Zeus botnet shaken by ISP cutoffs

The world's largest botnet Zeus has had its traffic disrupted by repeated disconnections of a Kazakhstani ISP, but a series of reconnections has revived its banking Trojan activity, according to security researchers.

The botnet mainly pushes out the Zeus banking Trojan, an information-stealing keylogger which relays sensitive data back to its controllers. The Kazakhstani ISP, AS Troyak, provides network connectivity to six other ISPs that host Zeus botnet command-and-control servers. On Wednesday, the upstream connectivity to AS Troyak was cut by unidentified agents.

This disconnection resulted in the shutdown of 25 percent of the Zeus botnet, said security company ScanSafe, which is part of Cisco.

"Cisco is pleased to see that this network has been crippled," said the company in a Wednesday statement. "Even though the thousands of victims of these gangs are still infected with Zeus, the malware running on their PCs is unable to communicate with its controller and no new data can be stolen from them."

Active Zeus domains dropped from 249 on Monday to 149 on Wednesday, according to the Zeus Tracker site, a Swiss security research site. However, on Thursday, the number of active domains bounced back again to 194.

Mikko Hypponen, director of antivirus research for security company F-Secure, said that AS Troyak had been disconnected and reconnected several times on Thursday. "Troyak's upstream provider has changed several times today," he said, calling the actions "very unusual."

Hypponen provided more detail on the Wednesday disconnections, noting that two upstream ISPs had stopped routing traffic to AS Troyak, probably due to a local law enforcement legal order.