The Zeus Trojan is back in the media spotlight once more, and for good reason. Last week the FBI’s Operation Trident Breach made worldwide headlines with over 100 arrests related to an organized cybercrime operation spanning the US, the UK, and Ukraine. The arrests relate to cybercriminals and money mules involved in stealing up to $70m from bank accounts through the use of the Zeus crimeware toolkit. The operation, initiated by the FBI, involved unprecedented partnerships between international law enforcement agencies, such as the Netherlands Police Agency, the Security Service of Ukraine (SBU), and the United Kingdom’s Metropolitan Police Service. These arrests, however, are not the first related to use of the Zeus crimeware toolkit, and in my opinion they will not be the last. In November 2009, Symantec blogged about the arrest of two Zeus toolkit users in the UK.
Following these arrests there have been some questions about just how significant a blow this is to the Zeus threat landscape as seen today. It should be noted that every arrest related to cybercrime is a step in the right direction. It must also be pointed out, though, that other cybercriminal gangs and individuals are still out there and are still using the Zeus toolkit to infect computers. It would be difficult to put a true figure on the number of cybercriminal gangs or individuals that use the Zeus toolkit for illegal activity today, but it could easily be 100 or more. The Zeus Tracker at present shows 156 command and control servers, each belonging to an individual Zeus botnet, to be online.
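A list of live command and control servers such as the Zeus Tracker's is only useful if it is actually checked against traffic leaving the network. The following is an added example, not code from the original post, from Symantec, or from the Zeus Tracker itself: it parses a blocklist in the plain-text, one-entry-per-line style assumed here (the entries are constructed and use documentation addresses, not real Zeus infrastructure) and matches it against a few constructed proxy log lines. The log format, the field layout, and the rule that a listed domain also covers its subdomains are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blocklist (assumed format: '#' comments, one host or
# network per line). These entries are made up and use documentation ranges.
SAMPLE_BLOCKLIST = """\
# Zeus C2 blocklist - constructed sample, not real tracker data
# Generated: 2010-10-05
zeus-c2.example.net
update.example-panel.org
198.51.100.23
203.0.113.0/24
"""

# Constructed proxy log lines (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
2010-10-05T09:12:01Z 10.0.0.15 GET http://update.example-panel.org/cfg.bin 200
2010-10-05T09:12:44Z 10.0.0.15 POST http://198.51.100.23/gate.php 200
2010-10-05T09:13:10Z 10.0.0.22 GET http://www.example.com/index.html 200
2010-10-05T09:14:02Z 10.0.0.31 POST http://203.0.113.77/s.php 404
2010-10-05T09:15:30Z 10.0.0.22 GET http://cdn.zeus-c2.example.net/bot.exe 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_blocklist(text):
    """Split a blocklist into a set of domains and a list of IP networks.

    Anything that ipaddress can parse is treated as an address or CIDR block;
    everything else is treated as a domain name.
    """
    domains, networks = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return domains, networks


def host_is_listed(host, domains, networks):
    """True if host is a listed address/network member or a listed domain
    or a subdomain of one (assumed matching rule)."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        # Check the host and every parent domain: cdn.a.b -> a.b -> b
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    # Containment is False across IP versions, so mixed lists are safe.
    return any(addr in net for net in networks)


def find_hits(log_text, domains, networks):
    """Return (timestamp, client, host) for each log line whose destination
    host is on the blocklist. Lines that do not match the assumed format are
    skipped rather than silently mis-parsed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if host and host_is_listed(host, domains, networks):
            hits.append((ts, client, host))
    return hits


def scan(log_text=SAMPLE_PROXY_LOG, blocklist_text=SAMPLE_BLOCKLIST):
    domains, networks = parse_blocklist(blocklist_text)
    return find_hits(log_text, domains, networks)


if __name__ == "__main__":
    for ts, client, host in scan():
        print(f"{ts} {client} contacted listed host {host}")
```

Two points worth noting when running this against real data: the HTTP status is deliberately ignored, since a 404 from a listed host still means the client tried to reach it, and the subdomain rule means one listed apex domain flags every host beneath it, which is what you want for attacker-registered domains but is too broad if a list ever carries a shared hosting domain.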
In a previous Symantec Zeus blog back in August 2009, we looked at the Zeus detection figures Symantec was seeing in the wild at that time, along with a breakdown of the countries reporting Zeus infections. I thought it might be interesting to follow up on these figures and see what they look like so far in 2010.
Zeus detection heat map
As can be seen, some of these figures are considerably higher than previously seen. The spike in detections in August 2010 corresponds to a major Zeus spam campaign we observed at that time. The country breakdown of detections, however, has remained relatively similar. To see whether Operation Trident Breach has made any significant impact on these figures, we will revisit them in the next two to three weeks and blog about our findings. So please stay tuned to our blog for updates.