Last week, RSA and other security professionals noticed a sudden halt in the activity of an upstream Internet connectivity provider named “AS-Troyak”, which caused several major malware-hosting networks to disconnect from the Internet. Further investigation showed that AS-Troyak is merely one part of a larger cybercrime infrastructure providing “bulletproof” hosting to purveyors of malicious content.
The RSA Anti-Fraud Command Center (AFCC) and RSA FraudAction Research Labs have been investigating the activity of several malicious bulletproof hosting services for quite some time. As it turns out, these services are related and connect to the Internet through five different upstream providers. We have also analyzed these networks’ peering information through RIPE1, and cross-referenced the data with malware attacks we detect in the wild; this enabled us to draw conclusions as to what we believe is a multi-network cybercrime infrastructure.
In light of our findings, AS-Troyak appears to be one piece in an intricate puzzle of networks used for malicious purposes. We suspect that the purpose of these networks is to keep eight (8) bulletproof, malware-hosting facilities connected to the Internet, assuring their constant online presence.
Current Status – Still Unstable
The connectivity status of the networks that relied on AS-Troyak is unstable, with servers going back online and then off again as they try to re-connect via several peering options. Troyak itself has been attempting to redirect its traffic through alternate upstream providers. As of March 17, most of the malware servers/networks that used AS-Troyak are offline yet again, but the situation is extremely unstable. We expect this unstable connectivity phase to persist for some time.
How Do Such Malicious Networks Maintain Bulletproof Connectivity?
These malicious networks attain bulletproof connectivity through the intricacy of their connection schemes. The bulletproof network that harbors the malware itself does not connect directly to a legitimate ISP; it connects via “Upstream Providers” (transit Autonomous Systems) which mask its true location. No actual malware is present on the “masking” networks. The particular cybercrime infrastructure we analyzed uses 5 upstream providers to hide its connections to the Internet.
Each upstream provider is able to connect to multiple legitimate ISPs; those remain unaware of the malware-hosting servers that indirectly exploit their services.
These ISPs are legitimate service providers which are unwittingly used as a channel for delivering malicious content. We suspect that Troyak’s shutdown last week might have been the result of coordinated refusals by some of these ISPs to carry its traffic.
The upstream providers also peer with one another, forming a closed loop that keeps their online presence solidly active. Because the bulletproof networks can alternate between these connections, their ability to continuously serve malware is assured even when one upstream is cut off. This scheme is also dubbed a “Mesh Topology”.
Bulletproof Network where malware is actually hosted, shown in the dark red cloud with the Trojan horse’s icon;
Upstream Providers are orange-colored clouds;
Legitimate ISPs are shown as green clouds.
AS-Troyak – Merely One Part of a Larger Cybercrime Infrastructure
The cybercrime infrastructure we analyzed consists of 8 bulletproof networks and 5 upstream providers, and connects to 9 legitimate ISPs through which this “Trojan farm” accesses the Internet. According to these networks’ WHOIS records (all of which contain fake details), they are located in Kazakhstan, Ukraine, Russia and Moldova.
A Detailed Roster of This Cybercrime Infrastructure:
At its core, eight (8) bulletproof networks host a wealth of malware, with Zeus Trojans being the most prominent. RockPhish JabberZeus drop servers and Gozi Trojan servers are also hosted on these networks.
Bulletproof Networks’ Names:
Five (5) upstream providers surround the malicious core. These auxiliary networks (transit-type Autonomous Systems) mask the true malware-hosting armada and provide solid uptime to the malware servers.
Upstream Providers Names:
Nine (9) legitimate ISPs connect the upstream providers to the Internet. These ISPs’ peering data shows that they accept traffic (or had accepted it at some stage) from the 5 upstream providers. It is important to note that these 9 ISPs are legitimate companies which are merely used as a channel to the Internet. As stated above, Troyak’s temporary shutdown might have been the result of counter-actions recently taken by some of these ISPs.
Legitimate ISP Names:
See the diagram below for a visual overview of the infrastructure we analyzed. At the time AS-Troyak went offline, five (5) ISPs simultaneously denied it service. We inferred this structure from the malware attacks we observed and from the peering data of the associated networks.
Bulletproof Networks where malware is actually hosted are marked in red with the Trojan horse icon;
Upstream Providers are orange-colored spheres;
Legitimate ISPs are shown in green spheres.
Red arrows connect bulletproof networks to upstream providers;
Light yellow arrows connect upstream providers to one another;
Dark orange arrows connect upstream providers to legitimate ISPs.
RSA checked the credentials of the bulletproof networks and upstream providers: all present bogus contact details on their public WHOIS records. A few host only an “Under Construction” page; the rest host no information at all, a sign that they do not intend to be traced or contacted.
Figure 3: Example of Smallshop’s domain page, one of the upstream providers
We also searched the publicly available peering records of the aforementioned transit networks (available through the regional registry’s website, in this case RIPE). For example, the WHOIS (aut-num) record belonging to YA (AS44051), another upstream provider, shows that it accepts AS-TROYAK’s routes from AS50215 and announces a full routing table (ANY) back to it; in other words, YA provides transit to AS-TROYAK, and both are part of the same cybercrime infrastructure described above.
A snippet from YA’s WHOIS record confirming the connection to “TROYAK” (AS50215):
remarks: ---------------- Begin of PR-C3-MT -------------------
import:  from AS47821 action pref=100; accept ANY
export:  to AS47821 announce AS-PROCS-CLIENTS
remarks: ---------------- End of PR-C3-MT -------------------
remarks: ---------------- Begin of PR-C4-MT -------------------
import:  from AS50215 action pref=100; accept AS-TROYAK
export:  to AS50215 announce ANY
remarks: ---------------- End of PR-C4-MT -------------------
It is important to understand that although part of this infrastructure may lose connectivity, the bulletproof networks can still resume activity through the other upstream providers they have access to; most are already back online via alternate connections within the same cybercrime infrastructure. This redundancy is what keeps malicious servers up and running over time, as the past week’s events have shown.
Figure 4: ISPs Denying Service to One Upstream Provider As Connection Is Restored through Other Networks.
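To make the peering analysis above concrete, here is an added example (an illustration written for this page, not RSA’s own tooling). It parses aut-num import/export lines of the kind quoted in the YA record, infers provider/customer direction using the common heuristic that whoever announces a full table (ANY) to a neighbour is that neighbour’s provider, and then enumerates a bulletproof network’s exit paths to the legitimate ISPs, including what survives when one upstream such as AS50215 is cut off, which is the redundancy the post describes. The record text is constructed: the AS44051 lines mirror the snippet quoted above, while AS64496, AS64500 and AS64510 are taken from the reserved documentation range and stand in for an unnamed bulletproof network, upstream provider and ISP rather than for any network RSA identified.

```python
"""Infer transit relationships from RPSL aut-num records and test redundancy.

Added illustration for this post; not RSA's tooling.  The record text is
constructed: the AS44051 lines mirror the YA snippet quoted above, while
AS64496, AS64500 and AS64510 come from the reserved documentation range and
stand in for an unnamed bulletproof network, upstream provider and ISP.
"""
import re
from collections import defaultdict

SAMPLE_RPSL = """\
aut-num:  AS44051
import:   from AS47821 action pref=100; accept ANY
export:   to AS47821 announce AS-PROCS-CLIENTS
import:   from AS50215 action pref=100; accept AS-TROYAK
export:   to AS50215 announce ANY

aut-num:  AS50215
import:   from AS44051 action pref=100; accept ANY
export:   to AS44051 announce AS-TROYAK
import:   from AS64500 action pref=100; accept ANY
export:   to AS64500 announce AS-TROYAK
import:   from AS64496 action pref=100; accept AS64496
export:   to AS64496 announce ANY

aut-num:  AS64500
import:   from AS64510 action pref=100; accept ANY
export:   to AS64510 announce AS64500:AS-CUSTOMERS
import:   from AS64496 action pref=100; accept AS64496
export:   to AS64496 announce ANY
"""

LINE_RE = re.compile(r"^(aut-num|import|export):\s*(.*)$")
IMPORT_RE = re.compile(r"from\s+(AS\d+).*?accept\s+(\S+)", re.I)
EXPORT_RE = re.compile(r"to\s+(AS\d+).*?announce\s+(\S+)", re.I)


def parse_aut_nums(text):
    """Return {owner_asn: [(direction, neighbour, policy), ...]}."""
    records, owner = defaultdict(list), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "aut-num":
            owner = value.strip().upper()
        elif owner is not None:
            pm = (IMPORT_RE if key == "import" else EXPORT_RE).search(value)
            if pm:
                records[owner].append((key, pm.group(1).upper(), pm.group(2).upper()))
    return dict(records)


def provider_edges(records):
    """Infer (provider, customer) pairs.

    Heuristic: a full table ("ANY") flows from provider to customer, so
    "export: to X announce ANY" makes the owner X's provider and
    "import: from X accept ANY" makes X the owner's provider.  One side's
    record is enough, which matters when the other side publishes nothing.
    """
    edges = set()
    for owner, entries in records.items():
        for direction, neighbour, policy in entries:
            if policy == "ANY":
                edges.add((owner, neighbour) if direction == "export" else (neighbour, owner))
    return edges


def exit_paths(edges, start, blocked=frozenset()):
    """Provider chains from `start` up to ASes with no provider on record
    (the legitimate ISPs at the edge), skipping any AS in `blocked`."""
    providers = defaultdict(set)
    for prov, cust in edges:
        providers[cust].add(prov)
    paths = []

    def walk(node, path):
        if node in blocked:
            return
        path = path + [node]
        if not providers[node]:
            paths.append(path)
            return
        for prov in sorted(providers[node] - set(path)):  # no loops inside the mesh
            walk(prov, path)

    walk(start, [])
    return paths


def choke_points(edges, start):
    """ASes whose loss alone would leave `start` with no exit path."""
    others = {n for e in edges for n in e} - {start}
    return sorted(n for n in others if not exit_paths(edges, start, blocked={n}))


if __name__ == "__main__":
    edges = provider_edges(parse_aut_nums(SAMPLE_RPSL))
    for prov, cust in sorted(edges):
        print(f"{prov} provides transit to {cust}")
    for path in exit_paths(edges, "AS64496"):
        print("exit path:", " -> ".join(path))
    print("with AS50215 cut off:", exit_paths(edges, "AS64496", blocked={"AS50215"}))
    print("single choke points:", choke_points(edges, "AS64496") or "none")
```

Real aut-num objects for the networks in this infrastructure can be fetched with a plain registry query such as `whois -h whois.ripe.net AS44051` and fed to parse_aut_nums unchanged. The ANY heuristic is only a lead: two networks that exchange full tables as peers will be classified as each other’s provider, so, as the post does, the inferred direction should be confirmed against the malware attacks actually observed leaving those networks. The interesting result for the sample is that no single AS is a choke point for the bulletproof network, which is exactly why taking AS-Troyak down only produced an unstable phase rather than a lasting outage.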
1 The RIPE NCC is one of the five Regional Internet Registries (RIRs) providing Internet resource allocations (such as IP addresses), registration services and co-ordination activities that support the operation of the Internet globally.