Feeds

Zeus botnets suffer mighty blow after ISP taken offline

One quarter of C&C channels vanish

Providing a secure and efficient Helpdesk

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations.

The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known a Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus.

Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses.

The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world.

"That's a pretty interesting development and I think a very positive one, because they're now putting the shared costs on the network service provider," Landesman told The Register. "There's not always a lot of impetus for these network service providers to take action, but as soon as you have such a severe repercussion where they're actually not able to serve any of their customers, legitimate or otherwise, they're now sharing in that cost."

The takedown comes a week after authorities in Spain and the United States clipped the wings of the Mariposa botnet. One of the world's biggest botnets, it controlled almost 13 million infected computers and infiltrated more than half of the Fortune 1000 companies. Late last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace.

In November 2008, upstream providers terminated service to McColo, a San Jose, California-based ISP accused of providing service to a large percentage of the world's spammers, malware purveyors and child pornographers.

It still remains to be seen how significant a victory the latest takedown will be. In the two days leading up to it, Zeus-related malware attacks spiked to unprecedented levels, Landesman said, going from a little less than one per cent of the blocks ScanSafe performs on behalf of its customers to more than 10 per cent.

That has touched off speculation that the people running the botnets had advance notice that allowed them to build new botnets that would be unaffected by the action.

"It's certainly an odd coincidence," Landesman said. "I think it's an indication of possible forewarning and an attempt to get new bots out there." ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.