Met Police: UK botnet command server taken out

The command-and-control server was used with a botnet that targets UK banking customers and businesses, according to security firm Trusteer
Written by Tom Espiner, Contributor on

An Eastern European command-and-control server for a botnet that targets UK banking customers and businesses has been taken down, according to a senior Metropolitan Police source.

The server, which was being used to run a Zeus 2.0 botnet consisting of more than 100,000 compromised machines, is no longer a threat, the Met source told ZDNet UK on Wednesday. The botnet was being used to harvest and store UK user communications made through web browsers, and gathered credit card numbers and other banking credentials, according to security company Trusteer, which discovered the botnet.

"We are aware of an allegation," the Met said in a statement. "The Met's Police Central eCrime Unit are working with UK Payments and Trusteer; enquiries are underway."

The Police Central eCrime Unit (PCeU) is working with payment card industry group Apacs and mitigating the threat of numerous fraudulent identities being used to perpetrate financial crime, the senior police source said.

"They're not just capturing online banking information; they're capturing information on everything you do," said Trusteer chief executive Mickey Boodaei. "All of the information goes into a database, which has search capabilities similar to Google as part of an interface to the database."

Trusteer gained access to the command-and-control server during its own investigation of the botnet, according to Boodaei. Command-and-control servers other than the one that was taken down may still be operational, he noted.

Between 60-70GB of data had been captured by the criminals, including banking details, credit card numbers and passwords and logins for both commercial and business applications, Boodaei added. The searchable database would have allowed the criminals to build profiles of users to perpetrate more crime, he said.

"This is a very powerful tool to target specific users; it allows them to build various fraud scenarios," said Boodaei. "You can build a profile of how a user accesses a bank account, transactions, what they are doing on their balance. Combined with information on Facebook, [which is also being harvested], they can call a bank and answer questions about a specific user."

The criminals were able to retrieve login details for enterprise applications, which could have allowed them to penetrate specific companies and steal information, he said.

The criminals mainly used drive-by downloads — or malware hosted on compromised websites — to infect the compromised machines with the Zeus 2.0 a variant of the Zeus data-stealing Trojan. The Trojan changes signatures each time it is repacked in an effort to circumvent antivirus protections.

The search facility on the database was sold as part of the kit used to build the Zeus variants, said Boodaei.

The exploit allows criminals to view all communications made through a web browser, including communications encrypted with HTTPS. The malware sitting in the browser sees all outgoing traffic before it is encrypted, and all incoming traffic after it is decrypted, said Boodaei.

The botnet has fast-flux capabilities, meaning the data could have been transferred to a different command-and-control server. Of the compromised computers, 98 percent were located in the UK, Boodaei added.

Trusteer announced that it had discovered two separate botnets targeting the UK at the beginning of July. Boodaei said on Wednesday that Trusteer is currently tracking five or six different botnets.

Editorial standards