Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zeus Botnet Dealt a Blow As ISPs Troyak, Group 3 Knocked Out

Posted by timothy on from the brief-respite-while-sauron-regroups dept.

itwbennett writes "Ninety of the 249 Zeus command-and-control servers were knocked offline overnight when two ISPs, named Troyak and Group 3, were taken offline. Whoever was behind the takedown 'just decided to knock out a large area of cyber-crime, and this was probably one of the easiest ways to do it,' said Kevin Stevens, a researcher with SecureWorks. As with the McColo takedown of just over a year ago, Troyak's upstream providers seem to have knocked it off the Internet, Cisco said in a statement. 'The ISP was "De-peered,"' Cisco said. 'Troyak's upstream network providers effectively pulled the plug on Troyak's router, refusing to transmit its traffic.'"

15 of 156 comments (clear)

  1. Good by drDugan · · Score: 5, Insightful

    What about the other 150?

    I have a difficult time understanding how Zeus is *still* around; it started in mid 2007! According to WP, it has more than 3.6 Million infected PCs.

    There is no reasonable stance that defends the existence or the activities of botnets either legally or morally. How is it that we know there are 150 other command nodes, presumably that we can also discover their IP addresses, but law enforcement has been unable to bring them down?

    While I understand there are differences in laws, and with what is legal and what is accepted in different jurisdictions, but this seems patently absurd. If an ISP provides service to a verified botnet control node, and refuses to quickly turn them off, I would expect immediate upstream action like this. Why hasn't this happened even more?

    1. Re:Good by c++0xFF · · Score: 4, Interesting

      From the article:

      Troyak is based in Kostanay, Kazakhstan, according to whois records.

      Taking down the servers is a political matter, not a technical one (in general). But I would imagine that clearly harboring illegal activity would be sufficient motivation for anybody. Imagine if we classified servers like we do countries that support terrorism?

      But even if we got all 249, it's like playing whack-a-mole or cutting off the head of a hydra.

    2. Re:Good by shentino · · Score: 4, Informative

      And for once it WOULD be a good idea.

      Just look at what happened to Blue Security. They put spam down so well that a pissed off spammer lobbed an electronic nuke at them.

      The guys that took out Blue were able to do so because they had a freaking ARMY of computers. An army, by the way, that they built up through illegal means. Now, accumulating firepower through theft, that does sound like a form of terrorism to me.

    3. Re:Good by hairyfeet · · Score: 4, Informative

      As a PC repairman allow me to explain why Zeus is still around, it is because the OEMs suck ass, that's why. You see ever since XP Sp2 (and some even earlier) the OEMs have been loading PCs with images that have the absolute worst default security policies you can possibly imagine, hell a junior HS student could do better. They set up an obvious username with no password, like "HP_User" and then go and turn autoupdates to OFF. In fact in 6 years I don't think I've seen an OEM PC with autoupdates activated. Just yesterday I had one cross my desk that the patches only went to SP2, that was...what 7 years ago? Hell no wonder there are so many botnets, the OEMs make it so any script kiddie can own millions of PCs!

      As for TFA, my guess is that many of the C&C servers are hosted in some idoncareistan, where a nice fat bribe will make all those problems go bye bye. Just look at Nigeria, where scamming is practically a noble profession. And it isn't like they can't find plenty of sleazeballs here in the USA that will be happy to do business with them as long as the money is green.

      Ultimately if we are gonna turn the tide I think it has to start with the OEMs before the customer ever picks up the PC. We need to demand some basic common sense, like having the user pick a password on first launch, having automatic updates set to on as default, and having some rules with regards to the crapware AVs they install, such as having it refuse to start if it is no longer good, so the user won't have a false sense of security. If I had my way it would give the user a list of AVs on first run, including free ones, like Windows 7 did on first start, but since I haven't had any OEM Windows 7 machines cross my desk yet I'm sure the OEMs disabled that as well. But expecting the customer to know their machine is crippled from the factory, as well as the steps to fix it, is just insane when so much can be done at the factory to negate this problem IMHO.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Niney by jamesyouwish · · Score: 4, Funny

    Niney n. The amount of drinks it takes to say this word correctly.

  3. Words by Threni · · Score: 5, Insightful

    knocked offline...taken offline....takedown...knock out.......have knocked it off..."De-peered,"'...pulled the plug... refusing to transmit

    I'm sorry, you're going to have to repeat that; what happened? Were they somehow removed from the internet?

    1. Re:Words by chadenright · · Score: 5, Informative

      The Internet Service Providers providing internet service to the 90 zeus command nodes suddenly (and involuntarily) stopped providing internet service. TFA attributes this to "anonymous community action". Basically, someone got irritated at the bot net and blacked out a fair chunk of Kazakhstan in order to damage it.

    2. Re:Words by Anonymous Coward · · Score: 5, Funny

      Troyak and Group 3 were like car dealerships, who sold cars to evil customers, who ran car-botnets. The suppliers of Troyak and Group 3 decided to stop supplying cars to them, so they couldn't resell the cars.

    3. Re:Words by __aajfby9338 · · Score: 5, Funny

      this has to be the worst car analogy ever.

      You might say it's like the Yugo of car analogies.

  4. Internet Death Penalty by Anonymous Coward · · Score: 4, Informative

    Might as well call it by its name: Internet Death Penalty

  5. The short answer? Money. by khasim · · Score: 5, Insightful

    Why hasn't this happened even more?

