
The Bozvanovna ZeuS Botnet

This week I’ve taken the opportunity to take a closer look at the current ZeuS campaigns. A few of them keep popping up again and again, so I’ve tried to get some more information about those botnets, their targets as well as the infrastructure that the cybercriminals are using.

In this first blog post I will talk about a ZeuS botnet which I call the “Bozvanovna Botnet”, which is being spread using drive-by exploits (hopefully I will find the time to blog about the other botnets that I’ve found too…).

First of all, let’s take a look at the botnet Command & Control infrastructure: The cybercriminals have registered a pretty large number of domains to serve ZeuS configs and binaries as well as to provide a dropzone for the infected clients (bots) to upload the stolen information. The reason for this is pretty simple: In most cases the domains that get listed on ZeuS Tracker get nuked quickly, so the cybercriminals have to register new domains every time the old ones get suspended.

Below is a list of the domains that were associated with the Bozvanovna Botnet and that ZeuS Tracker came across:

| Firstseen | Domain | Registrar | Registrant | A record | Status |
|---|---|---|---|---|---|
| 2010-10-18 | 0luxdan.com | DIRECTI | Anton Petushkov | | Suspended |
| 2010-10-30 | jankult.com | REGTIME | Andrey Aleksandrovich Polev | | Suspended |
| 2010-10-29 | 3color3.com | REGTIME | Andrey Aleksandrovich Polev | | Suspended |
| 2010-11-05 | file-system5.com | REGTIME | Anton Petushkov | | Suspended |
| 2010-11-07 | razaasmss.com | REGTIME | SP3 LTD | | Suspended |
| 2010-11-22 | olmsqq0.com | DIRECTI | Annamos Susdanil | | Suspended |
| 2010-11-22 | xinetdstart.com | DIRECTI | Petr Klimov | | Suspended |
| 2010-11-25 | vatnaya0.com | DIRECTI | SP3 LTD | | Suspended |
| 2010-11-28 | losma00s.com | DIRECTI | SP3 LTD | | Suspended |
| 2010-11-28 | goodysw.com | DIRECTI | Saoma LTD | | Suspended |
| 2010-11-28 | shanhaiswerat.com | DIRECTI | Saoma LTD | | Suspended |
| 2010-11-16 | oslolstal.com | REGTIME | Maksim A Roslyakov | | Inactive |
| 2010-11-22 | thechno000.com | REGTIME | Maksim A Roslyakov | | Suspended |
| 2010-11-22 | shawn00.com | REGTIME | Maksim A Roslyakov | | Suspended |
| 2010-11-27 | tundraburb.com | DIRECTI | Saoma ltd | | Suspended |
| 2010-11-28 | comeasuwewd.com | DIRECTI | SP3 LTD | | Suspended |
| 2010-12-05 | lloqqqcss.com | REGTIME | Maksim A Roslyakov | | Suspended |
| 2010-12-06 | eat0good.com | REGTIME | Max Pet | | Inactive |
| 2010-12-08 | yakonohadersh.com | REGTIME | Evgeniy Jaakson | | Active |
| 2010-12-08 | unagimakimoto.com | REGTIME | Evgeniy Jaakson | | Active |
| 2010-12-10 | poweroffbutson.com | DIRECTI | PrivacyProtect.org | | Suspended |
| 2010-12-10 | pilotsmradios.com | DIRECTI | PrivacyProtect.org | | Suspended |
| 2010-12-13 | arteowerpot.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-13 | sdartinagrest.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-13 | destopinterfo.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-13 | portityuwdef.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-13 | plotetihnask.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-13 | itroluikdired.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-13 | cernelpanished.com | REGTIME | Aaltonen Alexander | | Active |
| 2010-12-13 | openwdscript.com | REGTIME | Aaltonen Alexander | | Active |
| 2010-12-13 | tilimilitram.com | DIRECTI | PrivacyProtect.org | | Suspended |
| 2010-12-14 | polirtikolost.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-16 | werlijokityp.com | DIRECTI | Alexander Fulop | | Suspended |
| 2010-12-16 | jakudzahamato.com | REGTIME | Evgeniy Jaakson | | Active |
| 2010-12-17 | enkwertiout.com | REGTIME | Aaltonen Alexander | | Active |
| 2010-12-17 | lib32listends.com | REGTIME | Aaltonen Alexander | | Active |
| 2010-12-17 | fjfhbhwerkbfger.com | REGTIME | Evgeniy Jaakson | | Active |
| 2010-12-19 | werodtlejfcok.com | DIRECTI | PrivacyProtect.org | | Suspended |

The first domain popped up on 2010-10-18, but it looks like the Bozvanovna gang has been operating at least since July 2010. Fortunately, it’s pretty easy to detect those domains that are associated with that specific botnet, because in most of the cases they are using the same URL scheme:

  • ZeuS Config file: 000XYYY.so
  • ZeuS Binary file: 000XYYY.exe
  • ZeuS Dropzone: i.php

Where X is an alphabetic letter (e.g. n or x) and Y a numeric character (e.g. 2 or 123).
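As an added example (not part of the original post), the following Python snippet turns that URL scheme into a detection rule and runs it over constructed proxy log lines. The log format and all hosts except yakonohadersh.com are assumptions; because i.php is a common file name, a dropzone hit is only reported when the same host also served a config or binary.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Bozvanovna URL scheme from the post: 000XYYY.so / 000XYYY.exe / i.php,
# where X is exactly one letter and Y one or more digits.
PATH_RE = re.compile(r"^/(?:000[A-Za-z]\d+\.(?P<ext>so|exe)|(?P<drop>i\.php))$")

def classify_url(url: str) -> Optional[str]:
    """Return 'config', 'binary', 'dropzone' or None for one URL."""
    m = PATH_RE.match(urlsplit(url).path)
    if not m:
        return None
    if m.group("drop"):
        return "dropzone"
    return "config" if m.group("ext") == "so" else "binary"

def scan_proxy_log(lines: List[str]) -> Dict[str, Set[str]]:
    """Group matching requests per host; line format (constructed): '<ts> <client> <method> <url>'."""
    hits: Dict[str, Set[str]] = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing
        url = fields[3]
        kind = classify_url(url)
        if kind:
            hits.setdefault(urlsplit(url).hostname or "", set()).add(kind)
    return hits

def high_confidence_hosts(hits: Dict[str, Set[str]]) -> List[str]:
    """/i.php on its own is weak evidence (common file name); report only
    hosts that also served a ZeuS config or binary under the scheme."""
    return sorted(h for h, kinds in hits.items() if kinds & {"config", "binary"})

# Constructed sample lines; the first host is one listed in the post.
SAMPLE_LOG = [
    "2010-12-17T10:02:11 10.0.0.12 GET http://yakonohadersh.com/000n2.so",
    "2010-12-17T10:02:13 10.0.0.12 GET http://yakonohadersh.com/000n2.exe",
    "2010-12-17T10:05:40 10.0.0.12 POST http://yakonohadersh.com/i.php",
    "2010-12-17T10:06:02 10.0.0.30 GET http://intranet.example/i.php",
    "2010-12-17T10:06:09 10.0.0.30 GET http://cdn.example/000nn2.so",
    "garbage line",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    print(hits, "high confidence:", high_confidence_hosts(hits))
```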

Another point which pops up when we take a look at the list above is that most of the domains are hosted at a well known bulletproof hosting provider named VolgaHost, which is located in Russia:

As number: AS29106
AS name: VolgaHost
ZeuS C&Cs: zeustracker.abuse.ch/monitor.php?as=29106
Spamhaus SBL: www.spamhaus.org/sbl/sbl.lasso?query=SBL83028
CIDR Report: www.cidr-report.org/cgi-bin/as-report?as=AS29106

According to CIDR Report, VolgaHost is being routed through AS39307 – DCOMM-UA-AS Digital Communications Ltd. Both ASs can be considered 100% malicious and should therefore not be routed. But let’s get back to the Bozvanovna botnet…

When I took a look at the ZeuS config files of the Bozvanovna botnet (they are using ZeuS version ), I was really surprised to see how many financial institutions they are targeting. Below is a list of the targets of this ZeuS campaign which I’ve seen so far:

  • NatWest
  • HSBC
  • Nationwide
  • Lloyds TSB
  • Co-operative bank
  • Bank of Scotland
  • Yorkshire Bank
  • Halifax
  • Postbank
  • Sparkasse
  • Barclays
  • Commerzbank

Like most ZeuS campaigns, the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victim’s online bank account. The Bozvanovna botnet is using different Webinjects: some of them are implemented in the ZeuS config file and some of them are hosted on a server on the internet (to generate webinjects dynamically). In total I’ve seen two domains which are being used to implement the webinjects:

| Domain | Registrar | Registrant | A record | AS number | AS name |
|---|---|---|---|---|---|
| bozvanovna.com | REGTIME | Lubov Bozvanovna | | AS23352 | Server Central Network |
| freetalkgamez.com | REGTIME | Aaltonen Alexander | | AS55720 | GIGABIT-MY |

Both domain names are currently active and, what is even more interesting, both domain names are using HTTPS with a valid certificate. This is actually not that uncommon: A lot of the recent ZeuS campaigns I’ve seen are using valid SSL certificates to avoid browser warnings on the client side during the e-banking session.

Bozvanovna SSL certificate


The webinjects as well as the server side scripts are (as in most cases) pretty complex. What I’ve seen in the Bozvanovna ZeuS campaign is that they can switch the targets of their interest pretty easily by using some kind of switcher to turn the campaign targeting a specific bank on or off. Therefore they have defined a lot of webinjects in the ZeuS config file for a lot of different financial institutions. As soon as they want to activate a campaign, they just have to set the switcher on the webinject server to on (by using this switcher they don’t have to change the config file every time they want to change the targets of their campaign). Let’s take a look at a target in the ZeuS config file of Bozvanovna:

Webinject Bozvanovna

The Target URL defines the target of this Webinject. The cybercriminals can then define at which point of the online banking site they want to replace or insert code (data_before / data_after). In this example ZeuS will add a lot of HTML and JavaScript code (data_inject) after the head tag. What is interesting in this example is that the victim’s browser will load additional code from bozvanovna.com via JavaScript. As already mentioned, you can see that they are using HTTPS to load that code from bozvanovna.com.
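To make the structure described above concrete, here is an added Python example (not the post’s or ZeuS Tracker’s code) that parses a constructed webinject entry and pulls out the target URL and the external hosts the injected code loads script from, which is what a defender would want to extract from a captured config for blocking. It assumes the ZeuS 2.x webinjects.txt keywords set_url, data_before, data_inject, data_after and data_end; the bank URL is made up.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in the assumed ZeuS 2.x webinjects.txt syntax:
# "set_url <url-mask> <flags>" followed by data_before / data_inject /
# data_after blocks, each terminated by data_end.
SAMPLE_WEBINJECT = """\
set_url https://www.example-bank.test/login* G
data_before
<head>
data_end
data_inject
<script type="text/javascript" src="https://bozvanovna.com/js/state.js"></script>
data_end
data_after
data_end
"""

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)

def parse_webinjects(text: str) -> List[Dict[str, str]]:
    """Split a webinjects file into one dict per set_url entry."""
    entries: List[Dict[str, str]] = []
    block = None  # name of the data_* block currently being collected
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            _, url, *flags = line.split()
            entries.append({"url": url, "flags": "".join(flags),
                            "data_before": "", "data_inject": "", "data_after": ""})
            block = None
        elif line in ("data_before", "data_inject", "data_after"):
            block = line
        elif line == "data_end":
            block = None
        elif block and entries:
            entries[-1][block] += raw + "\n"  # keep original indentation
    return entries

def external_script_hosts(entries: List[Dict[str, str]]) -> List[str]:
    """Hosts the injected HTML pulls further script from, i.e. the
    second-stage servers (bozvanovna.com in the post) worth blocking."""
    hosts = set()
    for e in entries:
        for src in SCRIPT_SRC_RE.findall(e["data_inject"]):
            host = urlsplit(src).hostname
            if host:  # relative src has no host
                hosts.add(host)
    return sorted(hosts)
```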

If we take a look at this URL referenced in the ZeuS config file, we will see the following content:

var current_state = "offline";

It looks like the cybercriminals have disabled the phishing campaign against this target, but they can change that pretty easily:

Bozvanovna Webinject Status

If we now take another look at the same URL again, we will see that there is now a lot of HTML code being served from bozvanovna.com and injected into the online banking session of the victim:

Activated Webinject

What we see in the code snippet above is that the phishing campaign against this target is now active. ZeuS will now phish the credentials for the online bank account and display the error message “We have problem with online service. Try again later, sorry for any inconvenience” to the victim.

We have seen that the webinjects are pretty complex. So we have to ask ourselves: Is this really going to work? I can tell you: yes it is! Below is a screenshot of a log which is generated by the webinject backend:

Bozvanovna Victims


The log file is huge and contains information about:

  • Timestamp
  • Victim’s IP address
  • Victim’s Bank
  • User Agent (Browser)
  • Customer Number (Account number)
  • Memorable Data
  • Passnumber
  • Available amount of cash

You can also see that some of the victims are using Firefox. So you can even be targeted by such phishing attacks when you are using Firefox for your online banking sessions. Another interesting point in the logfiles is the timestamps: They attacked the Nationet Internet Banking from October 14th to October 21st. Afterwards it seems that they stopped the phishing campaign against this bank for some time by turning off the switcher (about which I have talked before). Since December 17th they are targeting the bank again.

But there is one fact that scares me much more than anything else: I saw a couple of victims who logged in to online banking accounts which are tagged as Business or Corporate online. When I did a whois on the victims’ IPs I saw that these IPs belong to corporate customers within Europe. In fact this means that the cybercriminals are also targeting business customers and therefore have access to a lot of money (you can imagine that there is more money on a business bank account than on a bank account of a private customer).

If we look at the admin panel of the server which is hosting the webinjects, we see that the cybercriminals have already grabbed a lot of information about the bank accounts of their victims. Below is just a very small screenshot of the admin panel (called personal room) on bozvanovna.com.

Bozvanovna Admin Panel

The bank account which I’ve outlined in the screenshot above currently has a balance of 371’535.26 pounds. And now imagine: The entry table has 600 bank accounts listed! So there is a lot of money on those accounts…

Finally, let’s take a short look at the Bozvanovna botnet itself. Fortunately I had the chance to sinkhole a handful of domains which are associated with the Bozvanovna botnet and which are being used to control it. Therefore I’m able to provide some information about the Bozvanovna botnet geolocation:

Bozvanovna Botnet Geolocation

As shown in the pie chart above, most infected clients are located in Great Britain (GB) and Germany (DE). That’s not really surprising, because the financial institutions targeted by the Bozvanovna ZeuS campaign are mainly located in those countries.

*** Conclusion ***
While ZeuS and Spyeye obviously merged some months ago, we can see that ZeuS is still around (at least for now). The Bozvanovna ZeuS campaign is a good example of how sophisticated and complex the attacks on financial institutions are today.

If you want to mitigate the ZeuS threat in your network, I recommend you use one of the ZeuS Tracker blocklists:


Follow me on Twitter: http://twitter.com/abuse_ch