RSA Reveals Zeus Trojan Cyber-Crime Infrastructure

Security researchers at RSA spotlight the cyber-infrastructure that props up malware like the Zeus Trojan by providing so-called bulletproof hosting to attackers

Researchers in EMC’s RSA security division have uncovered an extensive infrastructure propping up the attackers behind the Zeus Trojan.

The findings reflect part of the reason the disruption of Troyak-AS on 9 March only caused Zeus traffic to slow, as opposed to stopping it in its tracks. Troyak is just one part of a larger cyber-crime infrastructure helping to provide “bulletproof” hosting to attackers.

“In light of our findings, AS-Troyak appears to be a piece in an intricate puzzle of networks that are used for malicious purposes,” RSA said yesterday. “We suspect that the purpose of these networks is to connect an armada of eight malicious, bulletproof malware-hosting facilities to the internet, assuring their constant online presence.”

According to RSA, Troyak is one of five upstream providers that surround the eight networks. The other four upstream providers are Taba, Smallshop, Profitlan and Ya. Besides Zeus, the eight networks host other forms of malware, as well as servers for the Gozi Trojan and drop servers for the RockPhish gang.

“The connectivity status of the networks that relied on AS-Troyak is unstable, with servers going back online, then off again, as they try to reconnect via several peering options,” RSA reported. Troyak meanwhile has sought to redirect its web traffic through other upstream providers. As of 16 March, however, most of the malware servers that used Troyak were functional and using both Troyak and other connections within the cyber-crime ecosystem RSA analysed.

“The way these malicious networks attain bulletproof connectivity is through the intricacy of their connection schemes,” RSA explained. “The bulletproof network that harbours the malware itself connects to a legitimate ISP [internet service provider] via ‘Upstream Providers’ (transit autonomous systems), which mask its true location. No actual malware is present on the ‘masking’ networks.

“The particular cyber-crime infrastructure we analysed uses five upstream providers to hide its connections to the internet.”

RSA stressed: “Each upstream provider is able to connect to multiple legitimate ISPs; those remain unaware of the malware-hosting servers that indirectly exploit their services.”
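The connection scheme RSA describes above (hosting networks that reach legitimate ISPs only through transit "upstream" ASes) is easy to reason about as a small graph. The following script, added here as an illustration and not RSA's tooling or data, models that topology and shows why disconnecting a single upstream such as Troyak only removes the paths that run through it; the five upstream names come from the article, while the hosting-network and ISP labels and every path are constructed placeholders.

```python
"""Model the 'bulletproof' connectivity scheme described by RSA: hosting
networks reach legitimate ISPs only via transit (upstream) ASes, so taking
one upstream offline removes only the paths that pass through it.
The topology below is constructed for illustration, not RSA's real data."""
from collections import defaultdict

# Constructed observations: (hosting network, upstream AS, legitimate ISP).
# Upstream names are the five from the article; hosts/ISPs are placeholders.
PATHS = [
    ("host1", "troyak", "isp-a"), ("host1", "taba", "isp-b"),
    ("host2", "troyak", "isp-a"), ("host2", "smallshop", "isp-c"),
    ("host3", "troyak", "isp-b"),
    ("host4", "profitlan", "isp-c"), ("host4", "ya", "isp-d"),
    ("host5", "troyak", "isp-d"), ("host5", "ya", "isp-a"),
    ("host6", "taba", "isp-b"),
    ("host7", "troyak", "isp-c"), ("host7", "profitlan", "isp-b"),
    ("host8", "troyak", "isp-a"),
]

def upstreams_of(paths):
    """Map each hosting network to the set of transit ASes it can use."""
    ups = defaultdict(set)
    for host, upstream, _isp in paths:
        ups[host].add(upstream)
    return dict(ups)

def reachable_after_disruption(paths, down):
    """Hosting networks that still reach a legitimate ISP once every
    upstream in `down` is disconnected (RSA's 'other peering options')."""
    return sorted({h for h, u, _ in paths if u not in down})

def single_points_of_failure(paths):
    """Hosts with exactly one upstream: the only ones a disruption of
    that single AS would actually take offline."""
    return {h: next(iter(u)) for h, u in upstreams_of(paths).items() if len(u) == 1}

def isps_exposed_via(paths, upstream):
    """Legitimate ISPs that unknowingly carry traffic for one upstream."""
    return sorted({isp for _, u, isp in paths if u == upstream})

if __name__ == "__main__":
    hosts = sorted({h for h, _, _ in PATHS})
    still_up = reachable_after_disruption(PATHS, {"troyak"})
    print(f"{len(still_up)}/{len(hosts)} hosting networks survive a Troyak-only cut")
    print("single-upstream hosts:", single_points_of_failure(PATHS))
    print("ISPs transited via Troyak:", isps_exposed_via(PATHS, "troyak"))
```

Cutting all five upstreams at once is the only disruption in this model that empties the reachable set, which is the practical point behind RSA's observation that the Troyak takedown merely slowed Zeus traffic.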

Sean Brady, manager of the Identity Protection and Verification Group at RSA, told eWEEK that it is atypical for organised crime to reach this level of extensive operating infrastructure because of the difficulty involved in a criminal operation building itself up to this scale.

“What has become typical, though, are fraudsters, not necessarily even directly affiliated with the organised crime groups, [who] recognise the value of the services provided and pay money to use the infrastructure for their own fraudulent purposes,” Brady said. “It is analogous to legitimate internet usage—there are not that many large-scale ISPs in the world given their cost of infrastructure, but there are millions of people willing to pay the ISPs to use their services.”