Troyak Takedown Stings Zeus
Late Tuesday night, more than 90 servers controlling Zeus botnets suddenly disappeared from the Internet.
The outage came after a group of security professionals worked to de-peer Troyak, a known rogue network hub that provides connectivity to at least six Internet service providers hosting botnet controllers. De-peering means persuading the network's upstream providers to stop carrying its traffic, so that the hosts behind it simply drop off the routing table. The disappearance of the Zeus command-and-control servers was discovered by the ZeusTracker service, a site that records changes to known Zeus botnets. The servers accounted for more than a third of the active servers currently tracked by the service.

The number of Zeus command-and-control servers monitored by ZeusTracker fell more than a third on Tuesday. (Source: ZeusTracker)
Kevin Stevens, a researcher with network-security firm SecureWorks, confirmed that the outage was caused by a group that was working to take down Troyak, but would not identify any of the participants. The action targeted the network not only for its connections to Zeus, but for many other botnets and criminal schemes.
“They were also hosting exploit packs and some Rock Phish gangs as well,” Stevens said. “Overall, it’s a bunch of bad stuff going on.”
The takedown disconnected 68 Zeus command-and-control servers hosted on networks that were connected to the Internet through Troyak, according to ZeusTracker. Another 22 servers also disappeared but did not route traffic through Troyak.
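ZeusTracker's split between servers that routed through Troyak and servers that did not is the kind of check an analyst reproduces from a BGP routing-table snapshot: find the best route for each C&C address and ask whether the observed AS path transits the upstream being de-peered. The following is an added example, not code from the article or from ZeusTracker. The C&C addresses and routes are constructed from the RFC 5737 and RFC 5398 documentation ranges, and AS 64500 is an assumed stand-in for the de-peered network; Troyak's actual ASN is not given on the page.

```python
import ipaddress

# Constructed sample in the style of a ZeusTracker export
# (RFC 5737 documentation addresses, not real hosts).
CNC_HOSTS = [
    "192.0.2.10",
    "192.0.2.77",
    "198.51.100.5",
    "203.0.113.200",
    "203.0.113.9",
]

# Constructed routing-table excerpt as seen from a route collector:
# (prefix, AS path), origin AS on the right. AS 64500 is an assumed
# placeholder for the de-peered upstream; all ASNs are documentation-range.
ROUTES = [
    ("192.0.2.0/24",     [64496, 64500, 64501]),
    ("192.0.2.64/26",    [64496, 64500, 64502]),
    ("198.51.100.0/24",  [64496, 64503]),
    ("203.0.113.0/24",   [64496, 64500, 64504]),
    ("203.0.113.128/25", [64496, 64505]),
]


def longest_match(ip, routes):
    """Return (network, as_path) for the most specific prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best


def classify_by_transit(hosts, routes, transit_asn):
    """Split hosts into (through transit_asn, routed elsewhere, unrouted).

    A host counts as 'through' when transit_asn appears anywhere in the AS
    path of its best route, i.e. the upstream carries traffic to that prefix.
    """
    through, other, unrouted = [], [], []
    for ip in hosts:
        match = longest_match(ip, routes)
        if match is None:
            unrouted.append(ip)
        elif transit_asn in match[1]:
            through.append(ip)
        else:
            other.append(ip)
    return through, other, unrouted


def simulate_depeer(routes, asn):
    """Drop every route whose AS path includes asn, as a de-peering would."""
    return [(prefix, path) for prefix, path in routes if asn not in path]


if __name__ == "__main__":
    before = classify_by_transit(CNC_HOSTS, ROUTES, 64500)
    after = classify_by_transit(CNC_HOSTS, simulate_depeer(ROUTES, 64500), 64500)
    print("before de-peering:", before)
    print("after de-peering: ", after)
```

Two caveats a practitioner would apply to real data: a prefix is usually visible over several paths from different collectors, so a host should be counted as transiting an upstream only if every observed path includes it; and a more specific prefix announced through a different provider (as with 203.0.113.128/25 above) keeps part of a /24 reachable even when the covering route is withdrawn, which is exactly how a hosting customer can stay up while its main upstream is cut.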
Late Wednesday, Troyak already showed signs of reconnecting to the Internet, according to the administrator of ZeusTracker. A person claiming to be a spokesman for Troyak told IDG News that the outage was due to an administrative error.
“Don’t worry, it is up and running again,” Troyak spokesman Roman Starchenko said in an e-mail to the news service. “We fixed our weakness and now it will become concrete stable.”
ZeusTracker’s administrator said the limited success was frustrating. “They just disappeared yesterday and went back (on) today, so they managed to get connected to the Internet again within 24 hours,” the administrator, who asked not to be named, told UnsafeBits.
SecureWorks’ Stevens added that a lack of coordination gave the owners of Troyak an opportunity to reconnect to the Internet. “The takedowns are not being done gracefully,” he said.

The ISP Troyak serves Mariam and at least five other networks that host Zeus command-and-control servers. (Source: Robtex.com)
It’s unlikely that Troyak will stay connected, Stevens argued. As in the case of the rogue service provider McColo, Troyak will likely remain connected only long enough for its customers to retrieve any data from the command-and-control servers and redirect compromised PCs to a different server.
“They will basically back up their C&C servers, host them somewhere else, and be back up in 24 hours,” Stevens said. The Troyak spokesman’s statement to IDG News, however, suggested that the ISP would weather the takedown attempt.