Wednesday, March 10, 2010

With ISP offline, criminal malware infections drop dramatically

On Wednesday, RSA alerted its customers to a substantial decrease within the last twenty four hours in Trojan horse activity on the Internet as the result of a key Internet host going offline. Criminal enterprises use such hosts as a common point of contact. On the front end, it is the Internet address that thousands of infected computers worldwide point to in order to download the latest version of malware. On the back end, the bad guys connect through such a common network to mask their true locations. Removing the network breaks the connection between the infected PC and the criminal enterprise. Additionally, Cisco reports that there was a flood of last minute malware activity prior to the shut down which could have been the criminals seeking to change IP addresses.

The facility, known as AS Troyak (Russian slang for “Trojan”) is believed to be the source of several major strains of Trojans currently active on the Internet. AS Troyak is home to Rock Phish gang’s JabberZeus drop server, Gozi Trojan servers, among other lesser known Trojans. Zeus is a new class of banking Trojan that uses stealth in ACH transfers to defraud its victims.

A dramatic example of the impact of the loss of AS Troyak can be found on the site Zeus Tracker (this site uses a generic certificate so your browser may need to add site as an exception), which reported a substantial drop in Zeus infections on Tuesday evening.

Source: Zeus Tracker

Source: Zeus Tracker

In the past bullet-proof hosting facilities have used AS Troyak. Bullet-proof hosting means the owners are likely to be involved in some criminal activity themselves and thus ignore requests by law enforcement to shut down any illegal activity on the server. That isn’t to say all of AS Troyak’s clients are engaged in illegal activity, only that those that are likely to find safe haven with these facilities.


According to RSA the range of IP addresses affected by the AS Troyak shutdown include:

The exact cause of AS Troyak’s demise is not known, nor does the team at RSA think it is likely to be long-lived. The server could, for instance, be moving to a new physical location, or the shutdown could be the result of a technical failure. Or the party operating it may have decided not to continue with the service. It is also possible, though unlikely, that a coordinated effort by law enforcement and/or the security community may have shuttered AS Troyak.

“While the excitement is likely to be rather short-lived,” said Sean Brady, product marketing manager for RSA’s IPV Team, “seeing a wholesale throttling of a significant volume of online fraudulent activity provides a valuable glimpse at how to perform large-scale crime prevention efforts. It’s akin to the traditional methods of taking on organized crime – if you can go after the money, or in this case, the infrastructure, you can do more damage to the organization’s activity than going after individuals or individual resources.”