Botnet gangs collaborate on malware

Summary: The criminal groups behind the Zeus and Avalanche botnets appear to have struck a deal to use each other's infrastructure

TOPICS: Security

Two criminal groups are collaborating to promote malware, according to botnet researcher Jose Nazario.

The anonymous group behind the Avalanche botnet is pushing Zeus, malicious code from another unnamed group, Nazario told ZDNet UK on Wednesday.

"We are seeing Zeus and Avalanche working together to promote growth," Nazario said. "We appear to be seeing one of the groups, Avalanche, promoting Zeus malware."

Nazario, senior researcher for security company Arbor Networks, said the firm had seen the Avalanche botnet spamming out Zeus code. Zeus is a banking Trojan, designed to steal information, whereas the Avalanche botnet is used mainly to host phishing sites.

Nazario said Arbor researchers were surprised when they first saw the two groups working together, but their collaboration made sense.

"It threw us for a loop, confused us for a second," Nazario said. "[But] they don't directly compete, and they both have good market positions, so they can grow each other."

The Zeus botnet is at least tens of thousands of computers strong, Nazario said.

Vincent Hanna, an investigator for anti-spam organisation the Spamhaus Project, told ZDNet UK on Friday that the two groups are using each other's infrastructure on a commercial basis.

"There are people who supply botnets, and there are people who 'rent' capacity on these botnets," Hanna said in an email interview. "We see that the same viruses are emitting mails that benefit [the] different groups, either through spammed URLs or attached malware."

In another novel development, the latest Zeus variant uses Amazon's EC2 cloud computing infrastructure to host its command and control functionality, CA researcher Methusela Cebrian Ferrer wrote in a blog post on Thursday.

"The Zeus bot variant injects code into the system processes (such as svchost.exe) and connects to its cloud-server for configuration of the master for its criminal activity," Ferrer wrote.

The Zeus variant is being spammed out in fake Christmas cards, the researcher added.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

1 comment
  • Maybe it's about...

    Time these cloud service providers start to vet their customers or at least monitor their activities for an unspecified set period of start time, because there's simply too much power & bandwidth on tap to turn a blind eye to, not to mention operations like this, when scaled up, would potentially impede other cloud users.