The UK security firm Prevx has released details of a major botnet shutdown that netted the firm an unusual find—a command-and-control server loaded with the private details of some 160,000 individual computers and/or persons. Although that server has since been shut down and the appropriate authorities notified, its repository of data is a first-rate example of how data from a melting pot of sources ends up indiscriminately fused together.

The report in question comes courtesy of the Associated Press; the private information Prevx found may or may not have been drawn from computers infected by the Zeus malware the company details in a blog report from Sunday, March 15. In its blog entry, Prevx describes Zeus as brand-new; the company tracked the malware in action as it spread across a number of locations worldwide, as shown below:

Given that both the AP story and the blog post refer to a data breach at a "mid-size financial institution" (possibly Metro City Bank), both appear to concern the same threat. In many cases, breaching a personal or work PC is merely one step towards a larger prize: Prevx security researchers recovered login/password data for bank accounts and personally identifiable information (PII) of customers at the aforementioned Georgia bank, as well as login/access details for state health insurance systems in Texas and a government human resources site in North Carolina. The company states it notified the appropriate authorities in all cases, including state government officials and the FBI.

As for Zeus, Prevx describes it as available for just $4,000, a price that also buys an incorporated rootkit. The new Olympian malware has multiple tricks up its sleeve, and leverages its rootkit to do end-runs around current antivirus/antimalware solutions. Zeus also includes what Prevx calls "advanced 'form injection' capabilities," which can be used to modify a web page or seamlessly insert seemingly authentic requests for additional data. Such capabilities could be used, for example, to make a banking website appear to request one's login, password, and social security number rather than simply the login and password.

Prevx's blog post makes the rather disheartening claim that "today no single vendor (ourselves included) and no single product, maybe even all security vendors and products together, will stop more than 60% or so of modern malware." The number may or may not be accurate, but it's definitely true that stories of payment processor data breaches are just one example of how customers are left wondering whether they can trust the system that supposedly serves them.

Joe Stewart of SecureWorks told the AP that the threat such malware poses is growing all the time. "The level of amateurness [of the malware] speaks to how widespread it is," Stewart said. "Literally anybody with a little bit of computer knowledge at all, if they have the criminal bent, can get access to one of these Trojans and get it out there and start stealing people's data."