    Because the spammers and such are paying good money for such "bullet-proof" hosting sites.

    Meanwhile, the more legitimate ISP's don't want to spend the money to block the command/control servers individually on their networks.

  6. Re:Niney!? by LikwidCirkel · · Score: 5, Funny

    It comes after atey and before teny

  7. Update: Troyak is back online by angry+tapir · · Score: 5, Informative

    According to this article: "Just hours after Internet service providers severed network connectivity to Troyak, an ISP associated with the Zeus botnet, the ISP has regained connectivity after peering with a new upstream Internet service provider."

  8. Re:Windows again by cdrguru · · Score: 5, Insightful

    The target is a "user". Anyone that doesn't understand system administration and security that is left alone with a computer can defeat anything that the OS does. If your grandma wants to install something like WeatherBug on Linux and the software to do this exists, she will succeed. If it requires root access and she has it, she will provide it in copious amounts for the malware application. Whatever is needed will be provided. Because she knows she wants to install this, for some utterly unknown reason.

    Now, if you have a computer that it is impossible for the user to install stuff on, well then you have a much more secure platform. Unfortunately, this requires an administrator for those cases where something is really needed and actually should be installed. Once the user and the administrator are the same person, you have just lost any semblance of security.

    99% of the Windows machines in homes out there do not have an administrator other than the user themselves. If these were magically replaced by Linux machines with the same administrator, this wouldn't solve anything. Sure, the user would need to do sudo or su in order to really screw things up, but if the application they thought they wanted to install asked for it, they would do it.

  9. Re:PININ' for the FJORDS?! by plover · · Score: 5, Funny

    Mr Praline walks into a datacenter.
    He walks to a desk where a sysadmin tries to hide below a tape rack.

    PRALINE: Hello, I wish to register a complaint... Hello? Miss?

    SYSADMIN: What do you mean, miss?

    PRALINE: Oh, I'm sorry, I have a cold. I wish to make a complaint.

    SYSADMIN: Sorry, we're closing for patch Tuesday.

    PRALINE: Never mind that my lad, I wish to make a complain about this hosting service what I leased not half an hour ago from this very datacenter.

    SYSADMIN: Oh yes, the Kazakhstan Big Blue Blade Server package. What's wrong with it?

    PRALINE: I'll tell you what's wrong with it. It's offline, that's what wrong with it.

    SYSADMIN: No, no it's connecting, look!

    PRALINE: Look my lad, I know a dead host when I ping one and I'm pingin' one right now.

    SYSADMIN: No, no sir, it's not dead. It's syncing.

    PRALINE: Syncing?

    SYSADMIN: Yeah, remarkable host the Kazakhstan Big Blue, beautiful rackmounting job, innit?

    PRALINE: The rackmountin' don't enter into it - it's stone dead.

    SYSADMIN: No, no - it's just syncing.

    PRALINE: All right then, if it's syncing I'll sync with it. (shouts into cabinet) Hello Khaki! I've got a nice piece of Cat 6 for you when you wake up, Khaki!

    SYSADMIN: (jogging rack) There it blinked.

    PRALINE: No it didn't. That was you yankin' the wire.

    SYSADMIN: I did not.

    PRALINE: Yes, you did. (unplugs wire from cabinet, shouts into the end of the ethernet cable) Hello Khaki, Khaki (whips it against counter) Khaki host, wake up. Khaki. (throws it in the air and lets it fall to the floor) Now that's what I call a dead host.

    SYSADMIN: No, no it's stunned.

    PRALINE: Look my lad, I've had just about enough of this. That host is definitely depeered. And when I leased it not half an hour ago, you assured me that its lack of connectivity wad due to it being tired and shagged out after delisting a porn site.

    SYSADMIN: It's probably pining for the fjords.

    PRALINE: Pining for the fjords, what kind of talk is that? Look, why did it refuse to connect the moment I got home?

    SYSADMIN: The Kazakhstan Big Blue prefers connecting via SSL. Beautiful host, lovely rackmounting.

    PRALINE: Look, I took the liberty of examining that host, and I discovered that the only reason that its lights were blinking in the first place was that there was a flashlight taped inside the case.

    SYSADMIN: Well of course it was taped there. Otherwise it would roll out the back and voom.

    PRALINE: Look matey (picks up cable) this host wouldn't voom if I put four thousand volts through it. It's bleeding offline.

    SYSADMIN: It's not, it's pining.

    PRALINE: It's not pining, it's unplugged. This host is no more. It has ceased to be. Its license has expired. This is a late host. It's a brick. Bereft of electrons, it rests in peace. And if you hadn't taped a flashlight inside the case, the only cycles it would ever see from here on out are re-cyclers. It's dropped out of DNS and unjoined the internet invisible. This is an ex-host.

    SYSADMIN: Well, I'd better replace it then.

    PRALINE: (to camera) If you want to get anything done in this country you've got to complain till you're blue in the mouth.

    SYSADMIN: Sorry guv, we're right out of blade servers.

    PRALINE: I see. I see. I get the picture.

    SYSADMIN: I've got a PC running Windows.

    PRALINE: Does it scale?

    SYSADMIN: Not really, no.

    PRALINE: Well, it's scarcely a replacement, then is it?

    --
    John