Tag Archives: Zbot

Massive Drop in Number of Active Zeus C&C Servers

I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&Control servers. This morning I was really surprised what I saw on the ZeuS Tracker statistic page:

Massive drop of active ZeuS C&C servers on 2010-03-09

As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C server is fact. I noticed that six of the worst ZeuS hosting ISP suddently dissapeared from the ZeuS Tracker.

I verified the subnets of the affected ISP and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. As a result, the following ISPs lost their internet connetivity which finally resulted in a massiv drop in the number of active ZeuS C&C servers:

AS number: AS50390
AS name: SMILA-AS Pavlenko Tetyana Oleksandrivna
Status: Withdrawn
# of ZeuS C&Cs: 17
Spamhaus SBL: Not listed

AS number AS42229
AS name: MARIAM-AS PP Mariam
Status: Withdrawn
# of ZeuS C&Cs: 18
Spamhaus SBL: #SBL86729

AS number: AS49934
AS name: VVPN-AS PE Voronov Evgen Sergiyovich
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL82374

AS number: AS44107
AS name: PROMBUDDETAL-AS Prombuddetal LLCst
Status: Withdrawn
# of ZeuS C&Cs: 5
Spamhaus SBL: #SBL82408

AS number: AS50033
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL85667

AS number: AS12604
AS name: CITYGAME-AS Kamushnoy Vladimir Vasulyovich
Status: Withdrawn
# of ZeuS C&Cs: 12
Spamhaus SBL: #SBL81900

In total, 68 went down – It was the biggest drop in number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job 😀

*** UPDATE 21:03 (UTC) ***
Bad news – it seem that TROYAK-AS has found a new upstream provider to serve their malware to the world:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS44051 YA-AS Professional Communication Systems

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut their peerings with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look into the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!

ZeuS Tracker statistics as of 2010-03-11

As mentioned on the last update from 21:03 UTC, Troyak just found a new upstream provider. This means: Troyak-AS is reconnected to the internet since yesterday. Anyway, I just checked the those ZeuS C&C servers which where routed by Troyak – all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day – Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System

*** UPDATE 2010-03-11 21:30 (UTC)
Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increasted from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak will disappear from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS25189 NLINE-AS JSC Nline

Further links

An Iframer for Dummies

Today I came accross an Iframer called Ziframer. But first of all: What is an Iframer?

An Iframer is a script which is used to test stolen FTP accounts and inject malicious code into web pages. If an FTP account is valid, the Iframer automaticly puts an Drive-by infection on the specified html, php or asp files.

In this case the Iframer is a PHP-script which is used to spread a variant of ZeuS (aka Zbot/WSNPoem). The Iframer is called “Ziframer” and is sold for 30$. The PHP script can bee launched via command line or accessed using a web browser:

Ziframer v1.3

The script is very simple and just needs a list of FTP accounts which the script should check. As you can see on the screenshot above, the input file (ftp.txt) currently contains more then 18’000 stolen FTP credentials:

Stolen FTP credentials title=

In the file “iframe.txt” the attacker can define the (JavaScript- or HTML-) code he would like to inject:

Malicious Iframe

The cyberciminal has also the possibility to set a timeout, a file where the script will report invalid FTP credentials (bad.txt) and a file which will collect valid FTP credentials (good.txt). The screenshot below shows you the script while working through the list of stolen FTP credentials (ftp.txt):


Last but not least the attacker has to define where he wants to put the malicious code. He has the following options:

start page – Inject the code at the top of the page
end – Inject the code at the bottom of the page
change – Replace a text or a string in the page with the malicious code
check – Check if the malicious code is already on the page

Now the cybercriminal has just to press the “START” button to run the script. The Iframer script will now get through the FTP accounts and inject the malicious code which is defined in the file “iframe.txt” (see this one).

To make the use of the script more user friendly, the script has a readme file which describes the usage of the script in russian and english.

Content of readme.html (english):

This script is designed to test the FTP accounts on the validity, insert the code into files on the FTP.

[*] Console and Web interface
[*] Stabilno runs under Windows and Nix BSD
[*] Check for validity ftp
[*] Paste the Code (at the beginning or end of file. Or a full overwrite the file to your text – defeys)
[*] Strange Komentirovanie iframe’ov
[*] Convenience logs [*] All akki (valid \ invalid) remain in the database.
[*] The names of files, to insert the code can be set regExp’om, such as index \ .(.*)[_ b] or [_b ](.*). php | html | asp | htm.
[*] It takes on all the folders on the site.
[*] Function update replaces your old code to the new (for example, changed the addresses fryma)

[!] Recommend to use the console interface

Open a console (Start-> Run-> cmd)
Write to the path to php.exe for example c: \ php \ php.exe
then write the path to the script (zifr.php)
For example the so-c: \ php \ php.exe D: \ soft \ ziframer \ zifr.php
the script will run and display a certificate.

Open the console / ssh
Write to php then write the path to the script (zifr.php)
For example the so-php / home / user / soft / ziframer / zifr.php
the script will run and display a certificate.

-file -f Path to the file to your FTP
-code -c path to a file with code introduced
-inject -i Where vstavlt code three options
start – top of the page
end – in the bottom of the page
change – replace the text in the page code
-time -t Timeout for connecting to the FTP
-del -d With this option chyuzhye ifremy komentiruyutsya
-update -u Update your code with this option, the script ishet inserted your code and replaces it with a new
-good -g file where badat skladyvatsya working FTP
-bad -b file where badat skladyvatsya not working FTP
-hide -h If you enable this option, your code will not markerovatsya but you will not be able to use the function update
-restore -r Continue from the last FTP if you had not had time to do the whole list you can start from where you stopped


The Ziframe script is very simple an cheap. Even a n00b is able to use it.

It also demonstrates how efficiently and easily cybercriminals can distribute their malicious code to tremendous numbers of stolen FTP accounts. Automated mechanisms like this one shows how infection vectors are more and more shifted from E-mails with malicious attachments to Drive-by. The modular approach allows the cybercriminal to feed the script with different lists of compromised accounts that can be acquired on the underground market.