Tag Archives: ZeuS

Dutch Spam Campaign Hits Switzerland With P2P ZeuS

Weird things are going on here in Switzerland. Today I’ve seen a spam campaign sent out by the Cutwail spambot (one of the biggest spam botnets in the world), hitting Switzerland with the P2P version of ZeuS (aka P2P ZeuS, ZeuSv3 or Gameover ZeuS). The spam email looks like this:

From: reportbank@ag.ch
Subject: Re: onjuist ingevulde NATXXXX belastingformulier

Helaas is u op de hoogte dat je hebt fouten gemaakt bij het invullen van de laatste belastingformulier applicatie (ID: XXXXX).
vindt u het advies van onze fiscalisten Op deze link
( 1 minuut Wacht tot rapport zal laden)

Wij vragen u om corrigeer de fouten en bestand de herziene aangifte aan uw lokale belastingkantoor zo snel mogelijk.

[English rendering of the (broken) Dutch subject and body: “Re: incorrectly completed NATXXXX tax form. Unfortunately you are informed that you have made mistakes when filling in the latest tax form application (ID: XXXXX). You will find the advice of our tax specialists at this link (wait 1 minute for the report to load). We ask you to correct the errors and file the revised return with your local tax office as soon as possible.”]

Kanton Aargau
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 3352 Aarau
Tel.: +41 (0)62 362 XX XX
Fax: +41 (0)62 365 XX XX

What is weird about this spam campaign is that it imitates a department of the Swiss canton of Aargau (a German-speaking canton), but the body of the email is written in Dutch. It might be hard to believe, but most Swiss citizens don’t speak Dutch at all…

Additionally, I’ve seen that Cutwail is sending out this spam campaign to non-CH mailboxes as well (.net, .com etc.). So it is not yet clear whether the intent of the criminals behind this malware campaign is to hit Swiss citizens or not (I don’t think that any foreign citizen knows the canton of Aargau…).

The spam email contains a hyperlink to a hijacked website, for example:


The page looks like this:

To a normal visitor the page doesn’t look suspicious at all: it is a copy of the official web page of the canton of Aargau. However, if you take a closer look at the HTML source of the advertised URL you will notice malicious JavaScript code which causes the visitor’s web browser to load content from a foreign URL hosted in Korea:


africanbeat.net points to

[ Network Information ]
IPv4 Address : – (/13)
Service Name : broadNnet
Organization Name : SK Broadband Co Ltd
Organization ID : ORG3930
Address : 267, Seoul Namdaemunno 5(o)-ga Jung-gu SK NamsanGreen Bldg.
Zip Code : 100-711
Registration Date : 20040402

The mentioned website (africanbeat.net) is likely operated by cybercriminals and is hosting an exploit kit called “Blackhole”. Blackhole is able to exploit various (known) vulnerabilities in the visitor’s web browser (e.g. Internet Explorer or Firefox) as well as in third-party browser plugins like Adobe Flash, Adobe Reader and Sun Java. If the software installed on the visitor’s computer is not fully patched, Blackhole will exploit a vulnerability and use it to install an e-banking Trojan called P2P ZeuS.

Since P2P ZeuS is not using any centralized (botnet) infrastructure, there is no central botnet C&C domain/IP you could block on your company’s gateway. However, P2P ZeuS is using P2P functionality, communicating with other infected bots around the globe over high TCP/UDP ports. You can mitigate this threat by blocking any new outgoing TCP and UDP connection to ports higher than 1024 on your firewall (as a side note: you should restrict outgoing traffic on your firewall anyway). Note that the rule has to be stateful (new outbound connections only, not the return packets of sessions that were opened inbound to your own servers), and that legitimate services on high ports will need explicit exceptions; an egress allow-list of the ports your users actually need gets the same effect more cleanly.

Additionally, I recommend that everyone block the following domain names and IP addresses at the network edge:

  • (Blackhole Exploit Kit hosting)
  • africanbeat.net (Blackhole Exploit Kit hosting)
  • (Malware DNS server)

*** Further reading ***

Follow me on Twitter: https://twitter.com/abuse_ch

ZeuS Gets More Sophisticated Using P2P Techniques

Recently, I’ve seen some major modifications in ZeuS murofet/LICAT.
Murofet (also known as LICAT) is a modified version of ZeuS which uses a so-called Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain.

However, a few weeks ago I noticed that no new murofet/LICAT C&C domain names had been registered by the criminals. I was a little bit confused and decided to analyse a recent ZeuS sample (spread through a spam campaign targeting US citizens). When I ran the binary in my sandbox, I saw some weird UDP traffic. My first guess was: this is not ZeuS. But after analysing the infection I came to the conclusion that it actually is ZeuS.

*** A new (custom) version of ZeuS ***

The new version of ZeuS no longer uses a DGA to determine the current C&C domain; therefore it is also no longer possible to pre-calculate the C&C domains that will be used in the near future. Obviously, the criminals switched back to a hardcoded C&C domain, which is stored in the ZeuS config file.

The *new* version of ZeuS (v3?) implements a Kademlia-like P2P botnet. Similar to the Miner botnet, ZeuS now uses an “IP list” which contains IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary. As soon as a computer gets infected, ZeuS will try to find an active node by sending UDP packets to high ports. If the bot hits an active node, the remote node responds with a list of current IP addresses participating in the P2P network. Additionally, the remote node tells the requesting node which binary and config version it is running. If the remote node is running a more recent version, the bot connects to it on a high TCP port to download a binary update and/or the current config file. Afterwards the bot connects to the C&C domain listed in the config file using HTTP POST.
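The bootstrap behaviour described above gives a network defender something to look for even without knowing the C&C domain: a freshly infected host sprays UDP packets to a list of external IPs on high ports while hunting for a live peer. The following is an added example (not code from the original post or from abuse.ch) that runs that heuristic over flow records. The flow-record layout, the RFC 1918 definition of “internal”, the thresholds and the sample flows are all my assumptions for illustration, not the bot’s real protocol.

```python
"""Heuristic detector for P2P ZeuS-style peer discovery in network flow records.

Added example, not code from the original post or from abuse.ch. Flow layout,
thresholds and sample data are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 space is "internal", everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (epoch seconds, src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    # 10.1.1.20: six distinct external peers over UDP on high ports within 8 seconds
    (1000, "10.1.1.20", "203.0.113.5",    "udp", 6231),
    (1001, "10.1.1.20", "198.51.100.77",  "udp", 8012),
    (1002, "10.1.1.20", "203.0.113.91",   "udp", 4455),
    (1004, "10.1.1.20", "198.51.100.9",   "udp", 7890),
    (1006, "10.1.1.20", "203.0.113.140",  "udp", 5533),
    (1008, "10.1.1.20", "198.51.100.200", "udp", 9021),
    # 10.1.1.30: ordinary DNS and HTTPS, never flagged
    (1000, "10.1.1.30", "10.1.1.1",       "udp", 53),
    (1001, "10.1.1.30", "203.0.113.10",   "tcp", 443),
    # 10.1.1.40: a VoIP-like UDP session to a single peer on a high port
    (1000, "10.1.1.40", "198.51.100.50",  "udp", 10000),
    (1001, "10.1.1.40", "198.51.100.50",  "udp", 10000),
    (1002, "10.1.1.40", "198.51.100.50",  "udp", 10000),
    # 10.1.1.50: three distinct peers, below the default threshold
    (1000, "10.1.1.50", "203.0.113.20",   "udp", 6000),
    (1001, "10.1.1.50", "203.0.113.21",   "udp", 6001),
    (1002, "10.1.1.50", "203.0.113.22",   "udp", 6002),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_peer_discovery(flows, window=60, min_peers=5, min_port=1025):
    """Return {src_ip: sorted distinct external peers} for internal hosts that sent
    UDP to at least `min_peers` distinct external IPs on ports >= `min_port`
    within any `window`-second span.  Repeated packets to one peer (VoIP, games)
    count once, so they do not trip the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport < min_port:
            continue  # DNS, NTP and other low-port UDP never reach the check
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic is of interest
        per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct peers contacted between t0 and t0 + window
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= min_peers:
                hits[src] = sorted(peers)
                break
    return hits


if __name__ == "__main__":
    for host, peers in find_peer_discovery(SAMPLE_FLOWS).items():
        print(f"{host}: UDP to {len(peers)} distinct external high ports, e.g. {peers[:3]}")
```

Tune `min_peers` and `window` to your network before alerting on this: BitTorrent clients and some VoIP or gaming software produce the same fan-out pattern, so the hit list is a triage queue, not a verdict.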

The HTTP protocol is only used to drop the stolen data at the dropzone and/or to receive commands from the botnet master. In fact this means there is no longer a BinaryURL or a ConfigURL that ZeuS Tracker can track. It also makes it quite difficult for security researchers to keep track of the targets. What is interesting is the fact that if everything fails (no working/active P2P drone can be found and the main C&C is dead), the bot will use the DGA as a fallback mechanism.

At first glance this is bad news. But fortunately the new mechanism also has benefits: there is just one ZeuS C&C active at a time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.

*** ZeuS sinkhole data ***

During the past few weeks I was able to sinkhole several ZeuS botnet C&Cs that were associated with this new ZeuS version. The chart below shows the number of unique IP addresses that are associated with this ZeuS version and hitting my sinkhole. The highest IP count was about 100k unique IPs in 24 hours.

The Geo location of this ZeuS botnet looks like this:

As we can see on the chart above, India seems to have the most infected systems, followed by Italy, the United States and Greece. Please note that this chart just shows the unique IPs for each country; it does not count unique bot IDs.

As usual, the sinkhole data is being sent to Shadowserver. If you are a network provider / ISP, please make sure that you subscribe to Shadowserver’s drone feed to receive reports about infected drones in your network/AS (the service is free of charge).

*** Conclusion ***
What I can say so far is that the encryption of this new (custom) version of ZeuS hasn’t changed. You should watch out for the following strings in your web proxy logs, which are being used as dropzone for this ZeuS version (via HTTP POST):

  • /gameover.php
  • /gameover2.php
  • /gameover3.php
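The proxy-log check described above, as an added example (not the post’s own tooling): it parses access-log lines in the layout of Squid’s native access.log and flags HTTP POST requests whose path is one of the dropzone scripts. The sample log lines and the `.invalid` hostnames are constructed; matching `/gameover<digits>.php` is my generalization of the three paths listed in the post, as is the case-insensitive match.

```python
"""Flag HTTP POST requests to the P2P ZeuS dropzone paths in web proxy logs.

Added example, not code from the original post or from abuse.ch. The log lines
are constructed in Squid's native access.log layout; hostnames are placeholders.
"""
import re
from urllib.parse import urlsplit

# The post lists /gameover.php, /gameover2.php and /gameover3.php; the \d* is an
# assumption that further numbered variants would look the same.
DROPZONE_PATH = re.compile(r"/gameover\d*\.php", re.IGNORECASE)

# Constructed sample: time elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
1318870000.123    245 10.1.1.20 TCP_MISS/200 512 POST http://cnc-one.invalid/gameover.php - DIRECT/203.0.113.5 text/html
1318870001.456     88 10.1.1.30 TCP_MISS/200 9043 GET http://www.example.invalid/index.html - DIRECT/198.51.100.10 text/html
1318870002.789    301 10.1.1.21 TCP_MISS/200 640 POST http://cnc-two.invalid:8080/gameover2.php?x=1 - DIRECT/203.0.113.9 text/html
1318870003.000     15 10.1.1.30 TCP_MISS/200 77 GET http://cnc-one.invalid/gameover.php - DIRECT/203.0.113.5 text/html
1318870004.111    120 10.1.1.22 TCP_MISS/404 350 POST http://www.example.invalid/GAMEOVER3.PHP - DIRECT/198.51.100.10 text/html
1318870005.222     50 10.1.1.23 TCP_MISS/200 400 POST http://www.example.invalid/login.php - DIRECT/198.51.100.10 text/html
"""


def parse_squid_line(line):
    """Return (timestamp, client_ip, method, url) from a Squid native log line,
    or None for lines that do not have the expected leading fields."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, _action, _size, method, url = fields[:7]
    return float(ts), client, method, url


def find_dropzone_posts(log_text):
    """Return [(timestamp, client_ip, hostname, path)] for every POST whose URL
    path matches DROPZONE_PATH.  Query strings and non-default ports are
    stripped by urlsplit so they cannot hide the path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        ts, client, method, url = rec
        parts = urlsplit(url)
        if method.upper() == "POST" and DROPZONE_PATH.fullmatch(parts.path):
            hits.append((ts, client, parts.hostname, parts.path))
    return hits


def dropzone_hosts(hits):
    """Distinct hostnames seen as dropzones: the candidates for an edge blocklist."""
    return sorted({host for _, _, host, _ in hits})


if __name__ == "__main__":
    found = find_dropzone_posts(SAMPLE_LOG)
    for ts, client, host, path in found:
        print(f"{ts:.3f} {client} POST {host}{path}")
    print("dropzone hosts:", dropzone_hosts(found))
```

A GET to one of these paths (the fourth sample line) is not flagged, because the post describes the dropzone traffic as HTTP POST; if you want to see it anyway, drop the method check. A 404 response is still reported, since a bot will keep trying a dead C&C until it receives a new config.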

Since I’ve started to track this ZeuS campaign, I’ve collected more than 270 unique config files.

Since the source code of ZeuS was leaked in early 2011, several so-called custom builds based on the leaked source code have popped up in the underground. A good example is a bot kit called Ice IX, which was recently introduced on opensc.ws.

So are we talking about a *new* ZeuS version which we will soon see being sold in the underground? I don’t think so. This seems to be just another custom build. But there is one thing that makes this custom build unique: this build (and the previous murofet/LICAT version) is much more sophisticated than all other ZeuS builds I’ve seen before. Also, when I take a look at the way they operate, it looks like this botnet has several customers using the same botnet infrastructure.

Since the guy who wrote this version of ZeuS seems to have a lot of knowledge, it could be that Slavik (the author of the original ZeuS version) has his hands on this ZeuS build. We all know how successful ZeuS was (and still is). So why should Slavik leave this business? I believe that Slavik was unhappy with the fact that his Trojan was in the spotlight of security researchers, the security industry and LEA. Also, ZeuS has attracted a lot of script kiddies and smaller criminal groups which weren’t able to pay that much money for a product. Slavik probably dropped this business and released the source code to the public to get out of this situation. But I believe that he is still developing ZeuS, only as custom build(s) for a small circle of customers who are able to pay a lot more money than the small fish. This wouldn’t attract that much attention from LEA and security folks, but would bring in a lot more money than dealing with standard customers.

We all know that the fight between criminals and security researchers is a cat-and-mouse game. I’m sure this wasn’t the last change made to ZeuS, and we will continue to see efforts from criminals to keep their malware under the radar.

Follow me on Twitter: