Zeus botnets suffer mighty blow after ISP taken offline
One quarter of C&C channels vanish
At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations.
The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known as Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus.
Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop-off in the number of malware attacks ScanSafe blocks from affected IP addresses.
The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world.
"That's a pretty interesting development and I think a very positive one, because they're now putting the shared costs on the network service provider," Landesman told The Register. "There's not always a lot of impetus for these network service providers to take action, but as soon as you have such a severe repercussion where they're actually not able to serve any of their customers, legitimate or otherwise, they're now sharing in that cost."
The takedown comes a week after authorities in Spain and the United States clipped the wings of the Mariposa botnet. One of the world's biggest botnets, it controlled almost 13 million infected computers and infiltrated more than half of the Fortune 1000 companies. Late last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace.
In November 2008, upstream providers terminated service to McColo, a San Jose, California-based ISP accused of providing service to a large percentage of the world's spammers, malware purveyors and child pornographers.
It remains to be seen how significant a victory the latest takedown will be. In the two days leading up to it, Zeus-related malware attacks spiked to unprecedented levels, Landesman said, going from a little less than one per cent of the blocks ScanSafe performs on behalf of its customers to more than 10 per cent.
That has touched off speculation that the people running the botnets had advance notice that allowed them to build new botnets that would be unaffected by the action.
"It's certainly an odd coincidence," Landesman said. "I think it's an indication of possible forewarning and an attempt to get new bots out there." ®
Nut? More like a mountain.
No, sorry, but I disagree. The problem of spamming and botnets has been out of control for a while now; the time for diplomacy has passed. The ISP(s) in question ignored requests to keep their house in order; they have failed to do anything about it. In some cases these small ISPs are even run by crooks for crooks.
If a nightclub has a reputation for fights, drugs and generally causing a problem for local residents, then their liquor license is pulled and the place is closed down. No-one finds that to be unreasonable, so why is this any different?
They should have been doing this years ago, before spam, phishing and DDoS attacks became a fact of life on the internet.
Missed the point?
The objective is not just to take bad guys offline, but to make the ISPs actually start taking this seriously and take action themselves. At which point it will be more targeted.
[need an arrow missing the target icon, perhaps]
reputation and externalities
In the financial world reputation (i.e. the ability to provide a credit control reference) is in the hands of a few specialist companies. In the bricks and mortar world, if you live or landlord in an area with many crooked neighbours, you either bear a share of the costs of the bad neighbourhood or you move somewhere else. We're likely to see similar economic and social pressures in the Internet world. Reputation providers such as Spamhaus or the DenyHosts data sharing server blacklist addresses responsible for bad traffic, and those running SMTP or SSH servers which don't use these blacklists are subject to higher-volume attacks than those which do. Eventually, if too high a proportion of an ISP's addresses emit bad traffic, then other ISPs won't peer, because for them the costs of keeping a peg on their noses can become greater than the benefits of the traffic sharing peering arrangement.
This isn't an issue of fair or not fair, it's to do with economic and social realities which occur in other contexts catching up with the Internet world.