Three command-and-control (C&C) servers, which are feeding instructions to computers infected with the Zeus trojan, still are operational despite a Microsoft-led effort to disable the botnet, according to researchers at security firm FireEye.
Late last month, US Marshals led the raid on hosting locations where they confiscated C&C servers and took down two key IP addresses in the process.
In addition, as a result of the seizure, Microsoft assumed control of some 800 domains involved with the servers, a process known as sinkholing.
Atif Mushtaq, a senior staff scientist at FireEye, said in a blog post this week that the company has tracked more than 150 domains used by the botnet.
But researchers found that despite the dismantling, three domains associated with Zeus remain live.
Botnets sometimes are able to stay alive by hiding behind fast-flux, or constantly changing, domains, but Mushtaq seems perplexed as to exactly why these three have been so resilient.
"[Microsoft's] main concern should be the three active domains," Mushtaq wrote. "Without these domains completely destroyed, this botnet can not be officially declared as dead."
A Microsoft spokeswoman did not immediately respond to a request for comment.