Cyber Criminals from Eastern Europe has taken out a command and control server for a botnet that targeted banking customers mostly in UK. This was confirmed from UK Metropolitan Police. The server was used in running a Zeus 2.0 botnet of more than hundred thousands affected machines.

When and how was the crime reported?

This was reported last Wednesday, Aug 4th 2010 by the web security company ‘Trusteer’. The CEO of Trusteer, Mr.Boodaei said on Wednesday that Trusteer was currently tracking five or six different botnets. He also said that 98% of the compromised machines were located in the UK. Trusteer claimed that their research tem were able to gain access to the servers containing stolen information.

What is the action of the Metropolitan Police?

The Police Central eCrime Unit of the Metropolitan Police has opened an enquiry into the incident and is closely working with ‘Trusteer’ in the ongoing investigation. The Police Central eCrime Unit (PCeU) is aware of the potential threat of a large number of fraud identities which could be used in committing financial crimes. They are working closely with payment card industry group Apacs regarding this. IP addressed used supposedly by the criminals were handed over to the police by the Trusteer.

Are there any more potential threats?

Mickey Boodaei, The Chief Executive of ‘Trusteer’ issued in his statement that they are not denying the fact that there could be other botnet still operational other than the one taken down.

What are the relevant information the criminals got a hand on?

More than just the banking credentials, these people were tracking all the transactions by the users and were sending all these to a database which was also serving as a search engine. Their database would have all the details including banking details, credit card numbers and login id and passwords.This allows the criminals to make profiles of users to commit further crime. They will even be able to answer specific questions from the bank about a specific user with this information. They can also use the information available in facebook. They have even got a hold of the enterprise applications details with which they can get entry to specific companies. Since the botnet had fast-flux capabilities, the police is also looking at the possibility of data getting transferred to a similar but different server.

How was the crime tailored?

According to the CTO of Trusteer , Mr. Amit Klein, the original attack might have come in the form of e-mail attachments and downloads.

The malwares in the compromised websites were mainly used by these criminals to infect the machines with the Zeus 2.0. This is aTrojan variant. This uses technology to change signature each time when it is repacked making it easy to surpass antivirus software.

Mr. Boodaei confirmed that the database search facility used by these criminals were part of Zeus variant build kit. This allowed them to be able to view even encrypted communications through web browser. With the use of malware they were able to get the data without encryption.