AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181

March 10, 2010
2nd update for Friday, March 12, 2010 - Troyak-AS is down again - "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS."

UPDATED: Friday, March 12, 2010 - Troyak-AS peering courtesy of AS25189 - NLINE-AS JSC Nline. Since the entire Troyak-as takedown campaign is turning into an infinite loop, it's time for a "terminating condition".

2nd update for Thursday, March 11, 2010: Troyak-AS is back from the dead. Upstream courtesy of AS8342 - RTCOMM-AS RTComm.RU Autonomous System. The good news? Troyak's Zeus C&Cs are still offline.

UPDATED: Thursday, March 11, 2010 - TROYAK-AS Starchenko Roman Fedorovich is dead again - "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS."

UPDATED: Troyak-as is now AS44051 YA-AS Professional Communication Systems.
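The updates above hinge on two observable facts about an AS: whether it still originates prefixes in the global routing table, and who is providing it transit when it reappears. The script below is an added example (not code from the original post) that answers both questions from a snapshot of routes in the shape "prefix AS_PATH", as one would extract from a public route collector. The table is constructed for illustration: the ASNs are those named in the post, the prefixes are documentation ranges, and the adjacencies are assumed rather than taken from any real dump.

```python
"""Check whether an ASN announces prefixes or acts as visible transit.

Added example, not part of the original post. Works offline over a constructed
routing-table snapshot; in practice the lines would come from a route
collector dump (e.g. a RouteViews/RIS table export), one route per line.
"""
from collections import defaultdict

# Constructed sample table: "prefix AS_PATH". The rightmost ASN is the origin;
# every ASN to its left is a transit provider for that route. The ASNs are the
# ones named in the post; the adjacencies and prefixes are made up.
SAMPLE_TABLE = [
    "192.0.2.0/24 3356 8342 8342 50215",        # 50215 originates via 8342 (prepended once)
    "198.51.100.0/24 3356 8342 50215",          # second prefix via the same upstream
    "203.0.113.0/24 1299 25189 50215 44107",    # 50215 transits for 44107, upstream 25189
    "198.18.0.0/15 3356 1299 8342",             # unrelated route
    "bad line",                                 # malformed entry, skipped
    "203.0.113.0/25 1299 {25189,8342} 50215",   # AS-set in the path, skipped
]


def parse_routes(lines):
    """Turn "prefix AS_PATH" strings into (prefix, [asn, ...]) tuples.

    Lines with fewer than two fields or with non-numeric hops (AS-sets,
    garbage) are skipped. Consecutive repeats of the same ASN (path
    prepending) are collapsed so each ASN appears once per path.
    """
    parsed = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        prefix, hops = parts[0], parts[1:]
        if not all(h.isdigit() for h in hops):
            continue
        path = []
        for hop in map(int, hops):
            if not path or path[-1] != hop:
                path.append(hop)
        parsed.append((prefix, path))
    return parsed


def as_visibility(routes, asn):
    """Summarise how `asn` shows up in the parsed routes.

    Returns whether it originates any prefix, whether it appears as a
    transit hop for someone else's prefix, and the set of ASNs sitting
    immediately to its left in the paths (its apparent upstreams).
    """
    originated, transited, upstreams = set(), set(), set()
    for prefix, path in routes:
        if asn not in path:
            continue
        idx = path.index(asn)
        if idx == len(path) - 1:
            originated.add(prefix)
        else:
            transited.add(prefix)
        if idx > 0:
            upstreams.add(path[idx - 1])
    return {
        "announces_prefixes": bool(originated),
        "visible_transit": bool(transited),
        "originated": sorted(originated),
        "transited": sorted(transited),
        "upstreams": sorted(upstreams),
    }


def upstream_index(routes):
    """Map every ASN to the set of ASNs that provide it transit anywhere."""
    index = defaultdict(set)
    for _, path in routes:
        for left, right in zip(path, path[1:]):
            index[right].add(left)
    return {asn: sorted(ups) for asn, ups in index.items()}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    for asn in (50215, 44107, 8342):
        print(asn, as_visibility(table, asn))
```

Run the check against two snapshots (before and after a reported takedown) and the difference in `upstreams` shows exactly who brought the AS back, while `announces_prefixes` and `visible_transit` both reading false matches the "not currently used to announce prefixes ... nor ... visible transit AS" wording quoted in the updates.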

AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&Cs, according to this graph courtesy of the ZeusTracker.

AS50215 Troyak-as (ctlan.net; prombd.net) was of course the tip of the iceberg, directly or indirectly interacting with the following ASes:
  • AS31366 - smallshop-as Stebluk Vladimir Vladimirovich
  • AS44107 - PROMBUDDETAL-AS Prombuddetal LLC
  • AS50369 - VISHCLUB-as Kanyovskiy Andriy
  • AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich
  • AS47560 - VESTEH-NET-as Vesteh LLC
Don't pop the corks just yet: their customers, in particular their money mule recruitment customers, are already migrating to the competition.

From a cybercriminal's perspective, such minor operational glitches don't undermine the business model. Sadly, it's more cost-effective to build a new botnet, compared to trying to gain access to the old one. What truly undermines their business model is their inability to utilize the monetization vector.

AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010:
  • Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
  • Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
  • PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
  • Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
  • Keeping Money Mule Recruiters on a Short Leash - Part Two

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
