Tag Archive for 'ZeuS Tracker'

Massive Drop in Number of Active Zeus C&C Servers

I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&Control servers. This morning I was really surprised by what I saw on the ZeuS Tracker statistics page:


Massive drop of active ZeuS C&C servers on 2010-03-09

As you can see in the chart above, on March 9th 2010 the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: there has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked OK. So the massive drop of ZeuS C&C servers is a fact. I noticed that six of the worst ZeuS hosting ISPs had suddenly disappeared from the ZeuS Tracker.

I verified the subnets of the affected ISPs and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut off from the internet on 2010-03-09. As a result, the following ISPs lost their internet connectivity, which finally resulted in a massive drop in the number of active ZeuS C&C servers:

AS number: AS50390
AS name: SMILA-AS Pavlenko Tetyana Oleksandrivna
Subnet: 193.105.0.0/24
Status: Withdrawn
# of ZeuS C&Cs: 17
Spamhaus SBL: Not listed

AS number: AS42229
AS name: MARIAM-AS PP Mariam
Subnet: 91.201.196.0/22
Status: Withdrawn
# of ZeuS C&Cs: 18
Spamhaus SBL: #SBL86729

AS number: AS49934
AS name: VVPN-AS PE Voronov Evgen Sergiyovich
Subnet: 193.104.41.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL82374

AS number: AS44107
AS name: PROMBUDDETAL-AS Prombuddetal LLCst
Subnet: 91.201.28.0/22
Status: Withdrawn
# of ZeuS C&Cs: 5
Spamhaus SBL: #SBL82408

AS number: AS50033
AS name: GROUP3-AS GROUP 3 LLC.
Subnet: 193.104.94.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL85667

AS number: AS12604
AS name: CITYGAME-AS Kamushnoy Vladimir Vasulyovich
Subnet: 193.104.27.0/24
Status: Withdrawn
# of ZeuS C&Cs: 12
Spamhaus SBL: #SBL81900

In total, 68 ZeuS C&C servers went down – it was the biggest drop in the number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job :D
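To make the attribution above reproducible, here is an added Python example (not ZeuS Tracker’s own code) that maps a list of active C&C IPs onto the six withdrawn subnets listed above and reports how many C&Cs each AS lost; the 249 sample IPs are constructed to match the per-AS counts in the post, with the unaffected ones drawn from an RFC 5737 documentation range.

```python
import ipaddress
from collections import Counter

# Withdrawn subnets of the six ISPs named in the post, keyed by AS number.
WITHDRAWN_SUBNETS = {
    "AS50390": ipaddress.ip_network("193.105.0.0/24"),
    "AS42229": ipaddress.ip_network("91.201.196.0/22"),
    "AS49934": ipaddress.ip_network("193.104.41.0/24"),
    "AS44107": ipaddress.ip_network("91.201.28.0/22"),
    "AS50033": ipaddress.ip_network("193.104.94.0/24"),
    "AS12604": ipaddress.ip_network("193.104.27.0/24"),
}

def as_for_ip(ip, subnets=WITHDRAWN_SUBNETS):
    """Return the AS whose withdrawn subnet contains ip, or None if unaffected."""
    addr = ipaddress.ip_address(ip)
    for asn, net in subnets.items():
        if addr in net:
            return asn
    return None

def impact_of_withdrawal(active_cncs, subnets=WITHDRAWN_SUBNETS):
    """Count active C&Cs per withdrawn AS; return (per_as, still_reachable)."""
    per_as = Counter()
    still_reachable = 0
    for ip in active_cncs:
        asn = as_for_ip(ip, subnets)
        if asn is None:
            still_reachable += 1
        else:
            per_as[asn] += 1
    return per_as, still_reachable

def constructed_sample():
    """Constructed list of 249 'active' C&C IPs: 68 inside the withdrawn
    subnets (per-AS counts from the post) plus 181 in 203.0.113.0/24."""
    counts = {"AS50390": 17, "AS42229": 18, "AS49934": 8,
              "AS44107": 5, "AS50033": 8, "AS12604": 12}
    ips = []
    for asn, n in counts.items():
        hosts = WITHDRAWN_SUBNETS[asn].hosts()
        ips += [str(next(hosts)) for _ in range(n)]
    others = list(ipaddress.ip_network("203.0.113.0/24").hosts())
    ips += [str(a) for a in others[:181]]
    return ips

if __name__ == "__main__":
    per_as, remaining = impact_of_withdrawal(constructed_sample())
    print(f"lost {sum(per_as.values())} C&Cs, {remaining} still reachable")
    for asn, n in per_as.most_common():
        print(f"  {asn}: {n}")
```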

*** UPDATE 21:03 (UTC) ***
Bad news – it seems that TROYAK-AS has found a new upstream provider to serve their malware to the world:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS44051 YA-AS Professional Communication Systems

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider, called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut its peering with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look at the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!


ZeuS Tracker statistics as of 2010-03-11

As mentioned in the last update from 21:03 UTC, Troyak has just found a new upstream provider. This means Troyak-AS has been reconnected to the internet since yesterday. Anyway, I just checked those ZeuS C&C servers which were routed by Troyak – all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day – Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System

*** UPDATE 2010-03-11 21:30 (UTC) ***
Bad news: Since Troyak started their peering with RTCOMM-AS, the number of active ZeuS C&C servers has increased from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update the config files served to the infected clients to set up a fallback server (in case Troyak disappears from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS25189 NLINE-AS JSC Nline

Happy Birthday ZeuS Tracker!

One year ago, on the 2nd of February 2009, ZeuS Tracker was born (Introducing: abuse.ch ZeuS Tracker BETA). Today ZeuS Tracker looks back on a very successful year and I would like to use this occasion to write some words about ZeuS Tracker.

During the last year, ZeuS Tracker has tracked more than 2’800 malicious ZeuS C&C servers. The ZeuS Tracker has captured more than 360MB of ZeuS config files and 330MB of binaries.

First of all let me say that the success story of ZeuS Tracker was made possible by you. You, the readers of my blog as well as the contributors of ZeuS Tracker, are the heroes. Your effort, your advertising by word of mouth, your submission of new (unknown) ZeuS C&C servers to ZeuS Tracker, your support: this is what allowed ZeuS Tracker to gain so much attention and success. During this year, I’ve received hundreds of emails with constructive feedback, questions and offers by people who wanted to contribute their work. Thank you!

When ZeuS Tracker was started last year, the ZeuS C&C servers which were listed on it were online for dozens of days (and even for months). Today, a year later, there are a lot of CERTs, registrars and ISPs following one of the ZeuS Tracker RSS feeds to quickly take down new ZeuS C&Cs as soon as they get listed on ZeuS Tracker. Nowadays new C&C servers are very often shut down only a few minutes after they appear on ZeuS Tracker. In this way ZeuS Tracker (and the responsible ISPs, registrars and CERTs) are making a considerable effort to make the internet a safer place. Special thanks to all the ISPs, registrars and CERTs around the world which are helping to shut down malicious ZeuS C&C servers quickly!

The ZeuS Tracker project would not be possible without the help of a handful of organisations and people which are sharing information and providing ZeuS Tracker a home. So I decided to make a small “Hall of honor” for all of those.

Hall of honor

The time has come to say thank you to all who are supporting ZeuS Tracker. Special thanks go to…

  • 1&1 Internet AG … for giving ZeuS Tracker a home
  • Team Cymru … for providing the MHR to ZeuS Tracker
  • isecLAB … for providing Anubis to ZeuS Tracker
  • Ikarus Security Software … for providing samples to ZeuS Tracker
  • … for providing samples to ZeuS Tracker

Additionally I would like to thank Malwaredomainlist (MDL) and MalwareURL for their cooperation in sharing malicious ZeuS C&C servers.

During this year I received several queries asking for permission to integrate ZeuS Tracker information into commercial products. This was a very difficult decision for me to make and I considered the pros and cons of this for a considerable time. Finally I decided to allow the commercial use of ZeuS Tracker blocklists to a few companies: my intention with ZeuS Tracker was always to protect as many internet users as possible from becoming victims of identity theft. The fact that the use of the ZeuS Tracker IP and domain blocklist in widely used security products will decrease the number of victims of identity theft convinced me that this approach comes closest to my intentions. But the ZeuS Tracker information itself will always be provided free to everybody.


Below is a list of the organisations / sites which are using ZeuS Tracker in their services/products:

* Used in their commercial products

As you might have noticed, ZeuS Tracker is now providing the ZeuS Tracker blocklist to SURBL. So every mail server which is using SURBL in its spam filter now automatically benefits from the ZeuS Tracker domain blocklist.

Last but not least there are dozens of companies, universities and governmental organisations which are using the ZeuS Tracker blocklist to protect their users.

New Features

During the last few months several new features were added to ZeuS Tracker. Some of them are already public for a few months (but were never announced officially) and others have been finally launched today:
Anubis reports for binaries
The ZeuS Tracker is now providing you an Anubis report (Analyzing Unknown Binaries) for every binary which is in ZeuS Tracker. For those of you who don’t know Anubis:

[...] Anubis is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of Anubis results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary. [...]

See anubis.iseclab.org/?action=about

Each binary on ZeuS Tracker now has a link to the associated Anubis report on anubis.iseclab.org. The benefit of the Anubis reports is that they show you a lot of interesting information about the binary. For this purpose Anubis executes the binary in an emulated environment and traces the changes which the binary makes to the computer. For example, this includes the changes made to the file system and Windows registry as well as a record of the network activity which the binary generates during and after its execution.

Responsible Nameservers
I’ve added a nameserver lookup function to the ZeuS Tracker cron script which now looks up the responsible nameservers of the ZeuS C&C domains which are listed in ZeuS Tracker (of course that’s just used for the ZeuS domains and not for the IP addresses).

If you click on a domain which is on ZeuS Tracker it automatically displays the responsible nameserver. The text is a hyperlink, so when you click on it you will get a list of ZeuS C&C domains which are using the same nameserver(s). There is also an interesting breakdown of the top twenty nameservers used by ZeuS C&C servers on the ZeuS Tracker statistics page.

The goal of these new features is to provide the ISPs, CERTs and LEs (law enforcement) a better overview of the current hot spots. Additionally, a nameserver provider can now easily get a list of the malicious ZeuS domains which he is responsible for and take action against the threat.

Sponsoring Registrar
In addition to the nameserver lookup function, the ZeuS Tracker cron script now also looks up the sponsoring domain registrar of a ZeuS C&C domain. Unfortunately it’s not that easy to get the sponsoring registrar of a domain. Therefore this feature is not available for all domains which are listed in ZeuS Tracker (currently only approximately 70%-80% of the domains on ZeuS Tracker show the sponsoring domain registrar).

If you click on a domain which is on ZeuS Tracker it automatically displays the sponsoring registrar. The sponsoring registrar is a hyperlink, so when you click on it you will get a list of ZeuS domains which are also registered through the same sponsoring registrar. There is also an interesting breakdown of the top ten sponsoring registrars on the ZeuS Tracker statistics page.

The benefit of this feature is the same as for the responsible nameservers: providing a collection of information for the responsible ISPs and CERTs as well as for the LEs (law enforcement).

NEW! ZeuS Tracker DNS Service (ZTDNS)
Another new feature is the ZeuS Tracker DNS Service (ZTDNS). First of all: what you definitely should NOT do is use the ZeuS Tracker DNS Service at an email gateway. The service has been designed to be used by security experts and IT professionals to look up a domain on ZeuS Tracker quickly and NOT for mail cleaning.

The service works similarly to a normal DNS blackhole list (DNSBL): you can check an IP address or a domain name against the ZeuS Tracker DNS Service. If the IP address/domain is listed on ZeuS Tracker, you will get a positive response from the DNS daemon. You can request an A or TXT record. There are two DNS zones available:

  • ipbl.zeustracker.abuse.ch (used to check an IP address against the ZT IP blocklist)
  • uribl.zeustracker.abuse.ch (used to check a domain name against the ZT URL blocklist)

Requesting the A record will just return the information whether an IP/domain is listed on ZeuS Tracker or not, while the TXT record shows more information like SBL status, country code, AS number etc.

Before you’re going to start using ZeuS Tracker DNS Service please be sure that you read the ZTDNS page.

Domain history
I’ve been asked for a domain history. Here it is: with the new domain-history feature it is now possible to take a look at the history of a ZeuS domain listed on ZeuS Tracker. It shows the latest IPs that have hosted the domain before. This additional information can be quite interesting.

NEW! Binary & Config-file history
In addition to the domain history feature I’ve added a history function for the binaries and config files on ZeuS Tracker. When the MD5 of a binary or a config file changes it will be archived and added to the binary or config history. So you are now able to see how often a binary or config file on a specified ZeuS C&C rotates and whether the file was already seen on other ZeuS C&Cs before.
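As an added illustration (not ZeuS Tracker’s own code), the following Python keeps the kind of history described here: per C&C URL it archives a new entry only when the MD5 of the fetched binary or config file changes, and for every fetch it answers whether the same MD5 was already served by another C&C. The URLs and file contents in the sample are constructed.

```python
import hashlib
from collections import defaultdict

class FileHistory:
    """History of binaries/config files keyed by the URL they were fetched from.

    MD5 is used here only because it is the identifier ZeuS Tracker keys on;
    it is not an integrity check. Assumed design, not the tracker's own code.
    """

    def __init__(self):
        self.by_url = defaultdict(list)  # url -> [(md5, seen_at), ...], oldest first
        self.by_md5 = defaultdict(set)   # md5 -> set of URLs that served it

    def observe(self, url, content, seen_at):
        """Record one fetch; archive a new entry only if the MD5 changed."""
        md5 = hashlib.md5(content).hexdigest()
        history = self.by_url[url]
        rotated = bool(history) and history[-1][0] != md5
        if not history or rotated:
            history.append((md5, seen_at))
        seen_elsewhere = sorted(self.by_md5[md5] - {url})
        self.by_md5[md5].add(url)
        return {"md5": md5, "rotated": rotated, "seen_elsewhere": seen_elsewhere}

    def rotations(self, url):
        """How many times the file at url has changed since it was first seen."""
        return max(len(self.by_url[url]) - 1, 0)

    def timeline(self, url):
        """Archived versions for url as (md5, seen_at), oldest first."""
        return list(self.by_url[url])

if __name__ == "__main__":
    # Constructed sample: two C&C URLs; the first rotates its config once and
    # the second later serves the first's original config.
    h = FileHistory()
    a = "http://cnc-a.invalid/cfg.bin"
    b = "http://cnc-b.invalid/cfg.bin"
    fetches = [(a, b"cfg-v1", "2010-02-01"), (a, b"cfg-v1", "2010-02-02"),
               (a, b"cfg-v2", "2010-02-03"), (b, b"cfg-v1", "2010-02-04")]
    for url, blob, day in fetches:
        r = h.observe(url, blob, day)
        print(day, url, r["md5"][:8], "rotated" if r["rotated"] else "unchanged",
              "also seen at:", r["seen_elsewhere"] or "-")
    print("rotations at", a, "=", h.rotations(a))
```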

Changelog

Besides the new features, some minor changes were made to ZeuS Tracker:

  • You can now sort the ZT monitor page by lastupdated
  • I’ve revised ZT’s statistics page. There are now some nice graphics which show you some interesting statistics about the ZeuS crimeware
  • A handful small changes on the ZeuS Tracker startpage
  • You can download all ZeuS configs or binaries packed in a zip file (see FAQ)

TODOs

Well there are still a few things left to do on ZeuS Tracker:

  • Creating an RSS feed for domain registrars
  • Creating an RSS feed for nameservers

Certainly, if you have some good ideas or feature requests don’t hesitate to drop me a line (contact form).



