The research community celebrated briefly when more than 25 percent of the command-and-control servers tied to the Zeus Trojan went dark March 9. But will this takedown have a lasting effect?
The Zeus Trojan was knocked off of malware's Mount Olympus this week when the upstream provider for six of the most notorious Zeus-hosting ISPs was taken down.
The shutdown of Kazakhstani provider Troyak-AS March 9 is credited with cutting the number of active Zeus command-and-control servers from 249 to 181, a number that has fallen and risen again in the past few days and now stands at 191, according to the most recent figures from Zeus Tracker.
How long the drop-off will last remains to be seen. In fact, Troyak-AS has repeatedly obtained new upstream providers of its own every time it has
"After successful disconnection by Oversun Mercury and iHome, Troyak-AS obtained a new upstream provider through NAssist/YA," Mary Landesman, senior security researcher at Cisco's ScanSafe, told eWEEK. "That provider also disconnected their service, after which Troyak-AS moved to RTComm. Once again, they were disconnected by that provider. Currently, Troyak-AS has switched to NLine, but we anticipate they too will soon disconnect them."
The situation highlights a troubling pattern of security cat-and-mouse. When a particular rogue ISP is taken down, others step into its shoes, while the botnets improve the code for finding new hosts if the main command-and-control server is taken down.
The problem is exacerbated in the case of Zeus, which is not a single botnet but a collection of thousands of variants of a Trojan that can be customized by attackers. Just recently, for example, NetWitness researchers uncovered a 75,000-strong botnet built with Zeus.
But that was just one of many, Landesman noted. Older versions of the Trojan can typically be found in the cyber-underground for free, with newer editions selling for between a few hundred and a few thousand dollars, according to research from F-Secure.
"In short, Zeus is a vast in-the-cloud distributed network supported by multiple bot herders and millions of infected PCs," she said. "The wide availability and ease of configuration supports multiple botnets, with space on individual segments of these botnets leased to various bidders. The success lies in this diversity and the autonomy
Arguably the most effective ISP takedown yet was the shutdown of McColo in 2008, which effectively killed the Srizbi botnet. Spam levels, however, did not stay down for long, and some suspect the owners of Srizbi may be operating other botnets, such as Rustock.
"Since the de-peering of McColo at the end of 2008, the malware technology behind botnets has improved significantly and as a result subsequent takedowns during 2009 were less effective," said Paul Wood, MessageLabs intelligence senior analyst for Symantec Hosted Services. "Botnets have become much harder to disrupt, often favoring HTTP as a C&C protocol with instructions in some cases now disguised as postings on social networking sites, blogs and microblogging sites."
There is good news, however. According to Sean Brady, product manager in the Identity Protection and Verification Group inside EMC's RSA security division, the transition of Zeus-infected PCs to alternate services has not been particularly smooth.
"It was observed by the evening [ET] of the 10th that systems leveraging [Troyak-AS], including the considerable volume of Zeus traffic, were beginning to route through alternate service providers [that] the fraudsters leverage as part of their efforts to keep their systems redundant," Brady told eWEEK. "Since the 10th, these efforts have been inconsistent and somewhat unstable, and by all appearances levels have not yet bounced back to levels witnessed prior to [Troyak-AS] going dark."
From a long-term perspective, taking on service providers should act as a deterrent, Landesman said.

"The continued takedowns not only disrupt the malicious hosts serviced by Troyak, it also disrupts their legitimate customers ... [and] the Zeus bot controllers on this segment are also facing financial losses and perhaps additional expenses as well," she said. "As costs of doing criminal business increase, the criminal business model becomes less profitable and hopefully less attractive."