Botnet gangs collaborate on malware

The criminal groups behind the Zeus and Avalanche botnets appear to have struck a deal to use each other's infrastructure
Written by Tom Espiner, Contributor on

Two criminal groups are collaborating to promote malware, according to botnet researcher Jose Nazario.

The anonymous group behind the Avalanche botnet is pushing Zeus, malicious code from another unnamed group, Nazario told ZDNet UK on Wednesday.

"We are seeing Zeus and Avalanche working together to promote growth," Nazario said. "We appear to be seeing one of the groups, Avalanche, promoting Zeus malware."

Nazario, senior researcher for security company Arbor Networks, said the firm had seen the Avalanche botnet spamming out Zeus code. Zeus is a banking Trojan, designed to steal information, whereas the Avalanche botnet is used mainly to host phishing sites.

Nazario said Arbor researchers were surprised when they first saw the two groups working together, but their collaboration made sense.

"It threw us for a loop, confused us for a second," Nazario said. "[But] they don't directly compete, and they both have good market positions, so they can grow each other."

The Zeus botnet is at least tens of thousands of computers strong, Nazario said.

Vincent Hanna, an investigator for anti-spam organisation the Spamhaus Project, told ZDNet UK on Friday that the two groups are using each other's infrastructure on a commercial basis.

"There are people who supply botnets, and there are people who 'rent' capacity on these botnets," Hanna said in an email interview. "We see that the same viruses are emitting mails that benefit [the] different groups, either through spammed URLs or attached malware."

In another novel development, the latest Zeus variant uses Amazon's EC2 cloud computing infrastructure to host its command and control functionality, CA researcher Methusela Cebrian Ferrer wrote in a blog post on Thursday.

"The Zeus bot variant injects code into the system processes (such as svchost.exe) and connects to its cloud-server for configuration of the master for its criminal activity," Ferrer wrote.

The Zeus variant is being spammed out in fake Christmas cards, the researcher added.
