Many experts in the security industry are speculating why Kazakhstan-based Troyak.org, the ISP serving a large chunk of the Zeus botnet, suddenly went dark March 9, severing the ties between thousands of zombie machines and the command-and-control servers they use to receive their marching orders.
Whether the shutdown is a mixture of efforts by law enforcement and anonymous security researchers or the action of the ISPs that service Troyak is anyone's guess. But experts say the activity appears to be throwing a wrench in spam and phishing campaigns and slowing the spread of different malware variants of the nasty Zeus crimeware toolkit, which has been a serious problem for the banking industry.
"There appears to be an ongoing effort to keep Troyak shut down, which is encouraging and definitely the right approach," says Sean Brady, a global expert on issues and mitigation strategies related to online fraud at RSA, the security division of EMC. "Right now the fraudsters are spending time, money and resources to get online, and that is time, money and resources not being spent on fraud activities."
In studying the demise of Troyak, Brady found the ISP to be connected to a spider web of malware networks that work to ensure that the connections to their malware servers remain active. RSA's FraudAction Research Labs uncovered eight malware hosting networks and five upstream providers that use legitimate ISPs to connect to the Internet. In addition to Zeus Trojans, the servers host the RockPhish phishing toolkit, JabberZeus instant messaging drop servers and the Gozi SSL data-stealing Trojan. He says cybercriminals, tied to crime gangs in various eastern European countries, may have taken years to build out their networks.
"What has happened is that the fraudsters are using their networks and rerouting their traffic in an ongoing, unstable effort to remain connected," Brady says. "Whoever is behind taking Troyak down is also cutting more threads to the spider web they've created. There is an ongoing effort to keep addressing the other connections."
Other experts are not so convinced that the cybercriminals are on the run. They point out that historically, once a botnet is crippled, the bot herders have been able to find new servers to rebuild their networks and reconnect to create a new armada of infected machines. In 2008, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for maintaining the Internet's domain name system, de-accredited EstDomains, an Estonia-based ISP known for harboring malware and spam. The lesson learned for cybercriminals at that time was to not host malicious domains with a single service provider. In the same year, another rogue ISP, McColo, had its connections severed by its upstream providers. McColo hosted command and control servers running the Srizbi spam botnet. Spam volume temporarily declined, but has since rebounded, exceeding the levels prior to McColo's demise.
The action against Troyak may be a step in the right direction, but cybercriminals have demonstrated that they can quickly turn to other illegal activities, putting security teams in a constant game of whack-a-mole, says Gunter Ollmann, vice president of research for Damballa, a security vendor that sells botnet detection and prevention services.
"It's ineffective in the long run unless you remove and shut down all the command-and-control servers simultaneously," Ollmann says. "There are thousands of botnet operators and each of those operators runs multiple botnet campaigns, so it's very difficult to gain complete control of a botnet."
But it's not necessarily about gaining complete control, says Adam Rice, chief security officer of Mumbai-based Tata Communications Ltd., India's largest tier-1 ISP. It's about disrupting the cybercriminal community, making it more costly for them to route their malicious traffic, he says. Microsoft's legal action in February to shut down the command-and-control network of the Waledac botnet, a notorious spambot that produces an estimated 1.5 billion spam messages daily, is an example of the kind of disruption that puts cybercriminals on the run, he says.
"The ability to do that kind of disruption exists right now," Rice says. "I think that right now, it's not a real big secret to anybody where a lot of this bad traffic originates, where it's going and who does what to whom."
Robert Westervelt is the news editor of SearchSecurity.com.