Threat Management, Malware, Vulnerability Management

Troyak shutdown signals short-lived win against Zeus

The takedown of a rogue internet service provider known as “AS Troyak,” which was linked to the prolific Zeus botnet, caused a massive, albeit brief, drop in the number of active Zeus command-and-control (C&C) servers this week before attackers reconnected their criminal operations.

Troyak, believed to be based in Eastern Europe, is the upstream provider for the top six Zeus-hosting ISPs, according to Zeus Tracker, a website that tracks the botnet. Early Tuesday morning, Troyak was suddenly taken offline, causing a large number of Zeus C&C servers to also lose connectivity. With their internet connection shut off, attackers could not send instructions to compromised machines or receive stolen information from them.

There are many botnets of computers infected with the notorious data-stealing trojan Zeus, known for stealing bank account information from its victims. One recently discovered Zeus botnet was made up of infected computer systems at nearly 2,500 organizations and government agencies worldwide.

According to Zeus Tracker, the number of active Zeus C&C servers dropped from 249 to 181 on Tuesday night, indicating that up to 25 percent of Zeus botnets were briefly dismantled as a result of the Troyak shutdown.

“Definitely, it was a victory,” Sean Brady, product manager in the identity protection and verification group at RSA, told on Thursday.  “It was a nice taste of what it could look like when a large scale win is achieved.”

But the victory did not last long. Less than 24 hours after the ISP was taken offline, Troyak operators found new upstream service providers, so Zeus controllers regained connectivity to their drone machines, Mary Landesman, senior security researcher at web security provider ScanSafe, recently acquired by Cisco, told on Thursday.

Landesman said she hopes Troyak's new upstream providers also sever ties and take the ISP offline. If that happens, Troyak operators probably would be able to find new providers, but at some point the costs of having to switch providers multiple times could deter them from doing business with Zeus.

“If they [Troyak] do have legitimate customers, those customers aren't going to be tolerant of these types of outages,” she said. “It should put a great deal of financial pressure on Troyak to sever their ties with the Zeus controllers and no longer provide internet service or hosting services for them.”

Currently, it is unclear who was behind the shutdown effort, but researchers believe law enforcement likely played a role.

It is difficult to go after individual malware domains or C&C servers because they can always find another host, experts said, adding that by targeting service providers, takedown efforts can have more of an impact.

“Right now, they are trying to fight the infrastructure and get wholesale wins, rather than trying to fight individuals or criminals,” Brady said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.