The sudden disappearance yesterday of a known command-and-control point for ZeuS botnets had security researchers appreciative — but wondering about the reason for the sudden takedown.
Registered in Kazakhstan but with a network topology that suggests it might actually have been co-located in a facility in Russia or the Ukraine, Troyak dropped from sight yesterday, according to researchers at Cisco. The researchers have been monitoring the Troyak.org command-and-control system, which they believe has been a conduit for about 25% of all ZeuS-related traffic spawned by criminal botnet operations.
The ZeuS software itself has several variants used to compromise computers in order to steal financially-valuable information from victims.
“We don't know exactly why this happened,” says Mary Landesman, senior security researcher at ScanSafe, which was recently acquired by Cisco. But she and colleague Henry Stein, Cisco senior security researcher, believe the Troyak shutdown occurred because the Russian ISPs iHome and Oversun-Mercury, as upstream providers, engaged in a “de-peering” action that effectively cut off Troyak's access to the Internet. That doesn't mean ZeuS-infected machines have been freed of the malware, only that Troyak, at least for the moment, isn't controlling actions on those infected machines.
It's not yet known why the Russian upstream ISPs decided to take the actions they did, but presumably it's because they responded to complaints from some source. Then again, the operators of Troyak may simply be on an evasive maneuver to stay ahead of the law.
The shutdown of Troyak, at least for the present, is extremely good news for those trying to keep dangerous botnets from plundering victims around the world, says Landesman. Other recent events, including Microsoft striking a blow at the Waledac botnet and the takedown of the so-called Mariposa botnet, are encouraging signs that cyber-crime activity can be challenged and fought.