Category Archives: ZeuS Tracker

ZeuS: Cybercriminals moving over to FastFlux Hosting

A month ago, the well-known bulletproof hoster Troyak was cut off from the internet (read more). Troyak tried hard to get reconnected, but its disconnection made so much noise in the international press that Troyak was not able to stay connected to the World Wide Web.

But maybe you wonder why the number of active ZeuS C&Cs continued to drop after the Troyak shutdown. Let me clear this up: after the shutdown of Troyak, several other ISPs which had served as a platform for cybercriminals for months obviously came under massive pressure from their upstream providers. Many of those ISPs contacted me during the last few weeks and made a clear statement that they no longer tolerate any cybercriminals in their networks.

The good news first:
Today, a month after the Troyak shutdown, the number of active C&C servers is still at a very low level. We are now at a point where ZeuS C&C servers go offline just a few minutes after they appear on the ZeuS Tracker.

And now the bad news:
During the last few days I have noticed more and more ZeuS C&C servers popping up which are hosted on a FastFlux botnet. To be precise: it’s not new that cybercriminals host the infection binaries (used to infect their victims) on FastFlux botnets. What is pretty new to me is that the cybercriminals are now also hosting their Command&Control servers (the servers which host the dropzone) on FastFlux botnets. For example:

To keep up with this ‘new’ trend I decided to add a new ‘level’ to the ZeuS Tracker:

Level: 5
Description: Hosted on a FastFlux botnet
Color: Blue

Whenever you see a ZeuS C&C server on the ZT which is FastFlux hosted, the ZeuS Tracker will now provide you with additional information:

As you can see above, the ZeuS Tracker shows the assigned bots (IP addresses) as well as their status on Spamhaus’s XBL. Additionally, the time to live (TTL) of the A record is displayed (on FastFlux hosted domains mostly between 180 and 1800 seconds).
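The signals the tracker displays for a level 5 entry (a short A-record TTL, a pool of bot IPs, and each IP’s XBL status) are the same ones a defender can score themselves. The following is an added example, not the ZeuS Tracker’s own code: it takes repeated A lookups of one name, checks the TTL against the 180–1800 second range noted above, counts how many distinct addresses and /16 networks the pool spans, and asks a pluggable `is_listed` callback whether each address is on the XBL. The DNSBL query-name construction (octets reversed, zone appended) is the standard convention; the thresholds, the names `assess_fastflux`, `ARecordSet`, `xbl_query_name`, and all sample records and the stand-in XBL set are constructed for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable

# Thresholds are assumptions for this example, based on the post's observation
# that fast-flux A records carry TTLs of roughly 180-1800 seconds.
MAX_FLUX_TTL = 1800      # seconds
MIN_UNIQUE_IPS = 5       # distinct addresses seen across repeated lookups
MIN_NETWORKS = 3         # distinct /16 networks those addresses fall into


@dataclass
class ARecordSet:
    """The A records one lookup returned for a name, plus the answer TTL."""
    name: str
    ttl: int
    addresses: list


def xbl_query_name(ip: str, zone: str = "xbl.spamhaus.org") -> str:
    """Build the DNSBL query name for an IPv4 address: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def assess_fastflux(lookups: Iterable[ARecordSet], is_listed: Callable[[str], bool]) -> dict:
    """Score repeated A lookups of one name for fast-flux hosting.

    Signals mirror what the tracker displays: a short TTL, a large and changing
    pool of addresses, that pool spread over many networks, and a pool made of
    XBL-listed (infected) hosts rather than real servers. `is_listed` answers
    "is this IP on the XBL?"; a live implementation would resolve
    xbl_query_name(ip) and treat a 127.0.0.x answer as listed.
    """
    lookups = list(lookups)
    if not lookups:
        raise ValueError("need at least one lookup")
    ttl = min(l.ttl for l in lookups)
    seen = Counter(ip for l in lookups for ip in l.addresses)
    networks = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    listed = [ip for ip in seen if is_listed(ip)]
    pool_changed = len({frozenset(l.addresses) for l in lookups}) > 1
    verdict = (
        ttl <= MAX_FLUX_TTL
        and len(seen) >= MIN_UNIQUE_IPS
        and len(networks) >= MIN_NETWORKS
    )
    return {
        "name": lookups[0].name,
        "ttl": ttl,
        "unique_ips": len(seen),
        "networks": len(networks),
        "pool_changed": pool_changed,
        "xbl_listed": len(listed),
        "is_fastflux": verdict,
    }


# Constructed sample data (invented names, private 10.0.0.0/8 addresses);
# this is not ZeuS Tracker output.
FLUX_LOOKUPS = [
    ARecordSet("flux.example.test", 300, ["10.11.4.7", "10.52.9.1", "10.73.200.3", "10.8.8.8"]),
    ARecordSet("flux.example.test", 300, ["10.52.9.1", "10.99.1.2", "10.120.5.5", "10.11.4.7"]),
    ARecordSet("flux.example.test", 300, ["10.73.200.3", "10.141.77.2", "10.99.1.2", "10.8.8.8"]),
]
STABLE_LOOKUPS = [
    ARecordSet("static.example.test", 86400, ["10.200.1.10", "10.200.1.11"]),
    ARecordSet("static.example.test", 86400, ["10.200.1.10", "10.200.1.11"]),
]
# Constructed stand-in for XBL listings, used instead of a live DNS query.
CONSTRUCTED_XBL = {"10.11.4.7", "10.52.9.1", "10.73.200.3", "10.99.1.2", "10.120.5.5", "10.141.77.2"}


def constructed_xbl(ip: str) -> bool:
    """Offline substitute for an XBL lookup, backed by the constructed set above."""
    return ip in CONSTRUCTED_XBL


if __name__ == "__main__":
    for lookups in (FLUX_LOOKUPS, STABLE_LOOKUPS):
        print(assess_fastflux(lookups, constructed_xbl))
```

The verdict deliberately rests on TTL, pool size and network spread rather than on the XBL count alone, because a legitimate CDN also rotates addresses with short TTLs; what separates a flux network is that its pool consists of compromised end-user hosts, which is why the XBL status is reported alongside the verdict rather than folded into it.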

To get a list of ZeuS domains which are currently hosted on a FastFlux botnet you can just set a filter for “level 5” tagged domains on the ZeuS Tracker:

Currently there are just 9 domains hosted on a FastFlux botnet. But let’s see how many ZeuS C&Cs will move over to FastFlux hosting during the next few months.

And another Bulletproof Hoster goes Offline…

A friend over at MDL informed me today that another bulletproof hoster called GR-VERTICAL-AS Group Vertical Ltd (AS49365) went offline last night. Back in October 2009 I wrote a blog post about this ISP (see Source of badness: Group Vertical Ltd (AS49365)) describing how bad this ISP is. A few days later, Group Vertical was disconnected from the internet. Unfortunately, the bad guys managed to get online again.

Now it seems that last night their upstream provider VLineTelecom LLC Moscow (AS39150) cut its peering with Group Vertical:

GR-VERTICAL-AS Group Vertical Ltd
NOT Announced

This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.

Prefixes added and withdrawn by this origin AS in the past 7 days.
– Withdrawn

As of yesterday, this ISP hosted 20 ZeuS C&C servers in its subnet:

Because Group Vertical is offline again, the number of active ZeuS C&C servers will drop again today! But there is even more work left to do:

Let’s see how long these ISPs will stay online….