
Massive Drop in Number of Active Zeus C&C Servers

I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&Control servers. This morning I was really surprised by what I saw on the ZeuS Tracker statistics page:


Massive drop of active ZeuS C&C servers on 2010-03-09

As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: there has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C servers is a fact. I noticed that six of the worst ZeuS hosting ISPs suddenly disappeared from the ZeuS Tracker.

I verified the subnets of the affected ISPs and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. As a result, the following ISPs lost their internet connectivity, which finally resulted in a massive drop in the number of active ZeuS C&C servers:

AS number: AS50390
AS name: SMILA-AS Pavlenko Tetyana Oleksandrivna
Subnet: 193.105.0.0/24
Status: Withdrawn
# of ZeuS C&Cs: 17
Spamhaus SBL: Not listed

AS number: AS42229
AS name: MARIAM-AS PP Mariam
Subnet: 91.201.196.0/22
Status: Withdrawn
# of ZeuS C&Cs: 18
Spamhaus SBL: #SBL86729

AS number: AS49934
AS name: VVPN-AS PE Voronov Evgen Sergiyovich
Subnet: 193.104.41.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL82374

AS number: AS44107
AS name: PROMBUDDETAL-AS Prombuddetal LLCst
Subnet: 91.201.28.0/22
Status: Withdrawn
# of ZeuS C&Cs: 5
Spamhaus SBL: #SBL82408

AS number: AS50033
AS name: GROUP3-AS GROUP 3 LLC.
Subnet: 193.104.94.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL85667

AS number: AS12604
AS name: CITYGAME-AS Kamushnoy Vladimir Vasulyovich
Subnet: 193.104.27.0/24
Status: Withdrawn
# of ZeuS C&Cs: 12
Spamhaus SBL: #SBL81900

In total, 68 ZeuS C&C servers went down – it was the biggest drop in the number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job :D
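The check described above (verifying the affected subnets and attributing the drop to the withdrawn prefixes) can be reproduced against a tracker's C&C list. This is an added example, not abuse.ch's own code; the withdrawn prefixes are the six listed in the post, while the C&C IPs and the 20% drop threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Prefixes withdrawn from the global routing table on 2010-03-09, as listed
# in the post, keyed by the originating AS.
WITHDRAWN_PREFIXES = {
    "AS50390": "193.105.0.0/24",
    "AS42229": "91.201.196.0/22",
    "AS49934": "193.104.41.0/24",
    "AS44107": "91.201.28.0/22",
    "AS50033": "193.104.94.0/24",
    "AS12604": "193.104.27.0/24",
}

# Constructed sample of tracked C&C IPs (not real ZeuS Tracker data): some fall
# inside the withdrawn prefixes, two are TEST-NET addresses that stay routed.
SAMPLE_CNC_IPS = [
    "193.105.0.17", "193.105.0.200",   # inside AS50390's /24
    "91.201.197.5",                    # inside AS42229's /22
    "193.104.41.9",                    # inside AS49934's /24
    "91.201.30.44",                    # inside AS44107's /22
    "193.104.94.1", "193.104.94.250",  # inside AS50033's /24
    "193.104.27.77",                   # inside AS12604's /24
    "192.0.2.10", "198.51.100.23",     # TEST-NET, unaffected
]

def withdrawn_as_for(ip, prefixes=WITHDRAWN_PREFIXES):
    """Return the AS whose withdrawn prefix covers ip, or None if it is still routed."""
    addr = ipaddress.ip_address(ip)
    for asn, prefix in prefixes.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def attribute_drop(cnc_ips, prefixes=WITHDRAWN_PREFIXES):
    """Split C&Cs into offline (covered by a withdrawn prefix) and still online,
    and count how many C&Cs each withdrawn AS took down with it."""
    per_as = Counter()
    online = []
    for ip in cnc_ips:
        asn = withdrawn_as_for(ip, prefixes)
        if asn is None:
            online.append(ip)
        else:
            per_as[asn] += 1
    return {"online": online, "offline": sum(per_as.values()), "per_as": dict(per_as)}

def is_suspicious_drop(before, after, threshold=0.2):
    """Sanity check before trusting the graph: flag a one-day drop larger than
    `threshold` (assumed 20%) so the collection script gets checked first."""
    return before > 0 and (before - after) / before > threshold
```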

*** UPDATE 21:03 (UTC) ***
Bad news – it seems that TROYAK-AS has found a new upstream provider to serve their malware to the world:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS44051 YA-AS Professional Communication Systems

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut their peering with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look at the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!


ZeuS Tracker statistics as of 2010-03-11

As mentioned in the last update from 21:03 UTC, Troyak just found a new upstream provider. This means Troyak-AS has been reconnected to the internet since yesterday. Anyway, I just checked those ZeuS C&C servers which were routed by Troyak – all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day – Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System

*** UPDATE 2010-03-11 21:30 (UTC) ***
Bad news: Since Troyak started their peering with RTCOMM-AS, the number of active ZeuS C&C servers has increased from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update the config files served to the infected clients to set up a fallback server (in case Troyak disappears from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS25189 NLINE-AS JSC Nline

Further links

  • ZeuS Tracker
  • Robtex: Troyak-as Starchenko Roman Fedorovich
  • Krebs on Security: Dozens of ZeuS Botnets Knocked Offline
  • The Register: One-third of orphaned Zeus botnets find way home


10 Responses to “Massive Drop in Number of Active Zeus C&C Servers”

  1. AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181 « Random Chaos says:

    [...] AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&Cs, according to this graph courtesy of the ZeusTracker. [...]

  2. Giant network of zombie PCs deactivated, but reconnected | Shadow Security says:

    [...] Systems reported that up to 25% of the computers infected by ZeuS worldwide were disconnected overnight from the colossal network [...]

  3. » The Zeus botnet loses a good number of servers NoticiasTech says:

    [...] [via abuse.ch] [...]

  4. After Takedown, Botnet-linked ISP Troyak Resurfaces (PC World) | Techn0logy says:

    [...] is a botnet kit used by a large number of cybercriminals. Researchers have counted 249 Zeus command-and-control servers to date. Another Internet service provider named Group 3 was also knocked offline Wednesday. It has not [...]

  5. Open Systems Journal » Blog Archive » etc: Another botnet takes a beating as Kazakh ISP Troyak is taken offline, temporarily disabling most of the command-and-control servers for the Zeus network. says:

    [...] Read More: Computerworld, abuse.ch [...]

  6. Another botnet takes a beating as Kazakh ISP Troyak is taken offline, temporarily disabling most of the command-and-control servers for the Zeus network. says:

    [...] disabling most of the command-and-control servers for the Zeus network. Read more: Computerworld , abuse.ch about March 10, 2010 9:05 PM – by Peter [...]

  7. Semi Truck Accessories says:

    [...] Massive Drop in Number of Active Zeus C&C Servers | abuse.ch [...]

  8. You Should Talk » How To Find People For Free Using An SSN says:

    [...] Massive Drop in Number of Active Zeus C&C Servers | abuse.ch [...]

  9. Dozens of ZeuS Botnets Knocked Offline — Krebs on Security says:

    [...] activity — on the eve of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to [...]

  10. McAfeeAvertLabs at 03/10/10 03:42:12 | Exectweets says:

    abuse.ch[...] Pro Tweets o/ “Zeus quake” http://www.abuse.ch/?p=2417 A massive drop in C&C’s as AS50215 goes dark o/ McAfeeAvertLabs – Wed 10 Mar 15:42 [...]
