Lightning Crashes

statistical chart from

Zeus is undoubtedly one of the most prevalent malware being used for web based criminal activity. It has compromised thousands of systems and, though an exact count is unknown, an example like the Kneber/Zeus botnet reported by Netwitness showed that one collection of infected computers consisted of “75,000 systems in 2,500 organizations around the world.” There have certainly been larger botnets concentrated on data theft, but with fluxing configurations, binaries and the domains used for hosting, the array of zeus botnets have remained both widespread and dangerous. Then, on March 9th 2010, Zeus took a big hit to its infrastructure., who runs the ZeusTracker project, reported a significant drop in the active number of Zeus command and control servers, falling from 249 to 181 overnight. What they discovered was that the ISP Troyak (AS50215), and its dependent networks, had essentially been taken offline. These networks had been considered bulletproof hosting for Zeus domains, which means the hosting groups involved were believed to actively protect the malicious activity, ignore requests for ending it, or otherwise assumed by its users to be a safe zone for malicious domains.

While disconnecting thousands of compromised systems from their C&C domains is a great win, though likely a temporary one, no one knows who to congratulate. Security researchers assume it was an external takedown, but no one has stepped forward to be recognized. What is even more interesting, as mentioned by Brian Krebs, is that, 11 days prior to the Troyak switch-off, spam promoting Zeus also went into decline. On February 27th, as stated in Kreb’s blog, a large Zeus spamming gang stopped sending new spam.

For now we’ll just have to wonder who is behind this mysterious crusade against Zeus. It seems unlikely that it was the work of any security group or company as it is generally in our favor to promote such efforts. Perhaps a rival gang was involved and the “Zeus killer” feature in SpyEye wasn’t enough for them, or maybe somebody just thought to quit while they were ahead. That would be a novel idea.

Matt Sully
Threat Research & Analysis

Moments after posting this, Troyak found a new upstream provider and got back online. They have since moved to yet another provider, trying to evade a second disruption of “services.” Some would say they’re on the run.

Related articles by Zemanta

Reblog this post [with Zemanta]