NB: This story has been updated several times. Please read through to the end.
Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.
Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.
According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.
In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.
Hüssy said the individual machines are still infected with ZeuS, but he doubts the criminals who previously controlled them will be able to recapture those systems. Hüssy said given that the ISPs that were disconnected had a reputation as “bulletproof” — or immune to takedown by law enforcement — the criminals running their ZeuS controllers there probably did not think to place backup servers at other ISPs.
According to Hüssy’s data, the outage began after an Internet service provider called Troyak, apparently situated in Kazakhstan, was disconnected from its upstream Internet providers. Troyak served at least six other smaller networks that Hüssy said were also home to a large number of ZeuS C&Cs, and those networks were also impacted by Troyak’s demise.
It’s not clear who or what is responsible for this episode. But one thing is clear: Someone or something is directly taking on the infrastructure used to distribute and control hundreds of ZeuS botnets around the globe.
The malicious software that installs ZeuS on victim PCs is most often distributed via spam, which frequently takes the form of a spoofed e-mail from the Internal Revenue Service, Facebook, and other well-known organizations. The messages typically include a link to a site that attempts — by exploiting software vulnerabilities or by tricking the user — to install a small program that lets the attackers seize control over the systems remotely.
Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, Va., has been tracking ZeuS-related spam and ZeuS-related domains for many months now. The ZeuS gangs he has been fighting have for more than a year now been blasting out ZeuS primarily using the Pushdo botnet, another massive grouping of hacked machines that experts have shown is available for rent on criminal forums to vetted spammers and other miscreants.
Fried said the ZeuS gangs he’s been tracking launch a new spam campaign every few days. But on Feb. 27th, the spam pushing ZeuS abruptly stopped, and hasn’t resumed since, Fried said.
“Nobody seems to understand why yet,” said Fried, a former cyber fraud investigator with the IRS. “All I know is since the 27th, we’ve seen none of our traditional ZeuS spam. I mean, we’ve seen them take breaks before, but nothing at all like this.”
More to come. Stay tuned.
Update, 12:10 p.m. ET: Paul Ferguson, a threat researcher from Trend Micro, pinged me to say that the satellite hosting providers linked to Troyak were located in Russia and Ukraine, not Kazakhstan, as MaxMind’s IP address locator service suggests.
Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet.
Update, Mar. 11, 5:48 p.m. ET: Zeustracker recently posted this update to its site: Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increased from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak disappears from the internet again).
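The Troyak disconnect and the later re-peering described above both come down to transit reachability: the tracker's "active C&C" count measures which controllers can still be routed to, not how many PCs are infected. The following is an added illustration, not code from the article or from ZeusTracker; the topology and the per-network C&C counts are constructed (chosen so the totals match the article's 249 -> 181 figures and its conservative 25,000-bots-per-C&C estimate), and the network names are placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Network:
    """A hosting network, the networks it buys transit from, and the tracked C&Cs it hosts."""
    name: str
    upstreams: set = field(default_factory=set)
    ccs: int = 0


def reachable(networks, root="INTERNET"):
    """Names of networks that have an upstream path to the global routing table (root)."""
    reach = {root}
    changed = True
    while changed:  # propagate reachability downstream until nothing new is added
        changed = False
        for net in networks.values():
            if net.name not in reach and net.upstreams & reach:
                reach.add(net.name)
                changed = True
    return reach


def active_ccs(networks):
    """C&Cs a tracker would see as online: only those hosted in reachable networks."""
    return sum(n.ccs for n in networks.values() if n.name in reachable(networks))


def released_estimate(offline_ccs, per_cc=25_000):
    """Bots cut off from their controller, using the article's conservative per-C&C figure."""
    return offline_ccs * per_cc


def build_topology():
    """Constructed topology (placeholder names, not real data): six nets downstream of Troyak."""
    nets = {"INTERNET": Network("INTERNET"),
            "OTHER_HOSTS": Network("OTHER_HOSTS", {"INTERNET"}, ccs=181),
            "TROYAK": Network("TROYAK", {"INTERNET"}),
            "RTCOM": Network("RTCOM", {"INTERNET"})}
    for i, count in enumerate([14, 12, 12, 11, 10, 9]):  # 68 C&Cs behind Troyak in total
        nets[f"DOWNSTREAM{i}"] = Network(f"DOWNSTREAM{i}", {"TROYAK"}, ccs=count)
    return nets


def simulate():
    nets = build_topology()
    before = active_ccs(nets)
    nets["TROYAK"].upstreams = set()      # upstream providers drop Troyak (Mar. 9)
    after = active_ccs(nets)
    nets["TROYAK"].upstreams = {"RTCOM"}  # Troyak re-peers through a new transit (Mar. 11)
    restored = active_ccs(nets)
    return before, after, restored, released_estimate(before - after)
```

Note that the infection count never changes in the model; only the controllers' reachability does, which is why the update about fallback servers in the config matters.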