Select Page

Sunbelt malware specialist Adam Thomas located a server being used as a drop for a Zbot/Zeus botnet. It contained over a gigabyte of text files of stolen information.

Yes, it is just another Zeus botnet and a relatively small one by comparison – 5,100 unique infected hosts – but, the list of affected organizations is a bit disconcerting.


(1.1 gigabytes of recovered data in text format)

Most of the infected hosts appeared to be home users, he said, but there were a large number of infected hosts inside of state and federal government agencies; Fortune 500 and 100 companies; drug companies and even banks.

He said: “It has been almost four years since Zbot/Zeus reared its ugly head and unfortunately it is still going strong, holding a high position on our top-10 detected threats list –

“Back in the early days, the bad guys were sloppy with their server configurations and security researchers were able to find and recover the data that had been pilfered by Zbot trojans. The criminals eventually caught on and actually began taking measures to protect the data that they were stealing.

“Every once in a while, however, we stumble on server misconfigurations where the miscreant has (apparently) accidentally allowed access to the collected stolen data. During the past few days, our research team has been monitoring just that.

“Of course, we’ve alerted law enforcement and are working to notify those who have been affected,” he said.

In November, police in England arrested a couple in Manchester in connection with a Zbot network. Zbot enables malicious operators to steal data, including bank passwords, credit card data, personal information and social networking site logins.

This “trojan” would be “Trojan-Spy.Win32.Zbot.gen.” In June it was the second most common detection in the Sunbelt ThreatNet system. ThreatNet consists of tens of thousands of VIPRE and CounterSpy users who have banded together to form an early warning system when a new malware outbreak is noticed.

The trojan isn’t hard to detect and Sunbelt Software offers a free removal tool here.

Thanks Adam.

Tom Kelchner