It’s quite interesting to see AS44997 (BTG12-AS BTG route block) at the top of the worst ISPs. For those of you who read my blog frequently: you know that ASN very well from my previous posts. For all others: AS44997 was formerly known as UATelecom. The ISP is now known as Ural Industrial Company (Ural-NET) and is located in Russia. Different name but the same dirty business as before:
Ref: SBL70438
91.211.64.0/22 is listed on the Spamhaus Block List (SBL)
15-Feb-2009 21:53 GMT | SR04
Cybercrime & spam hosting hub; Ural Industrial Company Source: Spamhaus SBL70438
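The listing above is only useful operationally if you can match your own hosts against it. The following is an added example (not code from abuse.ch or Spamhaus) that parses the four-line listing as quoted here and checks a few addresses against the listed netblock; the line layout is an assumption taken from the quoted text, not a documented Spamhaus format, and the sample hosts are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed copy of the SBL listing quoted in the post (layout assumed from the quote).
SBL_LISTING = """Ref: SBL70438
91.211.64.0/22 is listed on the Spamhaus Block List (SBL)
15-Feb-2009 21:53 GMT | SR04
Cybercrime & spam hosting hub; Ural Industrial Company"""


@dataclass
class SblRecord:
    ref: str
    network: ipaddress.IPv4Network
    listed_at: datetime
    reason: str


def parse_sbl_listing(text: str) -> SblRecord:
    """Parse the listing format shown in the post: Ref line, CIDR line,
    date line ("dd-Mon-yyyy HH:MM GMT | tag"), reason line."""
    lines = [line.strip() for line in text.strip().splitlines()]
    ref = re.fullmatch(r"Ref:\s*(SBL\d+)", lines[0]).group(1)
    cidr = re.match(r"(\d+\.\d+\.\d+\.\d+/\d+)", lines[1]).group(1)
    # "15-Feb-2009 21:53 GMT" -> drop the trailing zone name, treat as UTC
    date_part = lines[2].split("|")[0].strip().rsplit(" ", 1)[0]
    listed_at = datetime.strptime(date_part, "%d-%b-%Y %H:%M").replace(tzinfo=timezone.utc)
    # strict=True rejects a CIDR with host bits set (a typo in a listing would be caught here)
    return SblRecord(ref, ipaddress.ip_network(cidr, strict=True), listed_at, lines[3])


def check_hosts(hosts, records):
    """Return {host: SBL ref} for every host that falls inside a listed netblock."""
    hits = {}
    for host in hosts:
        addr = ipaddress.ip_address(host)
        for rec in records:
            if addr in rec.network:
                hits[host] = rec.ref
                break
    return hits


if __name__ == "__main__":
    rec = parse_sbl_listing(SBL_LISTING)
    # Constructed sample hosts: two inside 91.211.64.0/22, one just outside it.
    sample = ["91.211.64.1", "91.211.67.254", "91.211.68.1"]
    print(rec)
    print(check_hosts(sample, [rec]))
```

A /22 covers 1024 addresses (91.211.64.0 through 91.211.67.255), so the third sample host is deliberately one address past the listed range; the membership test with `ipaddress` avoids the off-by-one mistakes that hand-written prefix comparisons tend to make.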
Another suspicious ISP is LeaseWeb, which is located in the Netherlands. When we look at the Spamhaus SBL, we see more suspicious activity in LeaseWeb’s network:
The next ISP is Sistemnet Telekomunikasyon, which is located in Turkey. I’ve already seen a lot of phishing sites, C&Cs and dropzones there. In short, it’s even worse than Ural-NET. Just take a look at the SBLs concerning Sistemnet Telekomunikasyon:
If you want to see the whole statistic, you can take a look at it on the ZeuS Tracker statistics page (link).
Improvements made to the ZeuS Tracker
Last but not least I have made some improvements to the ZeuS Tracker:
Country RSS feed available
I’ve received some requests from various CERTs concerning a country RSS feed for new ZeuS hosts. So I’ve decided to create one. You can find it on the country page (e.g. https://zeustracker.abuse.ch/monitor.php?country=HK). On the country page, just click on “Subscribe this country via RSS feed” and you will get informed about new ZeuS hosts in the specified country.
Browse ZeuS binaries
There is now a Browse ZeuS binaries function on the monitor page. With this function you can browse all ZeuS binaries which are stored in the ZeuS Tracker database (link).
Browse ZeuS configs
Additionally there is also a Browse ZeuS configs function on the monitor page. With this function you can browse all ZeuS configs which are stored in the ZeuS Tracker database (link).
The webserver which is hosting abuse.ch and ZeuS Tracker is currently under high system load due to an ongoing DDoS attack against the blog (abuse.ch). The DDoS started yesterday at 02:00 pm (UTC):
The origin seems to be the same as last time (see previous post “DDoS Angriff & Joe Job gegen abuse.ch (German)”). The fact is that the bots are using the same user agents as during the attack last year:
FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.cock/support/crawler.asp)
If we google the user agent above, we find some interesting information about the origin of the DDoS attack:
“Let’s take a look at yet another bot originating from the Mother Russia. It’s called Illusion, and it has a nice and clear GUI tool for configuration that even an idiot (you could argue that only idiots use malware anyway) can use.”
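A fixed, unusual user agent like the one above is a cheap signal to pivot on in the web server logs while the attack is running. The following is an added example (not code from abuse.ch) that parses Apache/nginx "combined" format access log lines, counts requests per source IP that carry the exact user agent quoted in the post, and returns the sources above a hit threshold; the log format is an assumption, and the sample lines (with RFC 5737 documentation addresses) are constructed.

```python
import re
from collections import Counter

# User agent quoted in the post as the one sent by the attacking bots.
ATTACK_UA = ("FAST-WebCrawler/3.8 (atw-crawler at fast dot no; "
             "http://i.love.teh.cock/support/crawler.asp)")

# Apache/nginx "combined" log format (assumed to be what the web server writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BROWSER_UA = "Mozilla/5.0 (X11; Linux) Firefox/3.0"

# Constructed sample log: three bot hits from two hosts plus two ordinary requests.
SAMPLE_LOG = f'''\
203.0.113.10 - - [15/Feb/2009:14:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "{ATTACK_UA}"
198.51.100.7 - - [15/Feb/2009:14:00:01 +0000] "GET /blog/ HTTP/1.1" 200 8120 "-" "{BROWSER_UA}"
203.0.113.10 - - [15/Feb/2009:14:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "{ATTACK_UA}"
203.0.113.11 - - [15/Feb/2009:14:00:02 +0000] "GET / HTTP/1.1" 503 0 "-" "{ATTACK_UA}"
198.51.100.7 - - [15/Feb/2009:14:00:03 +0000] "GET /monitor.php HTTP/1.1" 200 4400 "-" "{BROWSER_UA}"
'''


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_attack_sources(log_text, attack_ua=ATTACK_UA):
    """Count requests per source IP whose user agent exactly equals attack_ua.

    Returns (hits, unparsed): hits is a Counter of ip -> request count for
    matching requests only; unparsed counts lines that did not fit the format,
    which is worth tracking so a format mismatch is not mistaken for "no attack".
    """
    hits = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["ua"] == attack_ua:
            hits[rec["ip"]] += 1
    return hits, unparsed


def sources_over(hits, threshold):
    """Sorted list of source IPs with more than `threshold` matching requests."""
    return sorted(ip for ip, n in hits.items() if n > threshold)


if __name__ == "__main__":
    hits, unparsed = find_attack_sources(SAMPLE_LOG)
    print(f"unparsed lines: {unparsed}")
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} bot requests")
    print("sources over threshold 1:", sources_over(hits, 1))
```

The exact string match is deliberate: it keeps legitimate crawlers that merely share a product token out of the count. The flip side is that the signal disappears the moment the bot operator changes the string, so treat the user agent as one pivot among several (request rate per IP, identical request paths, timing) rather than the only basis for a block list.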
Currently it seems that the DDoS mitigation was successful, so abuse.ch is now up and running again (but unfortunately with a high response time because the DDoS attack still goes on). Let’s see what happens in the next few hours/days.