UPDATED: Friday, March 12, 2010 - Troyak-AS peering courtesy of AS25189 - NLINE-AS JSC Nline. Since the entire Troyak-as takedown campaign is turning into an infinite loop, it's time for a "terminating condition".
2nd update for Thursday, March 11, 2010: Troyak-AS is back from the dead. Upstream courtesy of AS8342 - RTCOMM-AS RTComm.RU Autonomous System. The good news? Troyak's Zeus C&Cs are still offline.
UPDATED: Thursday, March 11, 2010 - TROYAK-AS Starchenko Roman Fedorovich is dead again - "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS."
UPDATED: Troyak-as is now AS44051 YA-AS Professional Communication Systems.
AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&Cs, according to this graph courtesy of the ZeusTracker.
AS50215 Troyak-as (ctlan.net; prombd.net) was of course the tip of the iceberg, directly or indirectly interacting with the following ASs:
- AS31366 - smallshop-as Stebluk Vladimir Vladimirovich
- AS44107 - PROMBUDDETAL-AS Prombuddetal LLC
- AS50369 - VISHCLUB-as Kanyovskiy Andriy
- AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich
- AS47560 - VESTEH-NET-as Vesteh LLC
From a cybercriminal's perspective, such minor operational glitches don't undermine the business model. Sadly, it's more cost-effective to build a new botnet than to try to gain access to the old one. What truly undermines their business model is their inability to utilize the monetization vector.
AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010:
- Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
- Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
- PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
- Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
- Keeping Money Mule Recruiters on a Short Leash - Part Two
This post has been reproduced from Dancho Danchev's blog.