Tag Archives: ZeuS

The Bozvanovna ZeuS Botnet

This week I’ve taken the opportunity to take a closer look at the current ZeuS campaigns. A few of them keep popping up again and again, so I’ve tried to get some more information about those botnets, their targets as well as the infrastructure that the cybercriminals are using.

In this first blog post I will talk about a ZeuS botnet which I call the “Bozvanovna Botnet”, which is being spread using drive-by exploits (hopefully I will find the time to blog about the other botnets that I’ve found too…).

First of all, let’s take a look at the botnet Command&Control infrastructure: The cybercriminals have registered a large number of domains to serve ZeuS configs and binaries as well as to provide a dropzone for the infected clients (bots) to upload the stolen information. The reason for this is pretty simple: In most cases the domains that get listed on ZeuS Tracker will get nuked quickly, so the cybercriminals have to register new domains every time the old domains get suspended.

Below is a list of the domains that were associated with the Bozvanovna Botnet and that ZeuS Tracker came across:

Firstseen Domain Registrar Registrant A record Status
2010-10-18 0luxdan.com DIRECTI Anton Petushkov Suspended
2010-10-30 jankult.com REGTIME Andrey Aleksandrovich Polev Suspended
2010-10-29 3color3.com REGTIME Andrey Aleksandrovich Polev Suspended
2010-11-05 file-system5.com REGTIME Anton Petushkov Suspended
2010-11-07 razaasmss.com REGTIME SP3 LTD Suspended
2010-11-22 olmsqq0.com DIRECTI Annamos Susdanil Suspended
2010-11-22 xinetdstart.com DIRECTI Petr Klimov Suspended
2010-11-25 vatnaya0.com DIRECTI SP3 LTD Suspended
2010-11-28 losma00s.com DIRECTI SP3 LTD Suspended
2010-11-28 goodysw.com DIRECTI Saoma LTD Suspended
2010-11-28 shanhaiswerat.com DIRECTI Saoma LTD Suspended
2010-11-16 oslolstal.com REGTIME Maksim A Roslyakov Inactive
2010-11-22 thechno000.com REGTIME Maksim A Roslyakov Suspended
2010-11-22 shawn00.com REGTIME Maksim A Roslyakov Suspended
2010-11-27 tundraburb.com DIRECTI Saoma ltd Suspended
2010-11-28 comeasuwewd.com DIRECTI SP3 LTD Suspended
2010-12-05 lloqqqcss.com REGTIME Maksim A Roslyakov Suspended
2010-12-06 eat0good.com REGTIME Max Pet Inactive
2010-12-08 yakonohadersh.com REGTIME Evgeniy Jaakson Active
2010-12-08 unagimakimoto.com REGTIME Evgeniy Jaakson Active
2010-12-10 poweroffbutson.com DIRECTI PrivacyProtect.org Suspended
2010-12-10 pilotsmradios.com DIRECTI PrivacyProtect.org Suspended
2010-12-13 arteowerpot.com DIRECTI Alexander Fulop Suspended
2010-12-13 sdartinagrest.com DIRECTI Alexander Fulop Suspended
2010-12-13 destopinterfo.com DIRECTI Alexander Fulop Suspended
2010-12-13 portityuwdef.com DIRECTI Alexander Fulop Suspended
2010-12-13 plotetihnask.com DIRECTI Alexander Fulop Suspended
2010-12-13 itroluikdired.com DIRECTI Alexander Fulop Suspended
2010-12-13 cernelpanished.com REGTIME Aaltonen Alexander Active
2010-12-13 openwdscript.com REGTIME Aaltonen Alexander Active
2010-12-13 tilimilitram.com DIRECTI PrivacyProtect.org Suspended
2010-12-14 polirtikolost.com DIRECTI Alexander Fulop Suspended
2010-12-16 werlijokityp.com DIRECTI Alexander Fulop Suspended
2010-12-16 jakudzahamato.com REGTIME Evgeniy Jaakson Active
2010-12-17 enkwertiout.com REGTIME Aaltonen Alexander Active
2010-12-17 lib32listends.com REGTIME Aaltonen Alexander Active
2010-12-17 fjfhbhwerkbfger.com REGTIME Evgeniy Jaakson Active
2010-12-19 werodtlejfcok.com DIRECTI PrivacyProtect.org Suspended

The first domain popped up on 2010-10-18, but it looks like the Bozvanovna gang has been operating at least since July 2010. Fortunately, it’s pretty easy to detect those domains that are associated with that specific botnet, because in most of the cases they are using the same URL scheme:

  • ZeuS Config file: 000XYYY.so
  • ZeuS Binary file: 000XYYY.exe
  • ZeuS Dropzone: i.php

Where X is an alphabetic letter (eg n or x) and Y a numeric character (eg 2 or 123).
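
The URL scheme above can be turned into a proxy-log check. The following is an added example, not code from the original post: the log format, client addresses and hostnames are constructed, and it assumes that X is a single letter and YYY is one to three digits (the post gives both 2 and 123 as examples). Because i.php on its own is a common file name, a POST to it is only counted when the same client also fetched a matching config or binary from the same host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# File names from the post: 000XYYY.so (config) and 000XYYY.exe (binary).
# Assumption: X = one ASCII letter, YYY = one to three digits.
STAGE_RE = re.compile(r"000[a-z]\d{1,3}\.(so|exe)", re.IGNORECASE)

# Constructed sample: "<timestamp> <client> <method> <url>" per line.
SAMPLE_LOG = """\
2010-12-18T09:14:02 10.0.4.17 GET http://cnc-one.example/000x123.so
2010-12-18T09:14:05 10.0.4.17 GET http://cnc-one.example/000x123.exe
2010-12-18T09:20:41 10.0.4.17 POST http://cnc-one.example/i.php
2010-12-18T09:21:10 10.0.7.3 POST http://forum.example/i.php
2010-12-18T09:22:30 10.0.7.3 GET http://cdn.example/lib/0001.so
2010-12-18T09:25:00 10.0.9.8 GET http://cnc-two.example/files/000n2.exe?r=1
"""

def classify(url):
    """Return 'config', 'binary', 'dropzone' or None for one URL."""
    # Only the last path segment is compared; the query string is ignored.
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    match = STAGE_RE.fullmatch(name)
    if match:
        return "config" if match.group(1).lower() == "so" else "binary"
    return "dropzone" if name.lower() == "i.php" else None

def find_suspects(log_text):
    """Map (client, host) to the sorted kinds of matching requests seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, method, url = parts
        kind = classify(url)
        if kind == "dropzone" and method != "POST":
            continue  # bots upload to the dropzone; ignore plain GETs
        if kind:
            seen[(client, urlsplit(url).hostname)].add(kind)
    # A dropzone hit alone is too generic; require a config or binary fetch.
    return {pair: sorted(kinds) for pair, kinds in seen.items()
            if kinds & {"config", "binary"}}

if __name__ == "__main__":
    for (client, host), kinds in find_suspects(SAMPLE_LOG).items():
        print(client, host, ",".join(kinds))
```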

Another point which pops up when we take a look at the list above is that most of the domains are hosted at a well-known bulletproof hosting provider named VolgaHost, which is located in Russia:

AS number: AS29106
AS name: VolgaHost
ZeuS C&Cs: zeustracker.abuse.ch/monitor.php?as=29106
Spamhaus SBL: www.spamhaus.org/sbl/sbl.lasso?query=SBL83028
CIDR Report: www.cidr-report.org/cgi-bin/as-report?as=AS29106

According to CIDR Report, VolgaHost is being routed through AS39307 – DCOMM-UA-AS Digital Communications Ltd. Both ASs can be considered 100% malicious and should therefore not be routed. But let’s get back to the Bozvanovna botnet…

When I took a look at the ZeuS config files of the Bozvanovna botnet (they are using ZeuS version, I was really surprised when I saw how many financial institutions they are targeting. Below is a list of the targets of this ZeuS campaign which I’ve seen so far:

  • NatWest
  • HSBC
  • Nationwide
  • Lloyds TSB
  • Co-operative bank
  • Bank of Scotland
  • Yorkshire Bank
  • Halifax
  • Postbank
  • Sparkasse
  • Barclays
  • Commerzbank

Like most ZeuS campaigns, the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victim’s online bank account. The Bozvanovna botnet is using different Webinjects: some of them are implemented in the ZeuS config file and some of them are hosted on a server on the internet (to generate webinjects dynamically). In total I’ve seen two domains which are being used to implement the webinjects:

Domain Registrar Registrant A record AS number AS name
bozvanovna.com REGTIME Lubov Bozvanovna AS23352 Server Central Network
freetalkgamez.com REGTIME Aaltonen Alexander AS55720 GIGABIT-MY

Both domain names are currently active and what is even more interesting: Both domain names are using HTTPS with a valid certificate. This is actually not that uncommon: A lot of the recent ZeuS campaigns I’ve seen are using valid SSL certificates to avoid browser warnings on the client side during the ebanking session.

Bozvanovna SSL certificate


The webinjects as well as the server side scripts are (as in most of the cases) pretty complex. What I’ve seen in the Bozvanovna ZeuS campaign is that they can switch the targets of their interest pretty easily by using some kind of switcher to turn the campaign targeting a specific bank on or off. Therefore they have defined a lot of webinjects in the ZeuS config file for a lot of different financial institutions. As soon as they want to activate a campaign, they just have to change the switcher on the webinject server to on (by using this switcher they don’t have to change the config file every time they want to change the targets of their campaign). Let’s take a look at a target in the ZeuS config file of Bozvanovna:

Webinject Bozvanovna

The Target URL defines the target of this Webinject. The cybercriminals can then define at which point of the online banking site they want to replace or insert code (data_before / data_after). In this example ZeuS will add a lot of HTML and JavaScript code (data_inject) after the head tag. What is interesting in this example is that the victim’s browser will load additional code from bozvanovna.com using JavaScript. As already mentioned, they are using HTTPS to load that code from bozvanovna.com.

If we take a look at this URL referenced in the ZeuS config file, we will see the following content:

var current_state = "offline";

It looks like the cybercriminals have disabled the phishing campaign against this target, but they can change that pretty easily:

Bozvanovna Webinject Status

If we now take another look at the same URL again, we will see that there is now a lot of HTML code being served from bozvanovna.com and injected into the online banking session of the victim:

Activated Webinject

The code snippet above shows that the phishing campaign against this target is now active. ZeuS will now phish the credentials for the online bank account and display the error message “We have problem with online service. Try again later, sorry for any inconvenience” to the victim.

We have seen that the webinjects are pretty complex. So we have to ask ourselves: Is this really going to work? I can tell you: yes it is! Below is a screenshot of a log which is generated by the webinject backend:

Bozvanovna Victims


The log file is huge and contains information about:

  • Timestamp
  • Victim’s IP address
  • Victim’s bank
  • User Agent (Browser)
  • Customer Number (Account number)
  • Memorable Data
  • Passnumber
  • Available amount of cash

You can also see that some of the victims are using Firefox. So you can even be targeted by such phishing attacks when you are using Firefox for your online banking sessions. Another interesting point in the logfiles are the timestamps: They attacked the Nationet Internet Banking from October 14th to October 21st. Afterwards it seems that they stopped the phishing campaign against this bank for some time by turning off the switcher (about which I have talked before). Since December 17th they are targeting the bank again.

But there is one fact that scares me much more than anything else: I saw a couple of victims who logged in to online banking accounts that are tagged as Business or Corporate online. When I did a whois on the victims’ IPs, I saw that these IPs belong to corporate customers within Europe. In fact this means that the cybercriminals are also targeting business customers and therefore have access to a lot of money (you can imagine that there is more money in a business bank account than in the bank account of a private customer).

If we look at the admin panel of the server which is hosting the webinjects, we see that the cybercriminals have already grabbed a lot of information about the bank accounts of their victims. Below is just a very small screenshot of the admin panel (called personal room) on bozvanovna.com.

Bozvanovna Admin Panel

The bank account which I’ve outlined in the screenshot above currently has a balance of 371’535.26 pounds. And now imagine: The entry table has 600 bank accounts listed! So there is a lot of money on those accounts….

Finally, let’s take a short look at the Bozvanovna botnet. Fortunately I had the chance to sinkhole a handful of domains which are associated with the Bozvanovna botnet and which are being used to control the botnet. Therefore I’m able to provide some information about the Bozvanovna botnet geo location:

Bozvanovna Botnet Geolocation

As shown in the pie chart above, most infected clients are located in Great Britain (GB) and Germany (DE). That’s not really surprising, because the financial institutions targeted by the Bozvanovna ZeuS campaign are mainly located in those countries.

*** Conclusion ***
While ZeuS and Spyeye obviously merged some months ago, we can see that ZeuS is still around (at least for now). The Bozvanovna ZeuS campaign is a good example of how sophisticated and complex the attacks on financial institutions are today.

If you want to mitigate the ZeuS threat in your network, I recommend you use one of the ZeuS Tracker blocklists:


Follow me on Twitter: http://twitter.com/abuse_ch

Microsoft Adds ZeuS Detection To MSRT

As of October 12th 2010, the MSRT Team added detection for the ZeuS crimeware (also known as Zbot and WSNPoem) to Microsoft’s Malicious Software Removal Tool (MSRT):

For those who don’t know: MSRT is distributed automatically to WinXP, WinVista and Win7 through the Windows Update Service. Of course this is really great news, but the thing which worries me a little bit is the fact that Microsoft waited years until they finally added detection for the ZeuS crimeware. ZeuS has been a big threat in cyberspace for years and has already managed to steal millions of dollars.

MSRT’s ZeuS detection rate

I thought it would be a good idea to test MSRT’s detection for ZeuS by running some quick tests. I’ve tested 20 ZeuS infection binaries (v2) by infecting a VM with the following test conditions:

MSRT Version: Kb890830 (2010-10-12)

Below are the results of my tests:

Infection binary (MD5) ZeuS Version MSRT Result Virustotal
a7d9996744d7129dc6af94d5827006e0 missed 4/43 (9.30%)
4e6114b5cbfbd5eeb0cea380c3416b2a detected 32/43 (74.40%)
20d1b5c8b868ecf314d5b7d50188f55f detected 38/41 (92.70%)
70bda659bf0852c1ce96532df3b57021 detected 20/43 (46.50%)
a2ba908c3fe7f2bd99ad0c6e31c24995 detected 6/43 (14.00%)
e206407083a772a015a21f0398f0fbf0 missed 8/43 (18.60%)
ace6aec48663a0179af2e60cceb2ebb4 missed 10/43 (23.30%)
92b58d067b13f47d14a4747af07b2d10 detected 6/41 (14.60%)
6250a5c48f5aff26474e9eaff4d0520c missed 6/41 (14.60%)
d6c169be176e60a67780feb48327b2ab detected 12/43 (27.90%)
21102185c207602505d45019f5d782b9 missed 10/43 (23.30%)
fc797f7b8a20ab4e6ce2df39ae41069f missed 20/42 (47.60%)
e8f83eefe8069c360c73bf7127426155 detected 33/43 (76.70%)
cf11173481abb10e92246be92d8304dc detected 17/42 (40.50%)
b64b598e6b5106d770f94c659bc994d5 missed 0/43 (0.00%)
359316aa5901613a3ad4f9265a93c600 detected 13/42 (31.00%)
2c9702bf84a7c9a094109ff2fe0a7910 missed 3/42 (7.10%)
b0fe715bce28f9c3e48520f23c7cf8fe detected 10/43 (23.30%)
d52d8bea0bd22be5382e05b9e787ff5d missed 3/43 (7.00%)
78edc0048427103a3f785fe8ac453d30 missed 1/43 (2.30%)
Total   Detected: 10, Missed: 10  

Microsoft’s Malicious Software Removal Tool was able to identify 10 out of 20 infected systems which is a detection rate of 50%.


During the tests I noticed that in most of the cases you need to run a full scan with MSRT to detect a ZeuS infection. Please also note that these are some quick tests from my side and don’t necessarily represent the real detection rate of MSRT on ZeuS.

I’m really curious about the number of infections detected by MSRT worldwide. Hopefully Microsoft will publish some data in the next few days.

PS: You can also follow abuse.ch on Twitter: twitter.com/abuse_ch