March 10, 2010

NB: This story has been updated several times. Please read through to the end

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Image courtesy ZeusTracker

Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.

According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.

In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.

Hüssy said the individual machines are still infected with ZeuS, but he doubts the criminals who previously controlled them will be able to recapture those systems. Hüssy said given that the ISPs that were disconnected had a reputation as “bulletproof” — or immune to takedown by law enforcement — the criminals running their ZeuS controllers there probably did not think to place backup servers at other ISPs.

According to Hüssy’s data, the outage began after an Internet service provider called Troyak and apparently situated in Kazakhstan was disconnected from its upstream Internet providers. Troyak served at least six other smaller networks that Hussy said were also were home to a large number of ZeuS C&Cs, and those networks also were impacted by Troyak’s demise.

It’s not clear who or what is responsible for this episode. But one thing is clear: Someone or something is directly taking on the infrastructure used to distribute and control hundreds of ZeuS botnets around the globe.

The malicious software that installs ZeuS on victim PCs is most often distributed via spam, which frequently takes the lure of a spoofed e-mail from the Internal Revenue Service, Facebook, and other well-known organizations. The messages typically include a link to a site that attempts — by exploiting software vulnerabilities or by tricking the user — into installing a small program that lets the attackers seize control over the systems remotely.

Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, Va., has been tracking ZeuS related spam and ZeuS related domains for many months now. The ZeuS gangs he has been fighting have for more than a year now been blasting out ZeuS primarily using the Pushdo botnet, another massive grouping of hacked machines that experts have shown is available for rent on criminal forums to vetted spammers and other miscreants.

Fried said the ZeuS gangs he’s been tracking launch a new spam campaign every few days. But on Feb. 27th, the spam pushing ZeuS abruptly stopped, and hasn’t resumed since, Fried said.

“Nobody seems to understand why yet,” said Fried, a former cyber fraud investigator with the IRS. “All I know is since the 27th, we’ve seen none of our traditional ZeuS spam. I mean, we’ve seen them take breaks before, but nothing at all like this.”

More to come. Stay tuned.

Update, 12:10 p.m. ET: Paul Ferguson, a threat researcher from Trend Micro, pinged me to say that that the satellite hosting providers linked to Troyak were located in Russia and Ukraine, not Kazakhstan, as MaxMind’s IP address locator service suggests.

Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet.

Update, Mar. 11, 5:48 p.m. ET: Zeustracker recently posted this update to its site: Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increasted from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak will disappear from the internet again).

Hot Springs, AR 71909
(501) 620-4118

25 thoughts on “Dozens of ZeuS Botnets Knocked Offline

  1. wahnula

    Great news…whatever the cause.

    …”he doubts the criminals who previously controlled them will be able to recapture those systems”…that sounds like he knows more than he’s letting on. C&C servers for other botnets have been taken down before, and the owners have recovered them. Why not now?

    1. BrianKrebs Post author

      Wahnula — see the update for the answer to your question (I hope). I added a sentence that paraphrases something Hussey said to clarify what he meant.

      1. wahnula

        Thanks Brian. Yes, it does make more sense now. This is really excellent news and hopefully only the beginning of shutting down more of the world’s “bulletproof” hosts. I really hate that word!

  2. Henry S. Winokur

    Isn’t calling the infected computers “hosts” a misnomer? Shouldn’t they be called what they are: “slaves”?

  3. jbmoore61

    One could call them maliciously controlled distributed computing nodes or malicious supercomputers. These botnets are the cheap and malicious equivalent of a HPC supercomputer without the fast interconnects, They aren’t used for computations, but as remote email relays and wiretaps.

    You seem to think it might be law enforcement at work, but it could be crime gangs fighting over turf. It would be the equivalent of the Mafia taking out McColo because one family lost a lot of money in some deal. Criminals don’t like being victims themselves. If it were law enforcement, we should see something in the news, because they always like to trumpet their successes. Criminal turf wars are more low key and under the publicity radar.

    1. TheGeezer

      Agree. If it were law enforcement it would have been done much sooner than this. I know many volunteer organizations talk about working closely with law enforcement, however, most of the news of arrests involve US citizens who are victims themselves (mules for example) or are small time bot operators. The recent exception was the ‘butterfly’ net in Spain.

      Law enforcement does not have the jurisdiction to take down the big players and where it does have jurisdiction does not have the laws. Someone else most likely took it down or as you said we would definitely have heard about it in the news.

      I also noticed that since december of last year many of the registrars that traditionally have been favored by zeus have become much more responsible and tightened their controls.

    2. Rick

      ‘maliciously controlled distributed computing nodes’

      That’s great but it makes a terrible acronym.

  4. SpamIsLame

    Kudos to whoever coordinated this takedown.

    This seems to be a bad year for botnet operators. About bloody time.

    SiL / IKS / concerned citizen

    1. Rick

      Oh I think the botnets are doing fine, thank you. They’re still pulling hundreds of millions. You’ve been reading ‘voices’ and KoS presumably? If this is a bad year…

  5. Mike Larkin

    It is remotely possible that the criminal gangs have fallen victim to their own grandiose ideas and took on a bank controlled by the oligarchy that rules Russia. It would not surprise me if they play just as hard as the criminal gangs.

    1. KFritz

      Also possible they didn’t ‘kick up’ enough or some other infraction against ‘higher’ powers.

  6. anonymous

    Or we’re looking at a possible Zeus replacement that is about to be launched…

    Security can’t rest just because the “known” problems are going away…

  7. Jason

    The first thing I thought about this is that…good! Someone is taking them down!

