Zeus-related Botnet Servers Taken Offline

Outsmart Malicious Hackers


We wrote about Zeus a while back, a nasty trojan which can evade detection by Anti-virus software and is ranked as the number 1 trojan infector by numbers.

About a week ok a massive sting operation took down large parts of the Mariposa botnet in Spain and the USA and the latest news is large parts of Zeus-related botnets have been taken offline.

Most of the action in this case happened in Eastern Europe where once again network peers have pulled the plug on downstream ISPs serving dodgy customers.

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world’s most nefarious cyber operations.

The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known a Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus.

Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses.

The most interesting part for me is that a few days prior to the take-down Zeus-related activity went up in intensity 10-fold (from 1% to 10% on the ScanSafe network). This to the paranoid would indicate forewarning and the bot herders pushing out more malware to make sure they still have a good infection base even after the ISP plug gets pulled.

Either way it’ll be interesting to see if these actions will have any lasting effect. Either way I’m pleased something is being done and all this network bandwidth wasting crapware is being taken offline.

The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP’s customers, law-abiding or otherwise, were immediately unable to connect to the outside world.

“That’s a pretty interesting development and I think a very positive one, because they’re now putting the shared costs on the network service provider,” Landesman told The Register. “There’s not always a lot of impetus for these network service providers to take action, but as soon as you have such a severe repercussion where they’re actually not able to serve any of their customers, legitimate or otherwise, they’re now sharing in that cost.”

The takedown comes a week after authorities in Spain and the United States clipped the wings of the Mariposa botnet. One of the world’s biggest botnets, it controlled almost 13 million infected computers and infiltrated more than half of the Fortune 1000 companies. Late last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace.

Back in November 2008 we covered the McColo case quite extensively when the ‘spam-friendly’ ISP was taken offline by it’s upstream peer. By April 2009 however, spam had reached back to 91% of its original mass..showing that you can’t stop them for long.

Honestly I’d imagine this is the case here too, there’s plenty more places they can peddle their malware and host their control servers. Plus the level of general awareness on infection vectors by the general public is extremely low.

People are still going to get infected and we are still going to have to put up with degraded networks.

Source: The Register

Posted in: Malware, Privacy

, , , , , , ,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


Comments are closed.