Zbot: Cybercrime's New Super Infrastructure?Research Report Says Botnet Located Mainly in Ukraine and Russia
Researchers have watched a botnet composed mostly of compromised computers in the Ukraine and Russia become a growing hive of criminal fraud activity, playing a role in everything from ransomware and click fraud to spam bots and supporting stolen payment card marketplaces.
The botnet, called Zbot, has also been engineered to be extra robust, which could make it very hard to shut down, according to a new report from cyber threat intelligence company RiskAnalytics, which describes how Zbot has become the back-end infrastructure of choice.
Noah Dunker, RiskAnalytics' director of security labs, started tracking Zbot in mid-2014. He says researchers have seen botnets linked to malware and exploit kits, but Zbot appears to be servicing a huge variety of crimeware.
"This has a smorgasboard of various services that are being by the criminal underground," Dunker says.
Better, Stronger, Faster
Zbot uses many long-known techniques to make it robust, according to the new report. It employs fast flux, which allows a domain name to be pointed at a new IP address quickly. Fast flux has a legitimate purpose that helps with redundancy and load balancing, but cybercriminals use it to make their services harder to shut down. It's difficult to block malicious IP address when the addresses change every few minutes.
Fast flux has long been employed by botnet operators, but RiskAnalytics says Zbot also uses something called double flux: Infected endpoints also run DNS services for the fast flux network, which adds another layer of reliability.
The computers comprising the botnet are loaded with a range of tools: an Nginx web server, spam bots and more. Some of the tools are designed to spread malware, such as ransomware and credential stealers, while others are support tools that help maintain the botnet.
The crimeware domains that are hosted on Zbot change their IP addresses every two and a half minutes. "Over time, hundreds or thousands of IP addresses are used," RiskAnalytics' report says.
Those domains include no less than seven carding websites, where stolen payment card data is sold, and even two scammy websites selling underpriced agricultural and industrial equipment, the new report notes.
Nearly 84 percent of the compromised computers that are part of the fast flux infrastructure are in the Ukraine, with 12 percent in Russia, 3 percent Romania, with others around the world, the researchers say.
Surprising Amount of Crimeware
Wayne Crowder, director of threat intelligence for RiskAnalytics, says researchers were surprised at the amount of crimeware that Zbot supports. The research shows that malware campaigns thought to be separate actually linked back to Zbot.
"If you're a criminal and want to make sure that your stuff is going to stay up, you're going to buy the best infrastructure to hide your activity," Crowder says.
It's not clear how other cybercriminals get linked up with Zbot. Crowder says there isn't a lot of discussion on underground forums for how to rent time on Zbot.
The problem for security companies is figuring out how to quickly block domains and IPs that are part of the botnet. RiskAnalytics says it has developed a way to quickly find out about new bad IPs, which it distributes as a feed to its customers.
Fast flux has its advantages as far as redundancy, but it's also very noisy, Dunker says. RiskAnalytics monitors how the botnet's fast flux infrastructure rearranges the services it is hosting by watching the ever-changing DNS activity, or passive DNS observation.
"As soon as an IP address is seen resolving to one of the host names that we flagged for fast flux, it becomes part of the [block] list," Dunker says.