Botnet Security The Internet IT

Zeus Botnet Dealt a Blow As ISPs Troyak, Group 3 Knocked Out 156

itwbennett writes "Ninety of the 249 Zeus command-and-control servers were knocked offline overnight when two ISPs, named Troyak and Group 3, were taken offline. Whoever was behind the takedown 'just decided to knock out a large area of cyber-crime, and this was probably one of the easiest ways to do it,' said Kevin Stevens, a researcher with SecureWorks. As with the McColo takedown of just over a year ago, Troyak's upstream providers seem to have knocked it off the Internet, Cisco said in a statement. 'The ISP was "De-peered,"' Cisco said. 'Troyak's upstream network providers effectively pulled the plug on Troyak's router, refusing to transmit its traffic.'"
This discussion has been archived. No new comments can be posted.

  • Re:Good (Score:4, Interesting)

    by c++0xFF ( 1758032 ) on Wednesday March 10, 2010 @08:11PM (#31432908)

    From the article:

    Troyak is based in Kostanay, Kazakhstan, according to whois records.

    Taking down the servers is a political matter, not a technical one (in general). But I would imagine that clearly harboring illegal activity would be sufficient motivation for anybody. Imagine if we classified servers like we do countries that support terrorism?

    But even if we got all 249, it's like playing whack-a-mole or cutting off the head of a hydra.

  • by Nefarious Wheel ( 628136 ) on Wednesday March 10, 2010 @08:55PM (#31433266) Journal

    Meanwhile, the more legitimate ISPs don't want to spend the money to block the command/control servers individually on their networks.

    I suspect the "expense" they're afraid to incur would most likely be in the form of legal costs. Give a decent sysadmin any size list of culprits and he'll script a way to block them within a day, max. Fighting lawsuits, OTOH, is quite expensive, bogus or otherwise.

  • Re:Good (Score:4, Interesting)

    by Hadlock ( 143607 ) on Wednesday March 10, 2010 @11:52PM (#31434318) Homepage Journal

    Pretty much obliterated Blue Security, I had to google them to figure out what the hell he was talking about. He used a fairly generic term, but the end result is the same.

  • by Anonymous Coward on Thursday March 11, 2010 @03:09AM (#31435158)

    It's true.

    At one of my jobs the boss willingly hosts a spammer and gives him a couple subnets, a Xeon and a few Mbit of traffic and gets thousands from it.

    It's pretty annoying because I've been instructed to deal with Spamhaus over it all the time and one of these days they're going to call the company's bluff.

  • Re:Good (Score:4, Interesting)

    by mikael_j ( 106439 ) on Thursday March 11, 2010 @03:29AM (#31435238)

    Well, a bunch of guys (spammers) from specialham decided that BlueFrog was working a bit too well at killing spam so they basically threw everything they had at Blue Security while simultaneously launching a massive propaganda and FUD campaign online (where they made all sorts of unsubstantiated claims about Blue Security and the BlueFrog software).

    This kind of behaviour from spammers is one of the reasons I wouldn't be the least bit upset if the top 10 spammers in the world were all found one morning with holes in their heads, hopefully it would at least dissuade others (and stop these particular asshats).

  • Re:Good (Score:4, Interesting)

    by mikael_j ( 106439 ) on Thursday March 11, 2010 @03:35AM (#31435262)

    Well, most legit ISPs regardless of size tend to put a clause in their ToS about their customers not being allowed to do things that disrupt the network, and spamming and DDoS attacks seem like good enough reasons for claiming someone is disrupting the network. Hell, when I worked the abuse desk for an ISP we would warn residential customers after we got the first indication or complaint about them, disconnect them and send them a letter the second time and only reconnect when they contacted us and verified that they had fixed the problem, if there were any further complaints we would often just cut them off completely (sometimes giving them the option to present us with a receipt from a computer store showing that they'd had their computer looked at by someone there before finally cutting them off).

    No reason to make this about laws that tell ISPs what they must police in their networks, if the respectable and serious ISPs start taking their own Terms of service seriously and actually act on them even when the customer is another ISP then we'd have a lot fewer problems with botnets and spam.

  • by GNUPublicLicense ( 1242094 ) on Thursday March 11, 2010 @12:14PM (#31439012)

    ... hundreds of bot nets were created... but they got 1, they are happy.
