Malware-Serving ISP Taken Down, Researchers Say

'Troyak' went dark overnight, cutting off service to many Zeus botnets

A network frequently used for malware delivery was shut down last night, probably against the will of its operators.

Troyak.org, a Kazakhstani "Internet service provider" well known for serving Zeus botnets and other malware delivery methods, went dark overnight, resulting in the shutdown of as many as 25 percent of the world's Zeus botnets, according to researchers at Cisco's ScanSafe and RSA's FraudAction security research units.

The two groups of researchers did not definitively agree on the cause of the outage, but they agreed one likely source is backbone network service providers, possibly working with law enforcement agencies, which might have taken the action to cut service off from botnets and malware distributors.

Less than 24 hours after the outage, many components of the ISP began to operate again. But malware delivery has temporarily dropped off significantly across the Web, and it's likely the Troyak network is at least crippled, the researchers say.

"There are those who say that a takedown like this doesn't do much good because the network can get back into service fairly quickly, but I disagree," says Mary Landesman, head security researcher at ScanSafe. "A shutdown hits criminals where it hurts the most -- in the wallet. Rising costs will become a deterrent to some of this activity."

According to Sean Brady, product manager for the Identity Protection & Verification Group at RSA, Troyak is an upstream provider for several smaller malware-bearing "ISPs."

"Up until midday Tuesday, these networks, some of which are well-known 'bulletproof' hosting services, hosted a great number of malware-hosting servers," according to an RSA report. "[Troyak] connected dozens of malware servers to the Internet, including the Rock Phish gang's JabberZeus drop server, Gozi Trojan servers, as well as many of the Trojan infection and drop servers that RSA regularly monitors."

Landesman suggests the effort to go upstream to stop malware delivery, typically through network service providers, could be a step in the right direction. Microsoft took action to cut activity on the Waledac botnet earlier this month, she notes.

"In addition to adding costs for the criminals, it also increases awareness at the service-provider level," Landesman says. "It's becoming harder for service providers to turn a blind eye to criminal activity that's taking place on their networks."

Brady concurs. "It's analogous to going after organized crime -- you have to go after the money," he says. "Even if it's short-lived, this is a positive development for IT."

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
