Delaware, USA – April 16, 2018 – Experts from Proofpoint, Abuse.ch and BrilliantIT intercepted control over the C&C infrastructure of one of the largest botnets that distribute malware. Botnet EITest appeared in 2011, and by now it has grown to more than 52 thousand hacked sites with installed backdoors. Attackers used the botnet to redirect users to malicious sites. Initially, it was used for trojan Zaccess spreading, but soon the operators began to rent the botnet to other attackers and since then EITest has been used in numerous campaigns to spread various malware and steal user credentials. This botnet was capable to redirect up to 2 million users to malicious sites per day. Security experts succeeded to uncover its C&C infrastructure and determine the key domain – stat-dns.com. Successful sinkhole operation allowed them to disrupt malicious redirects and identify all the hacked websites. Most of the infected resources are WordPress sites. Experts shared lists of sites with CERTs, and attempts to cleanup backdoored websites are still ongoing.
Attackers have not yet made any active attempts to regain control of EITest, perhaps they have already begun work on a new infrastructure and will try to connect to it previously compromised sites. To control the security of your resources that face public internet, you can use ArcSight and Web Application Security Framework, which allows your SIEM to detect breach attempts and malicious activity on the resource.