said. “Anyone who visits one of these websites will also get infected.”

One infected machine attempted to inject malicious scripts into 85 different domains in a five-minute period, Erasmus said.

He said that because the controlling server in the Cayman Islands is currently “dead,” no additional websites are being injected with malicious scripts. What remains is a lot of compromised websites that are now further propagating the Zbot trojan. Erasmus said that the big-name websites whose FTP credentials were stolen have all been contacted and those companies canceled the accounts that were harvested. 

Though the attack server is currently down, it looks like those responsible for the threat are trying to move their operations to a different server, Erasmus said.

“Similar servers are popping up and we are trying to figure out if this is the same group,” Erasmus said.
Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.