RSA Reveals Zeus Trojan Cyber-Crime Infrastructure

Researchers in EMC’s RSA security division have uncovered an extensive infrastructure propping up the attackers behind the Zeus Trojan.

The findings help explain why the disruption of Troyak-AS on 9 March only slowed Zeus traffic rather than stopping it in its tracks. Troyak is just one part of a larger cyber-crime infrastructure helping to provide “bulletproof” hosting to attackers.

“In light of our findings, AS-Troyak appears to be a piece in an intricate puzzle of networks that are used for malicious purposes,” RSA said yesterday. “We suspect that the purpose of these networks is to connect an armada of eight malicious, bulletproof malware-hosting facilities to the internet, assuring their constant online presence.”

According to RSA, Troyak is one of five upstream providers that surround the eight networks. The other four upstream providers are Taba, Smallshop, Profitlan and Ya. Besides Zeus, the eight networks host other forms of malware, as well as servers for the Gozi Trojan and drop servers for the RockPhish gang.

“The connectivity status of the networks that relied on AS-Troyak is unstable, with servers going back online, then off again, as they try to reconnect via several peering options,” RSA reported. Troyak meanwhile has sought to redirect its web traffic through other upstream providers. As of 16 March, however, most of the malware servers that used Troyak were functional and using both Troyak and other connections within the cyber-crime ecosystem RSA analysed.

“The way these malicious networks attain bulletproof connectivity is through the intricacy of their connection schemes,” RSA explained. “The bulletproof network that harbours the malware itself connects to a legitimate ISP [internet service provider] via ‘Upstream Providers’ (transit autonomous systems), which mask its true location. No actual malware is present on the ‘masking’ networks.

“The particular cyber-crime infrastructure we analysed uses five upstream providers to hide its connections to the internet.”

RSA stressed: “Each upstream provider is able to connect to multiple legitimate ISPs; those remain unaware of the malware-hosting servers that indirectly exploit their services.”
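The layering RSA describes (malware-hosting network, then a transit AS, then a legitimate ISP) is visible in BGP AS paths. The Python below is an added example, not RSA's method or code from the article: it takes AS paths and a set of origin ASes already flagged as malware-hosting, then reports transit ASes whose directly attached origins are almost all flagged, along with the ISPs one hop further out. All AS numbers are constructed from the private-use range, and the 0.8 threshold and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: AS paths as a route collector records them
# (left = collector's peer, right = origin). Private-use ASNs only.
SAMPLE_PATHS = [
    "64600 64700 65001 65101",
    "64601 64700 65001 65102",
    "64600 64701 65002 65002 65101",  # same origin via a second upstream, with prepending
    "64601 64701 65002 65103",
    "64600 64700 64800",              # ordinary customer of a legitimate ISP
    "64601 64701 64801",
    "64600 64700 64802 64900",
]
FLAGGED_ORIGINS = {65101, 65102, 65103}  # assumed: ASes already known to host malware


def dedupe(path):
    """Collapse AS-path prepending (consecutive repeats of one ASN)."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def masking_candidates(paths, flagged, threshold=0.8):
    """Return transit ASes that mostly front for flagged origins."""
    customers = defaultdict(set)  # upstream -> origins seen directly behind it
    providers = defaultdict(set)  # upstream -> ASes one hop closer to the internet
    for line in paths:
        hops = dedupe([int(tok) for tok in line.split()])
        if len(hops) < 2:
            continue  # a bare origin tells us nothing about its upstream
        origin, upstream = hops[-1], hops[-2]
        customers[upstream].add(origin)
        if len(hops) >= 3:
            providers[upstream].add(hops[-3])
    report = {}
    for upstream, origins in customers.items():
        bad = origins & flagged
        ratio = len(bad) / len(origins)
        if upstream not in flagged and ratio >= threshold:
            report[upstream] = {
                "flagged_ratio": ratio,
                "flagged_origins": sorted(bad),
                "isps_to_notify": sorted(providers[upstream]),
            }
    return report


if __name__ == "__main__":
    for asn, info in sorted(masking_candidates(SAMPLE_PATHS, FLAGGED_ORIGINS).items()):
        print(asn, info)
```

An origin that shows up behind more than one candidate, as 65101 does in the sample, matches the reconnection through several peering options that RSA reports.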

Sean Brady, manager of the Identity Protection and Verification Group at RSA, told eWEEK that it is atypical for organised crime to reach this level of extensive operating infrastructure because of the difficulty involved in a criminal operation building itself up to this scale.

“What has become typical, though, are fraudsters, not necessarily even directly affiliated with the organised crime groups, [who] recognise the value of the services provided and pay money to use the infrastructure for their own fraudulent purposes,” Brady said. “It is analogous to legitimate internet usage—there are not that many large-scale ISPs in the world given their cost of infrastructure, but there are millions of people willing to pay the ISPs to use their services.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
