Security researcher Brian Krebs reports that Roman Hüssy's two sites - ZeusTracker and SpyEyeTracker - are having some success in assisting ISPs and companies to block infected machines from communicating with the Command & Control servers that control the botnet swarms.
Hüssy's sites, says the former Washington Post reporter, have been hit with countless distributed denial-of-service (DDoS) attacks from botmasters, apparently retaliating for having their network infrastructure listed by these services.
"At one point, someone wrote a fake suicide note in Hüssy's name and distributed it to his family and friends, prompting local police to rouse him from slumber to investigate his well-being. But those attacks haven't deterred Hüssy or sidelined his services", he notes.
And now, says Krebs, the attackers are beginning to consider stealthier and more diabolical ways to strike back.
"A series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution that puts Hüssy and/or his tracking services out of commission once and for all", he said in his latest security blog.
Krebs says that he caught up with Hüssy via instant message earlier this week and asked whether he'd seen any SpyEye or ZeuS configuration files seeded with legitimate sites. "He just laughed."
"ZeusTracker checks if a command and control server is really up before adding it to the blocklist," he told the security researcher. "These guys have no clue how ZeusTracker works."
Krebs quotes one poster on the Russian security forum, potentially a cybercriminal, as "wryly noting that having ZeusTracker and SpyEyeTracker around isn't all bad, because it tends to do a good job of killing off botnets run by novice hackers who don't know to watch out for the services."