The Zeus botnet, a Trojan family widely used by cybercriminals to target victims with data-stealing malware, was temporarily disrupted this week after Kazakhstan-based Troyak.org, an ISP suspected of harboring servers that control spam and malware botnets, went down on Tuesday. Troyak is believed to host about 25% of the command-and-control servers that Zeus-infected computers connect to. ScanSafe, which was recently acquired by Cisco Systems Inc., identified a sharp uptick in malware traffic prior to the shutdown, suggesting the bot herders may have known a disruption to their operations was coming.
"The data seems to indicate they had some sort of advance warning and if so they would have had ample opportunity to update their bots," said Mary Landesman, senior security researcher at ScanSafe, now part of Cisco.
The disruption to Zeus was short-lived. Landesman said all connections that were severed when Troyak went offline were re-established once the ISP acquired a new upstream provider.
"We've checked the IP addresses and they were live again when Troyak came back online," she said.
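The two observations above, the surge in traffic to the command-and-control addresses before Troyak went dark and the reconnections once it came back online, are the kind of signal a web-proxy or flow log can surface. The following is an added example, not ScanSafe's or Cisco's code: it counts per-hour connections to a hypothetical C2 netblock in constructed proxy log lines (RFC 5737 documentation addresses stand in for the real ones) and labels each hour as baseline, spike, outage, or recovered relative to the median hourly volume.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample proxy log: "<ISO timestamp> <client_ip> <dest_ip> <dest_port>".
# Destination addresses use the RFC 5737 documentation ranges 198.51.100.0/24 and
# 203.0.113.0/24 as stand-ins; they are not real Troyak or Zeus addresses.
SAMPLE_LOG = """\
2010-03-09T06:05:11Z 10.0.0.5 198.51.100.7 80
2010-03-09T06:20:42Z 10.0.0.9 198.51.100.7 80
2010-03-09T06:51:03Z 10.0.0.5 203.0.113.40 443
2010-03-09T07:03:27Z 10.0.0.5 198.51.100.7 80
2010-03-09T07:31:55Z 10.0.0.12 198.51.100.9 80
2010-03-09T07:44:09Z 10.0.0.9 198.51.100.7 80
2010-03-09T08:02:18Z 10.0.0.5 198.51.100.7 80
2010-03-09T08:27:36Z 10.0.0.12 198.51.100.9 80
2010-03-09T08:49:50Z 10.0.0.9 203.0.113.40 443
2010-03-09T09:01:04Z 10.0.0.5 198.51.100.7 80
2010-03-09T09:01:09Z 10.0.0.5 198.51.100.9 80
2010-03-09T09:02:15Z 10.0.0.9 198.51.100.7 80
2010-03-09T09:02:20Z 10.0.0.9 198.51.100.9 80
2010-03-09T09:03:31Z 10.0.0.12 198.51.100.7 80
2010-03-09T09:03:36Z 10.0.0.12 198.51.100.9 80
2010-03-09T09:10:02Z 10.0.0.5 198.51.100.7 80
2010-03-09T09:10:40Z 10.0.0.9 198.51.100.7 80
2010-03-09T09:11:12Z 10.0.0.12 198.51.100.7 80
2010-03-09T10:15:00Z 10.0.0.5 203.0.113.40 443
2010-03-09T11:06:22Z 10.0.0.5 198.51.100.7 80
2010-03-09T11:33:48Z 10.0.0.9 198.51.100.7 80
"""

# Hypothetical C2 netblock (documentation range), matched by prefix for simplicity.
C2_PREFIX = "198.51.100."


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, dest_ip, dest_port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, port = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, dest, int(port)))
    return records


def hourly_c2_counts(records, c2_prefix=C2_PREFIX):
    """Count connections to the C2 netblock per hour, keeping zero-traffic hours in the span."""
    if not records:
        return {}
    per_hour = Counter()
    for ts, _client, dest, _port in records:
        if dest.startswith(c2_prefix):
            per_hour[ts.replace(minute=0, second=0)] += 1
    start = min(ts for ts, *_ in records).replace(minute=0, second=0)
    end = max(ts for ts, *_ in records).replace(minute=0, second=0)
    counts = {}
    hour = start
    while hour <= end:
        counts[hour.strftime("%Y-%m-%dT%H")] = per_hour.get(hour, 0)
        hour += timedelta(hours=1)
    return counts


def classify_hours(counts, spike_factor=3.0):
    """Label each hour against the median of non-zero hours.

    spike: more than spike_factor times the baseline (bots fetching updates or
           re-checking in), outage: no C2 traffic at all, recovered: first
           non-zero hour after an outage, baseline: everything else.
    """
    nonzero = [c for c in counts.values() if c > 0]
    baseline = median(nonzero) if nonzero else 0
    labels = {}
    in_outage = False
    for hour in sorted(counts):
        count = counts[hour]
        if count == 0:
            labels[hour] = "outage"
            in_outage = True
        elif count > spike_factor * baseline:
            labels[hour] = "spike"
            in_outage = False
        elif in_outage:
            labels[hour] = "recovered"
            in_outage = False
        else:
            labels[hour] = "baseline"
    return baseline, labels


if __name__ == "__main__":
    base, labels = classify_hours(hourly_c2_counts(parse_log(SAMPLE_LOG)))
    print(f"baseline {base} connections/hour")
    for hour, label in labels.items():
        print(hour, label)
```

A spike like the one at 09:00 in the constructed data is only a lead, not proof of advance warning: a configuration refresh or a new infection wave produces the same shape. The "recovered" hour is the check Landesman describes, and it is why blocking by C2 address alone is brittle: the same IP addresses came back with a new upstream, so a list of addresses that was correct on Tuesday morning was correct again by the time the ISP found new connectivity.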
Zeus is a large Trojan family distributed with automated attack tools. The 75GB cache discovered last month is believed to be a hacker drop site tied to Zeus infections. The cache contained a variety of sensitive data, from bank account credentials to Social Security numbers and email passwords.
"It's publicly available, so there are many segments of Zeus and of the Zeus botnet," Landesman said. "The malware can range from phishing and stealing online credentials to much more sophisticated attacks against banks."
An estimated 1.6 million infected machines make up hundreds of Zeus botnets. In 2007, a German cybercriminal gang used Zeus in multiple heists at European banks, stealing $20 million. Today, the Zeus botnets target nearly a thousand banks, and experts say the Trojan has become a major plague on the banking industry. It injects extra fields into online banking forms and silently drains accounts while displaying a phony account balance to the victim.
Puzzling to security researchers is how Troyak was disrupted in the first place. In a paper issued by RSA, the security division of EMC Corp., researchers said the upstream facility could have been shut down by law enforcement or by its own operators. The name "Troyak," according to the paper, is Russian slang for "Trojan," a further indication that Troyak.org may not be a legitimate business.
"The inactivity of AS-Troyak may be the result of a technical failure, though this is the least likely scenario, as malicious operations of this kind usually have no single point of failure," according to the RSA report.
The Troyak incident is similar to the shutdown of McColo Corp. in 2008, when its upstream providers cut off the hosting provider's network access. Researchers at the time predicted that spam and malware would likely make a full recovery, and they did.
"As an industry we're dealing with a lot of people making money off of these criminal endeavors, and until they stop making money or their customers start incurring costs from the disruptions, there's little motivation for them to do the right thing," Landesman said. "For many of these players, this is the most viable means for them to earn a living."