Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

After weeklong fight, rogue ISP Troyak struggles for life

Security experts say Troyak provides back-end support for the notorious Zeus malware

After an international take-down effort, a rogue ISP responsible for controlling large numbers of computers infected with data-stealing code is down for the moment, but it may be reconnecting with the Internet, according to security researchers.

Troyak, which is believed to be based in eastern Europe, was knocked offline earlier this month after other networks supplying its connectivity to the Internet stopped carrying its traffic due to complaints it was complicit in cybercrime.

Since then the network has fought a cat-and-mouse game with network providers in 12 countries and international law enforcement, according to Jart Armin, the pseudonymous editor of the Hostexploit.com Web site, which has been involved in the action.

"Troyak is still fighting hard, as it is the only link to the outside Internet for a few [criminal groups]," he said in an e-mail interview.

Troyak and another ISP, Group 3, provided connectivity for 90 of 249 servers used to control Zeus, a sophisticated piece of malware that steals financial credentials and other data. Group 3 has also been disconnected.

At this point, Troyak's reputation is so sullied that it is becoming difficult for it to find other ISPs to carry its traffic on the Internet.

That's an important point, because for Troyak to resume operations, it must find another company or organization that it can peer with in order to be reconnected to the Internet. Currently, even with Troyak offline, there are still 180 Zeus command-and control servers online, Armin said. Most of these are located in Russia and the Ukraine, however, making it easier for security researchers and law enforcement to stay on top of the problem.

"They're being pushed back into their own territory," Armin said.

On Sunday night, Troyak operators apparently hacked into servers in Latvia to get connectivity via an academic network in the country. But that effort was shut down with the help of Latvian law enforcement, Armin said.

On Monday, it appeared Troyak had peered with two upstream providers, wrote Mary Landesman, senior security researcher at ScanSafe, which is owned by Cisco Systems.

But that action appeared to be temporary, and as of Wednesday, Troyak was dead.

"Troyak seems to be down," said an administrator for Zeus Tracker. "And I believe that it won't come up again. Every ISP knows that Troyak is bad and won't peer/route their badness."

But there are signs its operators are making efforts to be reconnected. Computer security experts such as Joze Nazario of Arbor Networks are watching real-time routing tables, which show how Internet traffic is exchanged between ISPs and networks.

An entity called SAINTVPN is now carrying some of the traffic that used to be on Troyak, Nazario said.

SAINTVPN, which lists its location as St. Petersburg, Russia, was set up after the take-down effort and immediately started serving Zeus command-and-control commands, Armin said.

Security experts suspect that Troyak's operators have set up shop under a new name in order to secure a peering agreement with another network that is unaware of the name change.

In theory, it is possible that Troyak's servers could be available through SAINTVPN, but "we don't know if they are shuttered. We don't know if they are trying to find new upstream," Nazario said.

When networks agree to carry each other's traffic, they typically create some business agreement. But it's unknown what sort of business arrangement Troyak may have with SAINTVPN, Nazario said.

"It's an incredibly fluid situation," he said.

According to Armin, the other networks that are still actively hosting core Zeus command-and-control servers are:

AS # Name

49093 BIGNESS-GROUP-AS

24826 KHARKOV-TERMINALS-AS PE

29106 VOLGAHOST-AS PE

50369 VISHCLUB-AS

44557 DRAGONARA

49314 NEVAL PE

13727 ND-CA-ASN

47781 ANSUA-AS PE

29371 GAZTRANZITSTROYINFO-AS

49365 GR-VERTICAL-AS

47434 FORTUNE-AS

47821 BOGONET-AS PE

34305 EUROACCESS

50678 SAINTVPN-AS

"If we get all these, then Zeus will be toothless," Armin said.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Arbor Networks, CA Technologies, Cisco, Cisco Systems
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: isp, malware, security, Zues
Latest Blog Posts
Whitepapers
  • Three simple steps to better patch security
    It’s estimated that 90% of successful attacks against software vulnerabilities could be prevented with an existing patch or configuration setting. Yet patching is a persistent challenge for IT managers. With the glut of patches released each year, how do you know which ones are truly critical security patches and which ones aren’t? And how can you identify which computers are actually missing the patches they need? This paper details a simple approach to patching that gives you better visibility into and control over patch assessment and compliance.
    Learn more »
  • Case Study: Danske Bank Group improves efficiency and reduces time to market
    Danske Bank Group wanted to deliver new services faster. It sought to reduce time to market from approximately 14 months to nine months and increase IT development efficiency by 10 percent. Find out more.
    Learn more »
  • Oracle Database 11g Product Family
    Oracle Database 11g is available in a variety of editions tailored to meet the business and IT needs of all organisations. This paper outlines the features and options available with each edition of Oracle Database 11g. Read on for more details.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments