Security researchers thought they had an opportunity to take down the ZeuS botnet, one of the largest on the planet, by cutting off connectivity to the Kazakhstan Internet service provider AS Troyak, which provided network services to six ISPs hosting ZeuS command-and-control servers. And when researchers pulled the plug, the initial reaction looked promising: up to 25 percent of the ZeuS botnet’s systems appeared to go offline overnight. But 24 hours later, it looks like the botnet operators are largely back in control, and ZeuS is continuing to operate.
No one knows how large the ZeuS botnet is, but estimates place it in the millions of machines. ZeuS’s primary purpose is usually to steal passwords and bank login credentials. Cisco researchers indicated that as many as 68 command-and-control servers for the ZeuS botnet were taken down; however, within 24 hours it appeared most of ZeuS’s command infrastructure was back online via new network providers. Cisco noted that there was a spike in traffic to the targeted servers the weekend before the takedown, which might indicate the botnet operators had advance warning that they were going to lose connectivity.
Botnets consist of machines infected by malware that can be controlled from a remote source via the Internet. Botnets typically spread via malware on Web sites, social networking services, and email; once a machine is infected, the botnet controllers can use it to send spam and additional malware. They can also scan the data on the infected machines and log users’ activity, looking for passwords, account numbers, and other sensitive information. For Windows users, the best defense against botnets and other malware is a reliable, up-to-date antivirus and security software package.
The AS Troyak takedown was intended to sever the connection between infected computers and the Internet-based machines that controlled them.
The takedown and recovery of the ZeuS botnet highlights the cat-and-mouse nature of security researchers’ and law enforcement’s battle with cybercriminals and botnet operators. Even when command-and-control systems can be isolated from the botnets they control, online criminals are often able to shift their operations and resume control of infected machines in a short period of time.
[Chart from ZeuSTracker at www.abuse.ch.]