After takedown, botnet-linked ISP Troyak resurfaces
- 11 March, 2010 10:48
- Comments
Last week FBI Director Robert Mueller called the fight against hackers "the cyber equivalent of cat-and-mouse." On Wednesday security experts trying to take down the Zeus botnet got a taste of what he meant.
Just hours after Internet service providers severed network connectivity to Troyak, an ISP associated with the Zeus botnet, the ISP has regained connectivity after peering with a new upstream Internet service provider.
"Don't worry, it is up and running again," Troyak spokesman Roman Starchenko said in an e-mail to IDG News Service. "We fixed our weakness and now it will become concrete stable."
He blamed the outage on an administrative error.
Security researchers confirmed Wednesday that Troyak was back online, after peering with an Internet service provider named Ya.
That means the 68 Zeus botnet command-and-control servers associated with Troyak can reconnect to hacked systems and issue new instructions. Disputing Starchenko's explanation, security experts say they had stopped that from happening by getting Troyak's upstream providers to stop peering with it, essentially isolating it from the rest of the Internet.
The person or group who knocked Troyak offline has asked to remain anonymous, according to several researchers familiar with the situation.
Zeus is a botnet kit used by a large number of cybercriminals. Researchers have counted 249 Zeus command-and-control servers to date. Another Internet service provider named Group 3 was also knocked offline Wednesday. It has not been reconnected, however.
The next step will be to "de-peer" Troyak from its new service provider, either an ISP named Nassist or its upstream provider, Hurricane Electric, said a researcher familiar with the matter who spoke via instant message on condition of anonymity.
The back and forth is reminiscent of the November 2008 takedown of San Jose, California, ISP McColo. When McColo went offline, a large percentage of the world's spam disappeared with it, but criminals were able to slowly regain control of their botnet networks, and spam levels returned.
That may well be what happens with Troyak, although some hope that won't be the case.
"We have taken some of their territory, they are trying to out flank us," the researcher said via IM. "We are going to win this one -- we have 'em boxed in."
Nominations for the 2012 ARN IT Industry Awards open on Tuesday, June 12.
- Bookmark this page
- Share this article
- Got more on this story? Email ARN
- Follow ARN on twitter
- Aberdeen Group: Building Business Resilience Through Active Archive
- In Search of the Long-Term Archiving Solution —Tape Continues to Be a Major Player
- In Search of the Long-Term Archiving Solution —Tape Delivers Significant TCO Advantage over Disk
- Spectra Logic and Australian National University Success Story - March 2012
- Red Light In the Control Centre Saves Hours of Chaos
-
Facebook could buy Nokia to build 'FacePhone', expert claims
-
It's not all Doom at new media conference
-
Tech Watch: Who watches the datacentre?
-
Facebook scammers host Trojan horse extensions on the Chrome Web Store
-
Webroot: Growth in security
Get exclusive access to ARN's news, research and invitation only events. 
Comments
Post new comment