Tag Archive for 'ZeuS'

Massive Drop in Number of Active Zeus C&C Servers

I always check the ZeuS Tracker statistics to get a picture of the trend in active ZeuS Command&Control servers. This morning I was really surprised by what I saw on the ZeuS Tracker statistics page:

Massive drop of active ZeuS C&C servers on 2010-03-09

As you can see in the chart above, on March 9th 2010 the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: there has to be some problem with the ZeuS Tracker cron script. I checked the script and everything looked ok. So the massive drop in ZeuS C&C servers is a fact. I noticed that six of the worst ZeuS hosting ISPs had suddenly disappeared from the ZeuS Tracker.

I verified the subnets of the affected ISPs and came to the conclusion that Troyak-AS (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut off from the internet on 2010-03-09. As a result, the following ISPs lost their internet connectivity, which finally resulted in a massive drop in the number of active ZeuS C&C servers:

AS number: AS50390
AS name: SMILA-AS Pavlenko Tetyana Oleksandrivna
Status: Withdrawn
# of ZeuS C&Cs: 17
Spamhaus SBL: Not listed

AS number: AS42229
AS name: MARIAM-AS PP Mariam
Status: Withdrawn
# of ZeuS C&Cs: 18
Spamhaus SBL: #SBL86729

AS number: AS49934
AS name: VVPN-AS PE Voronov Evgen Sergiyovich
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL82374

AS number: AS44107
AS name: PROMBUDDETAL-AS Prombuddetal LLCst
Status: Withdrawn
# of ZeuS C&Cs: 5
Spamhaus SBL: #SBL82408

AS number: AS50033
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL85667

AS number: AS12604
AS name: CITYGAME-AS Kamushnoy Vladimir Vasulyovich
Status: Withdrawn
# of ZeuS C&Cs: 12
Spamhaus SBL: #SBL81900

In total, 68 ZeuS C&C servers went down. It was the biggest drop in the number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job 😀

*** UPDATE 21:03 (UTC) ***
Bad news: it seems that TROYAK-AS has found a new upstream provider to serve their malware to the world:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS44051 YA-AS Professional Communication Systems

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut their peerings with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look into the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!

ZeuS Tracker statistics as of 2010-03-11

As mentioned in the last update from 21:03 UTC, Troyak just found a new upstream provider. This means that Troyak-AS has been reconnected to the internet since yesterday. Anyway, I just checked those ZeuS C&C servers which were routed by Troyak: all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day: Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System

*** UPDATE 2010-03-11 21:30 (UTC) ***
Bad news: since Troyak started their peering with RTCOMM-AS, the number of active ZeuS C&C servers has increased from 149 to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update the config files served to the infected clients to set up a fallback server (in case Troyak disappears from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS25189 NLINE-AS JSC Nline

Source of badness: Group Vertical Ltd (AS49365)

I have been watching the growth of badness from AS49365 aka “Group Vertical Ltd” (GR-VERTICAL-AS) for the past couple of months. As you can see on Robtex, the subnet owned by this AS is very small. It has a size of 256 IP addresses (

Brief information
Member of as-fiord
Number of originated prefixes: 1
Regions: 1
IP numbers: 256
Unique IP numbers: 256
Overlapping IP numbers: 0

Source: www.robtex.com/as/as49365.html

If you Google AS49365, you will only find a very small number of reports concerning abuse coming from this AS. So normally I would think that there is nothing to worry about… but the fact is: AS49365 is currently the top ZeuS hosting ISP:

ZeuS command&control server hosted on AS49365
Source: zeustracker.abuse.ch/monitor.php?as=49365

There are currently 32 malicious ZeuS Command&Control servers (C&Cs) in this AS tracked by ZeuS Tracker, 25 of which are currently active.

Let’s try to get some more information about this ISP:

aut-num: AS49365
descr: Group Vertical Ltd
import: from AS44146 action pref=100; accept {}
import: from AS12360 action pref=100; accept {}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
admin-c: VN840-RIPE
tech-c: VN840-RIPE
notify: registry(at)citytelecom.ru
mnt-routes: VERTICAL-MNT
changed: hostmaster(at)ripe.net 20090527
source: RIPE

Group Vertical Ltd has its upstream at JSC “TRC FIORD” (Fiord-AS), a Russian ISP located in Moscow which offers Internet connections, web hosting and colocation services:

AS49365 upstream
Source: www.robtex.com/as/as49365.html
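The two analyses in these posts (counting which C&Cs go dark when Troyak's upstream is withdrawn, and reading upstreams out of the AS49365 routing policy) can be reproduced with a small model. This is an added example, not code from the ZeuS Tracker project: "TROYAK-UP0" is a placeholder for Troyak's unnamed original upstream, the six ISPs are assumed to be single-homed to Troyak, and treating a neighbour that appears in both import and export lines as an upstream is a heuristic, since RPSL does not label roles.

```python
import re

# Added example (not from the post): model the upstream adjacency described
# above and count which tracked C&Cs lose connectivity when an upstream is cut.
AUT_NUM_AS49365 = """\
aut-num: AS49365
import: from AS44146 action pref=100; accept {}
import: from AS12360 action pref=100; accept {}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
"""  # routing-policy lines of the RIPE object quoted in the post

INTERNET = "INTERNET"  # marker for the default-free zone
# Constructed graph: AS -> upstreams. "TROYAK-UP0" is a placeholder for Troyak's
# unnamed upstream that withdrew on 2010-03-09; the six ISPs are assumed single-homed.
UPSTREAMS = {
    50390: {50215}, 42229: {50215}, 49934: {50215},
    44107: {50215}, 50033: {50215}, 12604: {50215},
    50215: {"TROYAK-UP0"}, "TROYAK-UP0": {INTERNET},
    44051: {29632}, 29632: {INTERNET},  # YA-AS, single-homed to NASSIST-AS
}
# Active ZeuS C&Cs per AS on 2010-03-09, from the post.
CNC_PER_AS = {50390: 17, 42229: 18, 49934: 8, 44107: 5, 50033: 8, 12604: 12}

def parse_aut_num(text):
    """(asn, upstreams) from RPSL; RPSL does not label roles, so a neighbour we
    import from and announce only our own AS to is assumed to be an upstream."""
    asn = int(re.search(r"^aut-num:\s*AS(\d+)", text, re.M).group(1))
    imports = {int(a) for a in re.findall(r"^import:\s*from AS(\d+)", text, re.M)}
    exports = {int(a) for a in re.findall(
        rf"^export:\s*to AS(\d+) announce AS{asn}\s*$", text, re.M)}
    return asn, imports & exports

def online_ases(upstreams, cut=frozenset()):
    """Fixed point: an AS is online if not cut and some online upstream remains."""
    online, changed = set(), True
    while changed:
        changed = False
        for asn, ups in upstreams.items():
            if asn not in cut and asn not in online and any(
                    u == INTERNET or (u not in cut and u in online) for u in ups):
                online.add(asn)
                changed = True
    return online

def offline_cncs(upstreams, cnc_per_as, cut=frozenset()):
    """Tracked C&Cs whose AS has no remaining path to the internet, and their total."""
    online = online_ases(upstreams, cut)
    lost = {asn: n for asn, n in cnc_per_as.items() if asn not in online}
    return lost, sum(lost.values())
```

Cutting "TROYAK-UP0" takes all 68 C&Cs offline; giving AS50215 the extra upstream AS44051 brings them back, and they go dark again only if AS29632 (NASSIST-AS) is also cut, which is exactly the dependency the 21:03 update points at.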

The subnet ( was allocated by Group Vertical on 2009-05-26.
But this AS wasn’t always rogue: Most of those ZeuS command&control servers started to show up in this AS between August 2009 and October 2009.

And now the million dollar question: why did this AS start hosting so much garbage in August 2009?

The answer seems to be that the Latvian ISP JUNIK-RIGA-LV cut off its downstream connection to the well known rogue ISP Real Host on August 3rd, which had hosted more than 20 ZeuS command&control servers. So the bad guys had to look for a new home for their crap, and found Group Vertical.