Tuesday, March 16, 2010

Troyak Gets Serviced by Zeus Provider

Last week, on March 9th, upstream providers de-peered Troyak-AS, a significant service provider for Zeus c&c servers. Since then, Troyak-AS has bounced between several other upstream providers, each of which de-peered it shortly thereafter. With zero traffic on the 13th and 14th, it appeared the continued takedown efforts had finally succeeded. On the 15th, however, our ongoing traffic analysis indicated that Troyak-AS was once again servicing Zeus traffic. Investigation revealed that its latest upstream providers are:

AS31366 (smallshop-as)
AS12604 (citygame-as)

Both upstream providers are registered to Vladimir Vasulyovich in Moscow. In an interesting and disturbing twist, Citygame-AS has also previously been implicated as a service provider for other Zeus c&c servers.
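The upstream-hopping described above is visible in public BGP data: in a route's AS_PATH, the AS immediately before the target is the transit provider announcing it, so diffing that set of neighbours from one day's routing table to the next shows each de-peering and re-homing. The following script is an added example written for this post, not ScanSafe's own tooling. Its input is a constructed set of date/prefix/AS_PATH records (not real routing data): Troyak's own ASN is not given on this page and is assumed to be 50215, the intermediate transit ASNs are placeholders from the private-use range 64512-65534, and the prefixes are RFC 5737 documentation addresses. Only AS31366 and AS12604 are taken from the post.

```python
"""Track which upstream ASNs carry a target AS over time (added example).

Records are simplified RIB dumps: "<date> <prefix> <AS_PATH>", where the
AS_PATH runs collector -> ... -> origin. Prepended paths (the origin
repeated to deter traffic) are collapsed before locating the upstream.
"""

TARGET_ASN = 50215  # assumed Troyak-AS ASN; not stated on the page

# Days on which a snapshot was taken; a day with no routes for the target
# means it was fully withdrawn (de-peered) at that time.
OBSERVATION_DATES = ["2010-03-08", "2010-03-10", "2010-03-13", "2010-03-15"]

# Constructed sample data. 64512-64515 are private-use placeholder ASNs,
# prefixes are RFC 5737 documentation space. 31366/12604 are from the post.
SAMPLE_RIB = """\
2010-03-08 203.0.113.0/24 64512 64513 50215 50215
2010-03-08 198.51.100.0/24 64512 64513 50215
2010-03-10 203.0.113.0/24 64514 64515 50215
2010-03-15 203.0.113.0/24 64512 31366 50215
2010-03-15 198.51.100.0/24 64514 12604 50215
"""


def parse_rib(text):
    """Return a list of (date, prefix, [asn, ...]) tuples.

    AS_SET segments ("{64512,64513}") are skipped: an upstream is never an
    AS_SET in practice, and they would otherwise break int().
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        date, prefix = parts[0], parts[1]
        path = [int(tok) for tok in parts[2:] if not tok.startswith("{")]
        records.append((date, prefix, path))
    return records


def collapse_prepends(path):
    """Remove consecutive duplicate ASNs caused by AS-path prepending."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def upstream_of(path, target):
    """ASN directly before `target` in the path, or None if not visible."""
    p = collapse_prepends(path)
    if target not in p:
        return None
    i = p.index(target)
    return p[i - 1] if i > 0 else None  # target is the collector's own AS


def upstreams_by_day(records, dates, target):
    """Map each observation date to the set of upstream ASNs seen that day."""
    by_day = {d: set() for d in dates}
    for date, _prefix, path in records:
        up = upstream_of(path, target)
        if up is not None and date in by_day:
            by_day[date].add(up)
    return by_day


def rehoming_events(by_day, dates):
    """List (date, added_upstreams, removed_upstreams) wherever the set changes.

    An entry with an empty set on both sides never appears; an entry whose
    `added` list is empty is a full withdrawal (de-peering).
    """
    events = []
    prev = set()
    for d in dates:
        cur = by_day.get(d, set())
        if cur != prev:
            events.append((d, sorted(cur - prev), sorted(prev - cur)))
        prev = cur
    return events


if __name__ == "__main__":
    days = upstreams_by_day(parse_rib(SAMPLE_RIB), OBSERVATION_DATES, TARGET_ASN)
    for date, added, removed in rehoming_events(days, OBSERVATION_DATES):
        state = "withdrawn" if not days[date] else f"via {sorted(days[date])}"
        print(f"{date}: +{added} -{removed} -> AS{TARGET_ASN} {state}")
```

Against real data the same functions work on MRT RIB dumps once converted to this line format (one route per line), and the per-day set is what to alert on: a target AS that reappears under a previously unseen upstream is the signal that a takedown has been circumvented.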

Throughout 2009, Zeus malware traffic comprised 1% of ScanSafe Web malware blocks. That level held into 2010 until March 7th, when Zeus traffic suddenly spiked to 12% of all Web malware blocks. Deeper analysis revealed that most of that spike consisted of Troyak-serviced Zeus traffic. The timing of the spike (two days before the first takedown) and the unprecedented volume increase suggest the Zeus bot herders may have had forewarning of the impending takedown. If so, that would have given the attackers time to redirect their bots to other command and control locations.

Whether existing bots were redirected may be a moot point. Now that Troyak-AS has partnered with Citygame-AS for upstream service, and both providers have been implicated in servicing known Zeus c&c servers, will the takedowns continue? Or has Troyak indeed found bulletproof hosts willing to turn a blind eye to the supply chain of data theft trojans that is the hallmark of Zeus?
