TROYAK-AS: the cybercrime-friendly ISP that just won't go away

Summary: Over the past week, security researchers and vendors have been playing a cat-and-mouse game with a cybercrime-friendly ISP known as TROYAK-AS, one of the key "phone back" locations for the command and control servers of Zeus-serving malware campaigns for Q1, 2010.

TOPICS: Browser, Security, Telcos

Over the past week, security researchers and vendors have been playing a cat-and-mouse game with a cybercrime-friendly ISP known as TROYAK-AS, one of the key "phone back" locations for the command and control servers for the Zeus crimeware serving campaigns for Q1, 2010.

The results so far? A series of attempts by the cybercriminals to restore access to their botnet, and an invaluable learning experience for the community, with the gang exposing node after node of malicious activity.

Why does TROYAK-AS's takedown matter at the bottom line?

Disrupting the ISP's activities doesn't mean that the remaining, currently active Zeus campaigns are somehow disrupted as well. This common misunderstanding stems from Zeus being wrongly perceived as a single botnet, similar to, for instance, the Conficker botnet. In comparison, Zeus is a DIY crimeware kit -- also available as a managed crimeware service since 2008, perhaps even earlier -- with an unknown number of cybercriminals operating their own, separate Zeus botnets.

Taking the ISP down means undermining the effectiveness of a huge percentage of the campaigns launched through it during the first quarter of the year. Not only does this mean disruption of their operations, but most importantly, a loss of confidence among TROYAK-AS's customers in its ability to stay online.

Ironically, a representative of TROYAK-AS, your typical cybercrime-friendly virtual neighborhood, is doing his best to retain its underground reputation by attributing the shutdown to the fact that they forgot to pay their upstream provider. Moreover, Roman Starchenko's comments -- a fake name, that's for sure -- demonstrate the harsh reality of fighting cybercrime internationally, in particular the lack of cooperative efforts to go after the people, not the networks:

  • "I know, some of [the] clients of our service might be used for something you called 'botnet'. Anyway, we did not receive any letter from any officials of our country, so will not perform any actions as our law said."

As of Wednesday, March 10th, 2010, TROYAK-AS made multiple attempts to find an upstream provider, temporarily relying on the following ones:

  • AS44051 - YA-AS Professional Communication Systems
  • AS8342 - RTCOMM-AS RTComm.RU Autonomous System
  • AS25189 - NLINE-AS JSC Nline
  • AS12993 - DEAC-AS

Today, TROYAK-AS is "de-peered" again. However, contingency planning is clearly part of the provider's quality assurance process, especially in times when the days of the "sitting duck" cybercrime-friendly ISPs are nearly over.

What are TROYAK-AS's customers up to?

Clearly, some of them have lost confidence in TROYAK-AS's ability to remain online, and on Friday, March 12th, 2010, resumed their malicious operations by launching another campaign - "Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild". In reality, TROYAK-AS's customers have a pretty diverse choice of providers offering similar services, with cybercriminals offering a mix of legitimate and purely malicious infrastructure for anything cybercrime related.

TROYAK-AS remains "de-peered". It's only a matter of time before they find another upstream provider. The ISP remains the tip of the iceberg, with Russia, followed by China and the U.S., listed as the top Zeus malware hosting countries.

What the cybercriminals are forgetting is that every time they attempt to regain access to the botnets, they sacrifice their OPSEC (operational security). Sooner or later, the analysis of their activities will move beyond the WHOIS records and start profiling them on a first-name basis.

UPDATE, Wednesday, March 17, 2010: Today, the folks at RSA FraudAction Research Lab posted an update, "AS-Troyak Exposes a Large Cybercrime Infrastructure", offering insight into the infrastructure that the cybercriminals exposed on their way to putting AS-TROYAK back online.

What do you think? Are such take downs relevant in the long-term, or is the "learning experience" gained worth the efforts? Does it really matter if a particular botnet gets shut down, given the fact that the botnet masters remain at large, and would basically aggregate a new one?


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • It does seem to matter.

    For some reason, some botnet herders are still using centralized C&C instead of P2P, so finding and shutting down these C&C points matters. I doubt this will continue for much longer, though.
    • Even with a p2p command&control model

      You still have to have at least ONE or two static IP addresses or websites for these things to connect to in order to get the list of addresses or send the list of addresses they are on!

      So.... p2p C&C wouldn't work, in and of itself.

      As a blended model with other things? Yeah, it would work well.
      • DHT does it in BitTorrent clients without any static, hardcoded IPs.
  • RE: TROYAK-AS: the cybercrime-friendly ISP that just won't go away

    Takedowns are important, even with limited effect.
  • Increase cost of business

    ...and the people responsible for creating these botnets would start suffering from reduced profits as they continue to make attempts to come back online. Eventually the costs involved with trying to constantly restore services, as well as a loss of clients due to all the downtime, would force the ISP to close. So I say, keep up the work trying to shut them down.