Feeds

Zeus botnets suffer mighty blow after ISP taken offline

One quarter of C&C channels vanish

Internet Security Threat Report 2014

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations.

The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known a Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus.

Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses.

The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world.

"That's a pretty interesting development and I think a very positive one, because they're now putting the shared costs on the network service provider," Landesman told The Register. "There's not always a lot of impetus for these network service providers to take action, but as soon as you have such a severe repercussion where they're actually not able to serve any of their customers, legitimate or otherwise, they're now sharing in that cost."

The takedown comes a week after authorities in Spain and the United States clipped the wings of the Mariposa botnet. One of the world's biggest botnets, it controlled almost 13 million infected computers and infiltrated more than half of the Fortune 1000 companies. Late last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace.

In November 2008, upstream providers terminated service to McColo, a San Jose, California-based ISP accused of providing service to a large percentage of the world's spammers, malware purveyors and child pornographers.

It still remains to be seen how significant a victory the latest takedown will be. In the two days leading up to it, Zeus-related malware attacks spiked to unprecedented levels, Landesman said, going from a little less than one per cent of the blocks ScanSafe performs on behalf of its customers to more than 10 per cent.

That has touched off speculation that the people running the botnets had advance notice that allowed them to build new botnets that would be unaffected by the action.

"It's certainly an odd coincidence," Landesman said. "I think it's an indication of possible forewarning and an attempt to get new bots out there." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.