Troyak shutdown signals short-lived win against Zeus

The takedown of a rogue internet service provider known as “AS Troyak,” which was linked to the prolific Zeus botnet, caused a massive, albeit brief, drop in the number of active Zeus command-and-control (C&C) servers this week before attackers reconnected their criminal operations.

Troyak, believed to be based in Eastern Europe, is the upstream provider for the top six Zeus-hosting ISPs, according to Zeus Tracker, a website that tracks the botnet. Early Tuesday morning, Troyak was suddenly taken offline, causing a large number of Zeus C&C servers to also lose connectivity. With their internet connection shut off, attackers could not send instructions to compromised machines or receive stolen information from them.

There are many botnets of computers infected with the notorious data-stealing trojan Zeus, known for stealing bank account information from its victims. One recently discovered Zeus botnet was made up of infected computer systems at nearly 2,500 organizations and government agencies worldwide.

According to Zeus Tracker, the number of active Zeus C&C servers dropped from 249 to 181 on Tuesday night, indicating that up to 25 percent of Zeus botnets were briefly dismantled as a result of the Troyak shutdown.

“Definitely, it was a victory,” Sean Brady, product manager in the identity protection and verification group at RSA, said on Thursday. “It was a nice taste of what it could look like when a large scale win is achieved.”

But the victory did not last long. Less than 24 hours after the ISP was taken offline, Troyak operators found new upstream service providers, so Zeus controllers regained connectivity to their drone machines, Mary Landesman, senior security researcher at web security provider ScanSafe, recently acquired by Cisco, said on Thursday.

Landesman said she hopes Troyak's new upstream providers also sever ties and take the ISP offline. If that happens, Troyak operators probably would be able to find new providers, but at some point the costs of having to switch providers multiple times could deter them from doing business with Zeus.

“If they [Troyak] do have legitimate customers, those customers aren't going to be tolerant of these types of outages,” she said. “It should put a great deal of financial pressure on Troyak to sever their ties with the Zeus controllers and no longer provide internet service or hosting services for them.”

Currently, it is unclear who was behind the shutdown effort, but researchers believe law enforcement likely played a role.

It is difficult to go after individual malware domains or C&C servers because they can always find another host, experts said, adding that by targeting service providers, takedown efforts can have more of an impact.

“Right now, they are trying to fight the infrastructure and get wholesale wins, rather than trying to fight individuals or criminals,” Brady said.
