AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181

2nd update for Friday, March 12, 2010 – Troyak-AS is down again – “This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.”

UPDATED: Friday, March 12, 2010 – Troyak-AS peering courtesy of AS25189 – NLINE-AS JSC Nline. Since the entire Troyak-as takedown campaign is turning into an infinite loop, it’s time for a “terminating condition”.

2nd update for Thursday, March 11, 2010: Troyak-AS is back from the dead. Upstream courtesy of AS8342 – RTCOMM-AS RTComm.RU Autonomous System. The good news? Troyak’s Zeus C&Cs are still offline.

UPDATED: Thursday, March 11, 2010 – TROYAK-AS Starchenko Roman Fedorovich is dead again – “This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.”

UPDATED: Troyak-as is now AS44051 YA-AS Professional Communication Systems.

AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&Cs, according to this graph courtesy of the ZeusTracker.

AS50215 Troyak-as (ctlan.net; prombd.net) was of course the tip of the iceberg, directly or indirectly interacting with the following ASs:

  • AS31366 – smallshop-as Stebluk Vladimir Vladimirovich 
  • AS44107 – PROMBUDDETAL-AS Prombuddetal LLC 
  • AS50369 – VISHCLUB-as Kanyovskiy Andriy 
  • AS49934 – VVPN-AS PE Voronov Evgen Sergiyovich 
  • AS47560 – VESTEH-NET-as Vesteh LLC

Don’t pop the corks just yet: their customers, in particular their money mule recruitment customers, are already migrating to the competition.

From a cybercriminal’s perspective, such minor operational glitches don’t undermine the business model. Sadly, it’s more cost-effective to build a new botnet than to try to gain access to the old one. What truly undermines their business model is their inability to utilize the monetization vector.

AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010:

  • Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
  • Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
  • PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
  • Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
  • Keeping Money Mule Recruiters on a Short Leash – Part Two

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Author: Dancho Danchev