    Then I thought to myself…let’s think about this from the botnet operations perspective…consider the facts:

    1) A major competing botnet has just been taken down
    2) There is a good deal of media attention being aimed at this botnet
    3) There are sites (like ZeusTracker) that are actively tracking command and control servers

    It would seem to me that if I was operating these systems and I knew I was being hunted…I would go to ground. I wonder if the botnets in question were simply upgraded (the detection vectors changed) or told to wait for further instructions and to go dormant for a while to avoid what can only be real hunting and eradication in the future.

    I’m not suggesting that this is the case…but when a statistically significant number of systems drop off all nearly at the same time…my Spidey sense (anti-coincidence alarm) goes off.

    My $0.02.

    1. Rick

      It’s a good theory. Only 23% of Zeus infections are detectable. Maybe they’re working on improving that. Bk certainly hasn’t been friendly to them. If they can come up with a new variant that stays under the radar as well as this one – with a 0% detection rate to start with… Sounds like a great idea. ‘I’m a botnet operator and Windows was my idea.’ 😉

  8. JackRussell

    Why can’t ISPs block access to *all* of the CNC servers? Or to put it more bluntly and simply, block all access to Troyak (and any other such registrars).

    They are all(?) in weird parts of the world where normal users would never have a need to open a connection.

  9. DaFyre

    ISPs are here to provide internet services, not necessarily police them (but we all know that they do anyway). If we as a group of people, say ‘Yes, police THIS kind of traffic’ — What is to stop them from just randomly booting off the people that are downloading large files (be it a legal Linux distro, or an illegal copy of the latest movie) without confirming what kind of traffic it is?

    Most ISPs will tell you, “No, we’re not messing with your bandwidth…” and have their had on the speed knobs for your connection. Do we *really* want to trust the ISPs to do this for us?

    A properly configured, automagically updating IPS (with the latest, bleeding edge rules) such as Snort (www.snort.org) or Suricata (www.openinfosecfoundation.org), or some commercial variant could *help* mitigate this for at least some networks.

    As a Network Administrator, I cannot rely on any outside party (my ISP, for instance) to secure the network behind my firewall. Once the packets are off of their wire and inside my network, the ownership of security becomes mine.

    In that same regard, I should make sure that the packets that are leaving my network aren’t attacking somebody else’s server, whether it is 5 blocks away, or 5,000 miles away.

    Didn’t mean to write a book… but that’s just my 2 cents worth… Ok… 4 cents since it was so long. 😉

    1. JackRussell

      For a large corporate customer who has a network administrator, that’s a reasonable position.

      For a home user connected to something like Comcast, Cox, Verizon, etc, there is no network administrator to manage these things.

      For a small business, like a dentist or a small construction company, there generally won’t be a network administrator. The business is too small to have a full-time person doing that job, so it falls to someone else who probably knows little about security. These businesses may just have a consumer-grade firewall and some flavor of AV, and that’s probably about it.

      And even if you work for a company that blocks access to the CNC servers, you still get bombarded with the spam that is generated from the infected machines, which in itself is still a nuisance.

      So for these two categories, either the ISP blocks access to the CNC servers, or nobody does. We have been trying the “nobody” option and that hasn’t been working.

      1. DaFyre

        @JackRussell: I agree with you. I prefer to take a proactive approach. When I am at a small business, I talk with the owners after I get to know them — especially if it’s a local Mom & Pop operation — and offer to help secure their business. If they have an older computer, they won’t need to actually buy anything… and seeing as I’m a broke college employee, I will work for food, lol.

        I get your point about the nobody approach and things falling to someone who knows little of security. If somebody gets dropped into that kind of role, the company should give (or the employe should request) some training on security or whatever their new job role is.

        To borrow your construction analogy — you wouldn’t send a guy who has swung a hammer and skill-saw all their life and sit them in front of a computer and tell them to “make it secure.” — You would have about as good luck as if I were to fix your car, lol.

        But if the company takes the time to give him a little training at “making it secure”, then he could give the computer (network) a small tune up to start, just to remember what he’s learned and then go from there.

  10. romans

    stupid info )
    info about TROYAK
    TROYAK works up and its very strong company)

    see y back

  11. AlphaCentauri

    If this was coordinated by law enforcement or a private security group, they might have chosen not to trumpet their success, knowing that Troyak could still find another upstream. They might want to hold off until there is more to celebrate. Or they might want to just have the private satisfaction of victory without giving the ZeuS operators anyone to target for the type of harassment they gave Roman Hüssy last year:
    http://voices.washingtonpost.com/securityfix/2009/05/zeustracker_and_the_nuclear_op.html

    But the fact that anyone cut off Troyak after allowing it to host criminals this long means that there has been a change in attitude affecting their upstream. There is one less bulletproof haven for companies like them. It means one less internet provider that doesn’t understand the difference between global free speech and operating a botnet that is used to commit crimes and trash people’s computers.

    As the legitimate companies become more knowledgeable and the criminals become sequestered to a few truly amoral hosts, it does become practical to talk about quarantining all traffic from those hosts.

  12. yep

    What it means, is that all the snake oil salesmen and rats you talk to still have jobs. Parasites of another culture.

  13. A

    Just picking nits…

    Brian, you have a global readership, so please don’t be lazy with locations! 😉

    “Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, ” *Virginia/Egypt/?/*.

Comments are closed.