
Observations on Zeus botnet targets and activity over time

Posted on June 6, 2014 - 12:13 by ccondon

One of our interests at StopBadware is how attacker incentives and target selection morph over time. New research from the Delft University of Technology examines Zeus financial malware targets and attack volume over a period of several years. One particularly interesting finding:

“On average, across all Zeus botnets and attackers, code similarity is well over 90% from one attack to the next. This suggests code sharing, selling, or stealing among attackers...as well as low development costs. Interestingly enough, these do not translate into growing attack levels....the underground market for malware-as-a-service, often portrayed as making attacks cheaper to execute, is not driving the attack volume or the selection of targets.”

The full paper is available here. With permission from the paper’s authors (Samaneh Tajalizadehkhoob, Hadi Asghari, Carlos Gañán and Michel van Eeten), StopBadware's technologist and researcher Marie Vasek has shared some of her own observations below.

Zeus botnet activity over time

The above graph shows the number of active Zeus botnets over time. Microsoft takedown efforts managed to curb activity temporarily, but it quickly bounced back. The paper's authors measure the number of botnets by the number of unique keys found in config files. Since Zeus is a commercially available malware kit, the key metric here is the number of botnets and NOT the number of bots (infected end devices).

These bots targeted 14,870 unique URLs corresponding to 2,412 unique domains. Most of these were banks (about ¾), but AV companies, news sites, webmail providers, and social networks were also targeted.

Attacked domains over time

This graph shows the number of targeted URLs over time. (Note that the shape of the graph does somewhat parallel the shape of the botnet graph.) Targets follow a power law distribution: 15% of the domains account for 90% of the attacks. In other words, everybody wants to take down targets like HSBC, Google, et al., but random local banks are only interesting to selective attackers.

Bank size versus intensity of attacks

That said, target popularity and bank size are not completely correlated, as the figure above shows. Big banks are targeted more than small banks, but when researchers look at only big banks, results vary.

Inject code similarity

“More than 83% of the inject codes targeting a particular URL are more than 90% similar, and only 1.71% of the inject codes are very different (less than 50% similar). On average, across all Zeus botnets and attackers, code similarity is over 90% from one attack to the next. This suggests some mechanism of code sharing or stealing among the attackers.”

Final numbers to consider: Each inject code is repeated on average 27 times, and 43% of all inject codes are repeated over 1,000 times.
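The three kinds of figures quoted above (target concentration, inject code similarity, and inject code repetition) are straightforward to recompute once inject records have been pulled out of config files. The script below is an added example for this post, not code from StopBadware or from the TU Delft authors; the record format, the domain names and the inject code strings are constructed stand-ins, and the similarity measure (difflib's sequence-matching ratio) is an assumption, since the paper's exact similarity metric is not described here.

```python
"""Added example (not from the StopBadware post or the TU Delft paper):
recomputing the concentration, similarity and repetition metrics the post
cites, over constructed sample data."""
from collections import Counter
from difflib import SequenceMatcher
from itertools import combinations
from math import ceil

# Constructed stand-in for inject records recovered from Zeus config files:
# (target domain, inject code). Domains and code strings are hypothetical.
SAMPLE_INJECTS = [
    ("bank-a.example", "hook form=login field=account variant=1"),
    ("bank-a.example", "hook form=login field=account variant=1"),
    ("bank-a.example", "hook form=login field=account variant=1 extra=otp"),
    ("bank-b.example", "hook form=login field=account variant=1"),
    ("bank-b.example", "hook form=login field=account variant=1"),
    ("mail.example", "hook form=signin field=user variant=2"),
    ("news.example", "replace banner with placeholder text"),
]


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two inject codes
    (difflib's Ratcliff/Obershelp ratio; 1.0 means identical)."""
    return SequenceMatcher(None, a, b).ratio()


def similarity_stats(codes, high=0.9, low=0.5):
    """Pairwise similarity over distinct codes: share of pairs at or above
    `high` (near-duplicates), share below `low` (very different), and mean."""
    unique = sorted(set(codes))
    ratios = [similarity(a, b) for a, b in combinations(unique, 2)]
    if not ratios:
        return {"pairs": 0, "high_share": 0.0, "low_share": 0.0, "mean": 0.0}
    return {
        "pairs": len(ratios),
        "high_share": sum(r >= high for r in ratios) / len(ratios),
        "low_share": sum(r < low for r in ratios) / len(ratios),
        "mean": sum(ratios) / len(ratios),
    }


def repetition_stats(codes, threshold=2):
    """How often each distinct inject code recurs: mean repeats per distinct
    code and the share of distinct codes seen more than `threshold` times."""
    counts = Counter(codes)
    n_unique = len(counts)
    if n_unique == 0:
        return {"unique": 0, "mean_repeats": 0.0, "share_over_threshold": 0.0}
    return {
        "unique": n_unique,
        "mean_repeats": len(codes) / n_unique,
        "share_over_threshold": sum(c > threshold for c in counts.values()) / n_unique,
    }


def attack_concentration(domain_counts, top_fraction=0.15):
    """Fraction of all attacks aimed at the most-targeted `top_fraction` of
    domains (the post's "15% of domains account for 90% of attacks" check).
    The top group is rounded up to at least one domain."""
    counts = sorted(domain_counts.values(), reverse=True)
    total = sum(counts)
    if total == 0:
        return 0.0
    k = max(1, ceil(top_fraction * len(counts)))
    return sum(counts[:k]) / total


if __name__ == "__main__":
    codes = [code for _, code in SAMPLE_INJECTS]
    per_domain = Counter(domain for domain, _ in SAMPLE_INJECTS)
    print("similarity:", similarity_stats(codes))
    print("repetition:", repetition_stats(codes))
    print("top-15% concentration:", attack_concentration(per_domain))
```

Run against real records, `similarity_stats` is the part to treat with care: a character-level ratio is cheap and deterministic, but it is sensitive to whitespace and variable renaming, so normalising the code (stripping whitespace, canonicalising identifiers) before comparison will usually push the "over 90% similar" share higher than the raw ratio does.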
