An ISP harboring a considerable number of Zeus botnet command and control (C&C) servers was de-peered by its upstream providers yesterday. The unusual action resulted in a significant drop in Zeus-related activity.
TROYAK-AS (AS50215), an ISP registered in Kazakhstan but using servers in Eastern Europe, was cut off from the Internet by its upstream providers, iHome of Ukraine and Oversun-Mercury of Russia. With both upstreams no longer carrying its routes, every prefix the AS originated disappeared from the global routing table at once, and every host inside it, C&C servers included, became unreachable. The event occurred at around 10:20 GMT on Tuesday, and the count of online Zeus C&C servers, as reported by the Zeus Tracker, immediately dropped from 249 to 181.
Security researchers don't know what triggered the decision; Russian and Ukrainian ISPs rarely respond to abuse complaints, so a cut-off of this kind is unusual. "We don't know exactly why this happened," Mary Landesman, a senior security researcher at ScanSafe, told Network World. Nevertheless, "That's a pretty interesting development and I think a very positive one [...]" she commented for The Register.
According to Dancho Danchev, an independent security consultant who tracks Zeus operations, TROYAK was also hosting a lot of mule recruitment websites, which are much more important to these cybercrooks than C&C servers. "Sadly, it's more cost-effective to build a new botnet, compared to trying to gain access to the old one. What truly undermines their business model is their inability to utilize the monetization vector," Mr. Danchev writes on his blog.
Since the unexpected takedown, TROYAK-AS has struggled to restore stable service. It first reappeared under a different AS name and number, only to go dark again today. At the time of writing, the AS appears to be back online, with RTComm.RU as its upstream provider.
Zeus, also known as Zbot, is one of the most notorious computer trojans in use today and the weapon of choice for a large number of cybercriminal gangs involved in financial fraud. In addition to stealing online banking credentials, the malware is also used for corporate espionage.
The trojan's popularity is partly due to its flexibility. The malicious executables are customized and generated with a commercial crimeware toolkit sold on the underground market, which lets fraudsters put out new builds quickly enough to stay ahead of AV detection.