Zeus Botnet Down But Not Out
Posted by timothy from the like-the-energizer-bunny-in-more-ways-than-one dept.
harryjohnston writes "The Register points out that the takedown of a significant number of Zeus command-and-control servers, which we discussed earlier, was a short-lived victory, as about one-third of the affected servers were back on the net in less than 48 hours." Adds itwbennet: "Just hours after network connectivity to Troyak was severed the ISP peered with a new upstream Internet service provider named Ya. The next step will be to 'de-peer' Troyak from its new service provider, either an ISP named Nassist or its upstream provider, Hurricane Electric, said a researcher familiar with the matter. 'We have taken some of their territory, they are trying to out flank us,' the researcher said via IM. 'We are going to win this one — we have 'em boxed in.'"
Re:Well I'm sold. (Score:5, Interesting)
Can I host my e-commerce site on Zeus?
I'm not sure if this is funny or dreadfully insightful... Most data centers can't keep it up for a single year but then you have schmucks who keep these bot-nets up seemingly forever.
Are we looking at the future of serious web-hosting?
Re:Botnets (Score:4, Interesting)
Nothing special to it. It's just like a standard virus infection. Take the Blaster worm, for example. You can normally just look at router lights and see if someone's infected (well, unless there's a person constantly streaming music.) The point is that these zombies are up all day getting and receiving data, like a webhost. The data is either addresses to be newly infected, or new command data containing the payloads with the actual spam to be sent out.
If you turn off all the P2P apps, let the PC boot up to a desktop and the network light for that PC immediately goes non-stop for more than 15 minutes, you're infected. No buts.
Re:Well I'm sold. (Score:4, Interesting)
It's called "bulletproof hosting". You pay in E-gold. Preferably from an account with a fake name.
But yes, they can keep your site up even against determined government-based opposition. They have private command servers and random host virtual desktops. You can buy botnets by the host or rent them by the host-hour. DoS hosts are ready for your competitor-throttling needs, and bulk discounts scale appropriately. Please be advised that certain challenging chores like DDoS of national infrastructure servers require open finance accounts, and sufficient credit must be made available before the attack starts.
Almost without exception, the hosts themselves run Windows.
Re:Well I'm sold. (Score:4, Interesting)
Embrace and extend, am I getting it right?
Yeah... think of a future EULA where you give a corporation or even some random freeware coder permission to use your computer while it's at idle and in exchange they give you a discount on your next purchase of $50 or more from their eStore or some other such idiocracy...
It sounds horribly doable so why pay to host the cloud when you can force your users to pay you for the privilege to do so?
And how would one police such a thing where everything is encrypted and special commands can be sent to a limited number of clients in very specific locales with no one being able to tell? I can think of some serious evil that could be done where the end user would take the fall for cybercrime, because no one at corporation X would ever abuse its users.
Microsoft can't get everyone to pay for Windows? No problem, they release Windows 8 - Free Botnet Edition. We are almost there now with the whole phone-home-every-day-to-verify-your-copy WGA crap.
New DRM for your game? Sure, overwrite your game's executable every hour or change your encryption keys. Something not right on a host's computer? Well, the EULA clearly states you can nuke their OS. I mean, it was on the box, remember?
Heck, remember when Netzero was free because of the ad banner? This is far more evil and far more useful. Wanna play the new US Army 3D shooter game? Sure no problem, join the botnet today! It's free and we promise not to use your computer to DDoS Canada because they still don't have good enough copyright laws....
Or
What about a new closed source encrypted bit-torrent protocol where the user agrees to host part of the pirate bay database or track random torrents? You wanna download warez or music kid? Alright, but you gotta join our botnet first. Together we are strong right? I mean you're only 15 kid.... no one will arrest you for hosting kiddy porn or the latest best-of metallica holodisk.. I mean it's your evil parents who pay for the internet anyhow kid so forget-about-it....
Wow... I think I just totally lost what little mind I have left for a moment, sorry... now back to your normal slashdot flamewar already in progress...
Re:Kinda, yeah (Score:1, Interesting)
I was worried about that too, since I've had hosting with HE, so I took a look at the routing history for Troyak's IPs.
Looks like any time Troyak spent transiting HE was limited to a couple of hours. BGPlay shows AS50215's (Troyak) prefixes transited Nassist starting on the 10th. Shortly afterwards it looks like HE (6939) dropped those prefixes from Nassist, saw them from another peer, and then only saw them from Global Crossing (3549) (one of HE's transits). A little after that Nassist dropped the Troyak peering as well. Troyak's since had service with RTComm, and looks to be getting nuked from them too. From here it looks like an HE customer turned up a customer, found they were a bad apple and threw it back.
Stick 91.201.28.0/22 into BGPlay for an entertaining view of BGP routing and people cutting heads off a hydra.
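The routing-history exercise the comment above describes (watching which upstream AS is carrying AS50215's prefix and when that changes) can be automated. The following is an added example, not code from the original post or from BGPlay/RIPE: it takes a list of observed AS paths for a prefix, as a looking glass or route collector would export them, strips AS-path prepending, and reports every point at which the set of ASes directly upstream of the origin changes. The observations, timestamps, and the ASNs standing in for Nassist and RTComm (documentation-range ASNs 64496 and 64497) are constructed for the example; 50215, 6939 and 3549 are the ASNs named in the thread.

```python
"""Track upstream-provider changes for a prefix from observed BGP AS paths.

Added example (not from the original page). Input data is constructed;
a real run would feed it AS paths exported from a route collector."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

PREFIX = "91.201.28.0/22"       # prefix named in the thread
ORIGIN = 50215                  # Troyak (named in the thread)
HE = 6939                       # Hurricane Electric (named in the thread)
GX = 3549                       # Global Crossing (named in the thread)
NASSIST_PLACEHOLDER = 64496     # assumption: documentation ASN standing in for Nassist
RTCOMM_PLACEHOLDER = 64497      # assumption: documentation ASN standing in for RTComm


@dataclass(frozen=True)
class RouteObservation:
    timestamp: str              # ISO-8601 string; constructed for this example
    prefix: str
    as_path: Tuple[int, ...]    # collector-side first, origin AS last; empty = withdrawn


def dedupe_prepends(path: Tuple[int, ...]) -> Tuple[int, ...]:
    """Collapse consecutive repeats so AS-path prepending (50215 50215 ...)
    does not hide the real neighbour of the origin."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def upstreams_by_time(origin: int, obs: List[RouteObservation]) -> Dict[str, Set[int]]:
    """For each timestamp, the set of ASes seen immediately before `origin`
    in any observed path, i.e. who is announcing the prefix on its behalf.
    A timestamp with only withdrawn routes maps to an empty set."""
    result: Dict[str, Set[int]] = {}
    for o in obs:
        ups = result.setdefault(o.timestamp, set())
        path = dedupe_prepends(o.as_path)
        if len(path) >= 2 and path[-1] == origin:
            ups.add(path[-2])
    return result


def upstream_transitions(origin: int, obs: List[RouteObservation]) -> List[Tuple[str, FrozenSet[int], FrozenSet[int]]]:
    """Return (timestamp, previous_upstreams, new_upstreams) for every point
    at which the upstream set changed, including the first sighting and a
    full withdrawal."""
    by_time = upstreams_by_time(origin, obs)
    events = []
    prev: FrozenSet[int] = frozenset()
    first = True
    for ts in sorted(by_time):
        cur = frozenset(by_time[ts])
        if first or cur != prev:
            events.append((ts, prev, cur))
        prev, first = cur, False
    return events


def timestamps_via(asn: int, obs: List[RouteObservation]) -> List[str]:
    """Timestamps at which `asn` appeared anywhere in a path for the prefix,
    e.g. to check how long HE was in the transit chain at all."""
    return sorted({o.timestamp for o in obs if asn in o.as_path})


# Constructed observations: two vantage points, four snapshots. The story
# mirrors the comment's description but the times and paths are invented.
OBSERVATIONS = [
    RouteObservation("2010-03-10T00:00Z", PREFIX, (HE, NASSIST_PLACEHOLDER, ORIGIN)),
    RouteObservation("2010-03-10T00:00Z", PREFIX, (GX, NASSIST_PLACEHOLDER, ORIGIN, ORIGIN)),  # prepended
    RouteObservation("2010-03-10T03:00Z", PREFIX, (HE, GX, NASSIST_PLACEHOLDER, ORIGIN)),    # HE now only via GX
    RouteObservation("2010-03-10T03:00Z", PREFIX, (GX, NASSIST_PLACEHOLDER, ORIGIN)),
    RouteObservation("2010-03-11T09:00Z", PREFIX, (HE, GX, RTCOMM_PLACEHOLDER, ORIGIN)),     # new upstream
    RouteObservation("2010-03-11T09:00Z", PREFIX, (GX, RTCOMM_PLACEHOLDER, ORIGIN)),
    RouteObservation("2010-03-12T12:00Z", PREFIX, ()),                                       # withdrawn
]

if __name__ == "__main__":
    for ts, before, after in upstream_transitions(ORIGIN, OBSERVATIONS):
        print(f"{ts}: upstreams {sorted(before)} -> {sorted(after)}")
    print("seen via HE at:", timestamps_via(HE, OBSERVATIONS))
```

Note that the second snapshot changes HE's own path (it now reaches the prefix through Global Crossing) without changing Troyak's direct upstream, so `upstream_transitions` stays quiet there while `timestamps_via(HE, ...)` still records it; the two views together answer both "who is the provider" and "who is still carrying it downstream".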