Sentor

Shutdown offers short-lived win over Zeus botnet

2010-03-12

The shutdown of an internet service provider with strong links to one of the most prolific botnets in the world has proved to be a short-lived victory, it has been confirmed.

Earlier this week, 'Troyak' was cut off by security researchers, who were concerned that it was hosting command-and-control servers for 'Zeus', a type of malware which steals online banking user names and passwords.

According to Cisco Systems, about 25 per cent of the world's computers infected by Zeus lost contact with their controllers on Tuesday (March 9th), raising hopes of a massive drop in fraud as hundreds of criminal organisations were affected.

"Definitely, it was a victory," Sean Brady, product manager in the identity protection and verification group at RSA - the security division of EMC Corporation - told SCMagazineUS.com.

"It was a nice taste of what it could look like when a large scale win is achieved."

However, reports emerging on Wednesday morning suggested that the operators of Troyak had managed to secure new upstream service providers and had regained connectivity to the computers they control.

According to Cisco researchers, the cybercriminals may have been aware of the impending action, as traffic to the relevant servers surged over the weekend, possibly suggesting they were instructing the infected machines to connect to servers at new providers.

The news highlighted the cat-and-mouse nature of attempting to shut down malware such as Zeus, which saw 69 of its estimated 249 command-and-control servers temporarily cut off.

"These kinds of drastic changes are usually short-lived, as in the long run, criminals tend to restructure their criminal activity and relaunch their online attacks," RSA researchers told the Associated Press.

Security experts will now attempt to prevent further data breaches from occurring by 'de-peering' Troyak from its new provider, which is either Nassist or the upstream group Hurricane Electric, PC World reports.

However, Troyak, which is believed to be based in eastern Europe, issued an ominous warning in the wake of the incident.

"Don't worry, it is up and running again," said spokesman Roman Starchenko in an e-mail to IDG News Service.

"We fixed our weakness and now it will become concrete stable."

The battle has many similarities to the November 2008 takedown of hosting provider McColo Corporation, which was disconnected by its upstream providers after researchers uncovered evidence of the company's illegal activities.

Although worldwide spam volumes dropped by almost half almost immediately, the levels gradually picked up again over the following days, underlining the ongoing challenges facing security researchers.


© Sentor 2011