Slashdot Mirror


Zeus Botnet Dealt a Blow As ISPs Troyak, Group 3 Knocked Out

itwbennett writes "Ninety of the 249 Zeus command-and-control servers were knocked offline overnight when two ISPs, named Troyak and Group 3, were taken offline. Whoever was behind the takedown 'just decided to knock out a large area of cyber-crime, and this was probably one of the easiest ways to do it,' said Kevin Stevens, a researcher with SecureWorks. As with the McColo takedown of just over a year ago, Troyak's upstream providers seem to have knocked it off the Internet, Cisco said in a statement. 'The ISP was "De-peered,"' Cisco said. 'Troyak's upstream network providers effectively pulled the plug on Troyak's router, refusing to transmit its traffic.'"

9 of 156 comments

  1. Good by drDugan · · Score: 5, Insightful

    What about the other 150?

    I have a difficult time understanding how Zeus is *still* around; it started in mid-2007! According to WP, it has more than 3.6 million infected PCs.

    There is no reasonable stance that defends the existence or the activities of botnets either legally or morally. How is it that we know there are 150 other command nodes, presumably that we can also discover their IP addresses, but law enforcement has been unable to bring them down?

    While I understand there are differences in laws, and in what is legal and what is accepted in different jurisdictions, this seems patently absurd. If an ISP provides service to a verified botnet control node, and refuses to quickly turn them off, I would expect immediate upstream action like this. Why hasn't this happened even more?

    1. Re:Good by Attila Dimedici · · Score: 3, Insightful

      Any system that can reliably take botnets offline can also be (mis)used to reliably take something like wikileaks offline.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:Good by jd2112 · · Score: 3, Insightful

      > There is no reasonable stance that defends the existence or the activities of botnets either legally or morally.

      "We can make money off of it" seems to work for a lot of people.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    3. Re:Good by HungryHobo · · Score: 3, Insightful

      Ya I'm not really seeing the victory here.

      If 90 of their command and control servers are knocked off can't they just push an update out through one of their other 159 command servers to the botnet to add another 1000 potential command and control servers scattered around the internet?

  2. Words by Threni · · Score: 5, Insightful

    knocked offline...taken offline....takedown...knock out.......have knocked it off..."De-peered,"'...pulled the plug... refusing to transmit

    I'm sorry, you're going to have to repeat that; what happened? Were they somehow removed from the internet?

    1. Re:Words by Angst Badger · · Score: 3, Insightful

      TFA attributes this to "anonymous community action".

      Of which there might be more if someone would be thoughtful enough to publicly post the IP addresses of the command and control nodes of major botnets on a regular basis.

      --
      Proud member of the Weirdo-American community.
  3. The short answer? Money. by khasim · · Score: 5, Insightful

    > Why hasn't this happened even more?

    Because the spammers and such are paying good money for such "bullet-proof" hosting sites.

    Meanwhile, the more legitimate ISPs don't want to spend the money to block the command/control servers individually on their networks.

  4. Re:Windows again by cdrguru · · Score: 5, Insightful

    The target is a "user". Anyone that doesn't understand system administration and security that is left alone with a computer can defeat anything that the OS does. If your grandma wants to install something like WeatherBug on Linux and the software to do this exists, she will succeed. If it requires root access and she has it, she will provide it in copious amounts for the malware application. Whatever is needed will be provided. Because she knows she wants to install this, for some utterly unknown reason.

    Now, if you have a computer that it is impossible for the user to install stuff on, well then you have a much more secure platform. Unfortunately, this requires an administrator for those cases where something is really needed and actually should be installed. Once the user and the administrator are the same person, you have just lost any semblance of security.

    99% of the Windows machines in homes out there do not have an administrator other than the user themselves. If these were magically replaced by Linux machines with the same administrator, this wouldn't solve anything. Sure, the user would need to do sudo or su in order to really screw things up, but if the application they thought they wanted to install asked for it, they would do it.

  5. And these ISPs' other customers...? by J'raxis · · Score: 3, Insightful

    There seems to be an implication that Troyak and Group 3 were somehow complicit with all this botnet activity, yet no such claims are actually being explicitly made - just that the ISPs have been "associated" with these botnets, whatever that means.

    Did these ISPs have legitimate customers who have now been cut off because of the criminals alongside them on the ISP's network? Was the ISP asked to deal with the situation first, and either ignored or refused such requests? If these ISPs were fronts for the botnet owners, where's the evidence? Did someone just think, oh, there are a bunch of bad guys on this ISP; let's cut the whole thing off and fuck the rest of their customers?

    This action sounds like the IT equivalent of a government blowing up an entire city block because a couple terrorists are renting an apartment there.

    If these ISPs have legitimate customers, hopefully they sue the hell out of the upstream for this.