It appears that Microsoft’s recent Zeus takedown attempt left some bots behind. Days after the company announced it had sinkholed the troublesome botnet, researchers say that there are still some C&C domains active.
FireEye Malware Intelligence Lab’s Atif Mushtaq is reporting that, despite a largely successful takedown, part of the botnet has recovered from the takeover attempt. FireEye claims that this part of the botnet works with a Zeus variant that is well known for rapidly changing its command and control (C&C) infrastructure.
FireEye reports that the operation resulted in Microsoft gaining control of 147 of 156 C&C domains. Of the nine remaining domains, six are either dead or abandoned and present no threat. However, three of those C&C domains evaded the sinkhole and are still actively sending and receiving commands.
Mushtaq is not certain how the Microsoft Digital Crime Unit missed some of the C&C domains.
“Their main concern should be the three active domains,” Mushtaq wrote. “Without these domains completely destroyed, this botnet cannot be officially declared as dead.”
This is the second time in the last week that the thoroughness of a takedown attempt has been called into question. A similar situation arose recently when reports surfaced that the Kelihos bot remained active after it was taken down and sinkholed. Kaspersky Lab, which was a major part of the takedown, contests this. The company claims that the ‘resurfaced’ Kelihos, or Hlux as they call it, is an altogether new botnet, and that its emergence was not unexpected.