Security professionals may have celebrated prematurely this week, when it was reported that the Zeus botnet had been “killed”. The Trojan family was widely used by cyber criminals to target victims with data-stealing malware.
Troyak.org, an Internet service provider (ISP) registered by Starchenko Roman Fedorovich, which harbours servers that control spam and malware botnets, went down temporarily on Tuesday. Troyak is believed to host a quarter of the command-and-control servers that connect to Zeus-infected computers.
“On 9 March, Troyak, which was providing ISP services for a number of other smaller ISPs, which hosted Zeus botnet control centres, went offline,” says Costin Raiu, chief security expert, EMEA, global research and analysis team at Kaspersky Lab. “Troyak's link to the Internet was cut off, hence a part of the botnet became headless,” he explains.
He says this resulted in a significant drop in the number of servers controlling the botnet, impairing the operation of the cyber criminal gang behind Zeus.
However, Raiu says, on 10 March Troyak found another upstream provider that reconnected its address space to the Internet, which means all the disconnected Zeus control centres are back online.
“Zeus remains a serious threat,” continues Raiu. “It should be noted that the disconnect of Troyak from the Internet - while it did affect the operation of the botnet - didn't shut it down completely. Even without Troyak, the botnet was working, even if partially. This happens because cyber criminals distribute their control centres between different ISPs precisely to avoid such situations.”
He says users should protect themselves by following standard security practices. “Install and use a reliable Internet security suite, and keep Windows updated. In addition, keep all third-party applications updated; in particular, Adobe Reader, MS Office and Adobe Flash Player. Lastly, do not open suspicious attachments.”