The webserver which is hosting abuse.ch and ZeuS Tracker is currently under high system load due to a ongoing DDoS attack against the blog (abuse.ch). The DDoS has started yesterday 02:00 pm (UTC):
The origin seems to be the same as last time (see previous post “DDoS Angriff & Joe Job gegen abuse.ch (german)”). Fact is, that the bots are using the same user agents as during the attack last year:
FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.cock/support/crawler.asp)
Mozilla/5.0 (Slurp/cat; email@example.com; http://www.supercocklol.com/slurp.html
Mozilla/4.0 compatible ZyBorg/1.0 (firstname.lastname@example.org; http://www.lolyousuck.com)
If we google the user agent above we will find some interesting information about the origin of the DDoS attack:
“Letâ€™s take a look at yet another bot originating from the Mother Russia. Itâ€™s called Illusion, and it has a nice and clear GUI tool for configuration that even an idiot (you could argue that only idiots use malware anyway) can use.”
Source: MWBlog: “Illusion – Now you see me, now you donâ€™t”
Currently it seems that the DDoS mitigation was successfull so that abuse.ch is now up and running again (but unfortunately with a high response time because the DDoS attack still goes on). Let’s see what happens in the next few hour/days.
After the drone.abuse.ch FastFlux Tracker (link) and the httpBL.abuse.ch Web abuse Tracker (link) I’m proud to announce another Tracking system. Introducing:
abuse.ch ZeuS Tracker BETA
I will just give you a short overview here about the function and the idea behind the abuse.ch ZeuS Tracker.
What is ZeuS?
For those which are reading my blog frequently you will know this trojan from my previous posts. For all others: ZeuS is a crimeware kit, which steals credentials for various online services like social networks, online banking accounts, ftp accounts, email accounts and other. The trojan is also known as Zbot and WSNPoem.
How to get infected?
The ZeuS trojan spears on email as well via Drive-By infections (using toolkits like LuckySploit, El fiesta and so on).
What is the abuse.ch ZeuS Tracker?
The abuse.ch ZeuS Tracker provides you the possiblity to track ZeuS Command & Control servers (C&C). The tracker captures and track the ZeuS hosts aswell as the associated config files, binaries and dropezones. The main focus is to provide system administrators the possiblity to block well-known ZeuS hosts and avoid ZeuS infections in their networks. Therefore you can download a ZeuS domain blocklist and a ZeuS IP blocklist. Additionally the ZeuS Tracker should help CERTs and ISPs to track malicious ZeuS hosts in their networks / countries.
Where can I find the ZeuS Tracker
You can find the ZeuS Tracker on https://zeustracker.abuse.ch (It’s on https, not http).
What is the ZeuS blocklist?
The ZeuS blocklist lists all ZeuS hosts which are currently beeing tracket on the ZeuS tracker. The blocklist is available on the ZeuS Tracker webpage. Additionally, the domains are included in the Malware Domain List (MDL).
- The ZeuS Tracker is currently in BETA. So if you have any problems or further ideas please let me know (contact).
- Don’t be affright, there are currently over 200 ZeuS hosts which are beeing tracked by the ZeuS Tracker.
- You can submit new ZeuS hosts to the ZeuS Tracker using the submit form.
- A RSS feed for the ZeuS Tracker is available (Subscribe to ZeuS Tracker RSS feed).