Three command-and-control (C&C) servers, which are feeding instructions to computers infected with the Zeus trojan, still are operational despite a Microsoft-led effort to disable the botnet, according to researchers at security firm FireEye.
Late last month, US Marshals led the raid on two hosting locations in the US, where they confiscated C&C servers and took down two key IP addresses in the process. In addition, as a result of the seizure, Microsoft assumed control of some 800 domains involved with the servers, a process known as sinkholing.
Atif Mushtaq, a senior staff scientist at FireEye, said in a blog post this week that the company has tracked more than 150 domains used by the botnet. But researchers found that despite the dismantling, three domains associated with Zeus remain live.
Botnets sometimes are able to stay alive by hiding behind fast-flux, or constantly changing, domains, but Mushtaq seems perplexed as to exactly why these three have been so resilient.
"[Microsoft's] main concern should be the three active domains," Mushtaq wrote. "Without these domains completely destroyed, this botnet can not be officially declared as dead."
A Microsoft spokeswoman did not immediately respond to a request for comment.
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition
Issue: 315 | May 2013
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.