Tag Archives: ZeuS Tracker

ZeuS- and SpyEye Tracker goes Spamhaus

Today The Spamhaus Project, a well known non-profit organisation fighting cybercrime in the internet, released a new list called “Spamhaus Botnet C&C List” (BGPCC) which is implemented at the router level using the Border Gateway Protocol (BGP). I’m proud to announce that the newly launched list also contains data provided by ZeuS Tracker and SpyEye Tracker.

The list is described on Spamhaus website as follow:

The Spamhaus Botnet Command and Control (C&C) list is an advisory “drop all traffic” list consisting of single IPv4 addresses. The feed does not contain any subnets or CIDR prefixes longer than /32. The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes so that the malware on the bots can transfer stolen data to the C&C node for delivery to the botnet’s owner, and to obtain instructions for what they are to do next. Once a botnet contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.

Reference: http://www.spamhaus.org/bgpf/

As soon as ZeuS- or SpyEye Tracker identifies a new botnet C&C, information will be sent to Spamhaus automatically which will result in a listing on Spamhaus Botnet C&C list within a few minutes. In fact this means that networks using this list are protected from malicious botnet traffic from/to botnet controllers listed on ZeuS- or SpyEye Tracker automatically and without any delay.

By providing Tracker data to Spamhaus, abuse.ch continues its fight against cybercrime and bad actors on the internet.

If you are an ISP or network provider you might want to have a look at the Spamhaus BGP feed.

*** Further reading ***

ZeuS Tracker Online Again With New Features

As most of you probably noticed, ZeuS Tracker was offline for a whole week (2010-09-03 to 2010-09-14). During this time I made several improvements and added new features to ZeuS Tracker.

But before I go on with the list of new features, I would like to point your attention to another topic:

I’m currently working on a new project which should help operators of large networks (like ISPs, governmental organizations and NGOs) to mitigated bad traffic in their network. The project is currently in BETA and I’m searching for administrators which have the possibility to test the functions of the new project in a test network environment. Unfortunately I’m currently not able to disclose more information about the new project. If you are a network operator of a large network and you willing to support abuse.ch, please contact me using the contact form.

Back to the main topic: Below is a list of new features on ZeuS Tracker.

New features

  • ZT now records the time how long a ZeuS host is up (uptime)
  • ZeuS Tracker now tracks FakeURLs used by the ZeuS Crimeware
  • The monitor page now displays the HTTP status code returned by the ZeuS URLs (200, 404 etc)
  • If available, the monitor page displays the hostname for a ZeuS host
  • Added Virustotal support for ZeuS binaries
  • ZT now provides the Builder versions with which the ZeuS config files have been created
  • Added Google Maps to the ZT IP page
  • Added IP- and domain blocklist for Squid, iptables and Windows Host file


  • ZeuS Tracker cron script has been fully rewritten
  • The cron script now runs in threaded mode (faster in checking ZeuS hosts)
  • Statistic page now displays some additional statistics (Spamhaus SBL stats, Builder versions etc).

Additionally, I’ve made a huge ZeuS Tracker database cleanup and removed old and non-resolving hosts.

Automated binary submissions to the AV industry

ZeuS Tracker now supports the AV industry by submitting new ZeuS binaries to the AV vendors as soon as they appear on the ZeuS Tracker. I’ve made special agreements with some of the AV vendors listed below which have give the ZeuS Tracker direct access to their Sandbox systems. Some of the AV vendors are doing a great job which makes it possible that a new pattern is being released just a few minutes after ZT submitted the binary to the sandbox (using reputation based detection systems).

Currently, the following AV vendors receive a real time binary feed from ZeuS Tracker:

  • Avast
  • AVG
  • Avira
  • CA
  • Comodo
  • BitDefender
  • Emsisoft
  • Eset
  • eSafe
  • Finjan
  • Fortinet
  • G-Data
  • Ikarus
  • Kaspersky
  • Prevx
  • Sunbelt
  • F-Secure
  • McAfee
  • Norman
  • Panda
  • Rising
  • Sophos
  • Spybot
  • Symantec
  • Trend Micro

I hope you enjoy the new features of ZeuS Tracker!

PS: I’m currently searching a sponsorship for a SSL certificate for the ZeuS Tracker. If you are able to provide a SSL Certificate to ZeuS Tracker I would love if you contact me using the contact form. Any help would be appreciated!