
Massive Drop in Number of Active Zeus C&C Servers

I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&Control servers. This morning I was really surprised what I saw on the ZeuS Tracker statistic page:


Massive drop of active ZeuS C&C servers on 2010-03-09

As you can see in the chart above, on March 9th 2010 the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: there has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C servers is a fact. I noticed that six of the worst ZeuS hosting ISPs had suddenly disappeared from the ZeuS Tracker.

I verified the subnets of the affected ISPs and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. As a result, the following ISPs lost their internet connectivity, which finally resulted in a massive drop in the number of active ZeuS C&C servers:

AS number: AS50390
AS name: SMILA-AS Pavlenko Tetyana Oleksandrivna
Subnet: 193.105.0.0/24
Status: Withdrawn
# of ZeuS C&Cs: 17
Spamhaus SBL: Not listed

AS number: AS42229
AS name: MARIAM-AS PP Mariam
Subnet: 91.201.196.0/22
Status: Withdrawn
# of ZeuS C&Cs: 18
Spamhaus SBL: #SBL86729

AS number: AS49934
AS name: VVPN-AS PE Voronov Evgen Sergiyovich
Subnet: 193.104.41.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL82374

AS number: AS44107
AS name: PROMBUDDETAL-AS Prombuddetal LLCst
Subnet: 91.201.28.0/22
Status: Withdrawn
# of ZeuS C&Cs: 5
Spamhaus SBL: #SBL82408

AS number: AS50033
AS name: GROUP3-AS GROUP 3 LLC.
Subnet: 193.104.94.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL85667

AS number: AS12604
AS name: CITYGAME-AS Kamushnoy Vladimir Vasulyovich
Subnet: 193.104.27.0/24
Status: Withdrawn
# of ZeuS C&Cs: 12
Spamhaus SBL: #SBL81900

In total, 68 ZeuS C&C servers went down – it was the biggest drop in the number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job :D
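The check described above (verifying whether the C&Cs that went offline all sit inside the withdrawn prefixes) is easy to automate. The following is an added example, not code from the ZeuS Tracker or the original post; the prefixes come from the list above, while the tracker entries are constructed sample data.

```python
import ipaddress
from collections import Counter

# Prefixes the post reports as withdrawn on 2010-03-09, keyed to their origin AS.
WITHDRAWN_PREFIXES = {
    "193.105.0.0/24": "AS50390",
    "91.201.196.0/22": "AS42229",
    "193.104.41.0/24": "AS49934",
    "91.201.28.0/22": "AS44107",
    "193.104.94.0/24": "AS50033",
    "193.104.27.0/24": "AS12604",
}

# Constructed sample of tracker entries: (C&C IP, status before, status after).
SAMPLE_TRACKER = [
    ("193.105.0.17", "online", "offline"),
    ("91.201.197.8", "online", "offline"),
    ("91.201.29.200", "online", "offline"),
    ("193.104.27.5", "online", "offline"),
    ("193.104.94.66", "online", "online"),   # inside withdrawn space but still up: re-check
    ("203.0.113.45", "online", "offline"),   # went down, but not explained by the withdrawal
    ("198.51.100.9", "online", "online"),
]

def origin_as(ip):
    """Return the origin AS of a withdrawn prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in WITHDRAWN_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def attribute_drop(entries):
    """Split newly-offline C&Cs into those explained by a withdrawn prefix
    (counted per origin AS) and those needing another explanation; also
    report hosts inside withdrawn space that are somehow still reachable."""
    explained = Counter()
    unexplained = []
    still_up = []
    for ip, before, after in entries:
        asn = origin_as(ip)
        if before == "online" and after == "offline":
            if asn:
                explained[asn] += 1
            else:
                unexplained.append(ip)
        elif after == "online" and asn:
            still_up.append(ip)
    return explained, unexplained, still_up
```

Any host in `still_up` suggests the prefix is reachable via another path, which is the kind of change the later updates on this page describe.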

*** UPDATE 21:03 (UTC) ***
Bad news – it seems that TROYAK-AS has found a new upstream provider to serve their malware to the world:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS44051 YA-AS Professional Communication Systems

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut their peerings with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look into the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!


ZeuS Tracker statistics as of 2010-03-11

As mentioned in the last update from 21:03 UTC, Troyak just found a new upstream provider. This means Troyak-AS has been reconnected to the internet since yesterday. Anyway, I just checked those ZeuS C&C servers which were routed by Troyak – all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day – Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System

*** UPDATE 2010-03-11 21:30 (UTC) ***
Bad news: since Troyak started their peering with RTCOMM-AS, the number of active ZeuS C&C servers has increased from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update the config files served to the infected clients to set up a fallback server (in case Troyak disappears from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS25189 NLINE-AS JSC Nline

Further links
