Home / Blogs

Another One (Partially) Bites the Dust

Following in the footsteps of Lethic, Waledac and Mariposa, yet another botnet has been taken offline. Not completely, though, it was only a partial disconnect. The Zeus botnet, also known as Zbot, is a trojan password stealer that captures passwords and sends them to the attacker. From ITWorld:

March 10, 2010, 04:10 PM — IDG News Service —

Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines.

Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.

The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. “There’s lots of Zeus and Fragus exploit kit [sites],” he said. Whoever was behind the takedown “just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it.”

Troyak is based in Kostanay, Kazakhstan, according to whois records. The company could not be reached immediately for comment.

The Zeus Tracker administrator, who asked not to be named, said that at first he thought that there had been some type of technical error in the Zeus code. On further investigation, he discovered that Troyak had been taken offline, which in turn knocked the networks hosting the botnet servers off the Internet.

Unlike the Waledac takedown, which was removed with a court order, and Mariposa takedown which was done by police authorities, or even the Lethic takedown done by Neustar which operates the .us ccTLD, this time around it was done by eastern European network providers. Thus, this takedown more closely resembles the 2008 McColo takedown which resulted in spam levels plummeting by 40% (our figures) to 70% (others’ figures). According to The Register, the network providers Ukraine-based Ihome and Russia-based Oversun Mercury severed their ties to the ISPs in question (Troyak and Group 3). Unfortunately, it also meant that the legitimate customers on those ISPs also had their ties to the Internet disconnected. I bet their customer support desks had their phones ringing off the hooks. I can just imagine the conversation.

Customer: Why can’t I connect to the Internet? I’m paying for your service!
Response: Well, sir, no one can. We’ve been disconnected.
Customer: What? Why?
Response: For engaging in cybercrime.
Customer: Oh. Well, that explains it.

Cisco issued a statement that this takedown “depeered” the botnet. What this means is that the drones that perform the actual password stealing, fast-fluxing, etc, can no longer (temporarily) make contact with command center. The drones are aimless, kind of wandering around with no direction, no purpose and no motivation (a lot like the entire population of Canada would have been had we lost the gold medal game in hockey two weeks ago at the Olympics). It’s kind of like if a military unit were out in the jungle taking orders from central command, and central command is knocked out, the unit will stand around forever doing nothing. The unit is still there, but they are not going to do anything until they get their orders. Since their orders will never come, they will never do anything. It’s classic bureaucracy in action.

It’s important to note three points:

  1. The entire C&C center wasn’t taken down, only about a third of it
  2. It will be rebuilt eventually. The orphaned drones no doubt had some of their instruction locations hard coded, or maybe specified in a config. The botnet operators will send out new malware with new instruction set locations, and users will install the software. These systems will become re-infected and point to other locations upon which to download updates and the whole cycle will start all over again. It will take time, true, but Zeus will be back.
  3. Those who took down this botnet wish to remain anonymous. Whatever their reason is, they aren’t claiming responsibility.

It remains to be seen what the impact of this take down will be on the malware world.

By Terry Zink, Program Manager

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API