ISPs takedown Zeus botnet, but hackers reconnect
ISP Troyak has returned connectivity to Zeus servers
By Robert McMillan | Published: 09:55, 11 March 2010
Last week FBI Director Robert Mueller called the fight against hackers "the cyber equivalent of cat-and-mouse." On Wednesday security experts trying to take down the Zeus botnet got a taste of what he meant.
Just hours after Internet service providers severed network connectivity to Troyak, an ISP associated with the Zeus botnet, the ISP has regained connectivity after peering with a new upstream Internet service provider.
"Don't worry, it is up and running again," Troyak spokesman Roman Starchenko said in an email to IDG News Service. "We fixed our weakness and now it will become concrete stable."
Related Articles on Techworld
He blamed the outage on an administrative error.
Security researchers confirmed that Troyak was back online, after peering with an Internet service provider named Ya.
That means the 68 Zeus botnet command-and-control servers associated with Troyak can reconnect to hacked systems and issue new instructions. Disputing Starchenko's explanation, security experts say they had stopped that from happening by getting Troyak's upstream providers to stop peering with it, essentially isolating it from the rest of the Internet.
The person or group who knocked Troyak offline has asked to remain anonymous, according to several researchers familiar with the situation.
Zeus is a botnet kit used by a large number of cybercriminals. Researchers have counted 249 Zeus command-and-control servers to date. Another Internet service provider named Group 3 was also knocked offline Wednesday. It has not been reconnected, however.
The next step will be to "de-peer" Troyak from its new service provider, either an ISP named Nassist or its upstream provider, Hurricane Electric, said a researcher familiar with the matter who spoke via instant message on condition of anonymity.
The back and forth is reminiscent of the November 2008 takedown of San Jose, California, ISP McColo. When McColo went offline, a large percentage of the world's spam disappeared with it, but criminals were able to slowly regain control of their botnet networks, and spam levels returned.
That may well be what happens with Troyak, although some hope that won't be the case.
"We have taken some of their territory, they are trying to out flank us," the researcher said via IM. "We are going to win this one - we have 'em boxed in."
