ISP takedown smashes Zeus botnet – for a few hours
by Steve Ragan - Mar 11 2010, 16:55

The Zeus botnet was smacked around on Wednesday after Group 3 and Troyak, two ISPs that hosted C&C servers for Zeus, were de-linked from the Internet by their upstream providers, severing the connection between the servers controlling the bots and the infected hosts. Unfortunately, Troyak was back online just a few hours later.
Zeus is the king of botnet creation kits. The kit sells for as little as $300 USD or as much as $2,000 USD, it is the base for many other botnet kits sold online, and it is popular enough that it is even targeted by rival botnets. The malware built with the kit infects systems and harvests financial data, as well as other personal information including passwords.
As for the takedown itself, the person or persons behind the effort to have the ISPs taken offline are unknown, and those familiar with the operation will not speak on the record. Despite one ISP returning online rather quickly, the takedown is for the most part seen as a positive, hailed as another win in the fight against botnets.
The truth is that over the last 24 hours Troyak has had two different upstream providers, so it appears able to re-establish an Internet connection rather quickly, only to have it taken away again.
On the plus side, while the botnet-friendly ISP comes and goes, Zeus is still taking some serious hits. As of 12:00 EST on March 11, 2010, Zeus Tracker reports 181 Zeus domains, 148 Zeus configuration domains, 102 drop zones, and 62 binaries online.
Those numbers are a fraction of what was live just four days ago. As for Troyak, Zeus Tracker reports that all of the C&C servers hosted by the ISP are still down at this time. It may be that the bot masters have left the ISP for greener pastures.
Just before the takedown and the drop in activity, Zeus was highly active over the past weekend. A Trend Micro research paper adds that an average of around 300 unique Zeus samples per day crossed its malware collection points; overall, Trend Micro saw more than 13,000 unique Zeus samples in January 2010 alone.
The takedown of the Zeus ISPs, and their struggle to return in full force, is just the latest botnet action taken this year. Microsoft recently went after Waledac, and just last week Panda Security helped take down the ringleaders behind the Mariposa botnet.
The last time the de-linking of an ISP hit a botnet was in 2008, when McColo was shut down. The ISP's closure led to a global drop in spam, but spam volumes surged back to their previous levels before the end of Q1 2009, a trend that does not sit well if you consider it alongside Troyak and Zeus.