Tag Archives: ZeuS Tracker

New features on the ZeuS Tracker

The last few days I made several improvements to the abuse.ch ZeuS Tracker. First of all I have removed more than 300 ZeuS hosts which are no longer reachable (eg. because the domain has been suspended or deleted etc). So if you are using the ZeuS Blocklist please download the updated blocklist (link). You can get a look at the removed ZeuS hosts on the removal list.

New features

  • I have added a AV detection rate for each binary which is in the Tracker. Special thanks to Team Cymru which is providing the Malware Hash Registry (MHR) to the ZeuS Tracker!
  • There is now a column on the monitor page which shows how many files on a ZeuS hosts are currently online. This feature was requested by various CERTs and ISPs – thanks for your feedback! (link)
  • The removal list now contains archived binaries and configs (link)
  • There is now a page which lists all ZeuS Tracker RSS feeds which are available (link)
  • I’ve added a new filter for the ZeuS Tracker monitor called “ZeuS hosts with files online”. If you click on this filter you will see only ZeuS hosts which have at least one file online (link)
  • You have now the possibility to download ALL ZeuS binaries which are currently in the Tracker. For this purpose I’ve created a cronjob which export all ZeuS binaries on 01:00 UTC into a ZIP-file. For security reasons I won’t post the link here. You can find the link on the FAQ page


  • I’ve synchronized the color for the column SBL, status and files online. ZeuS hosts which are offline will now be colored green (and not red)
  • I’ve added a statistical breakdown of the AV detection rate on the bottom of the statistic page (link)
  • I’ve made some changes on the site layout
  • The ZeuS Tracker is no longer BETA

The ZeuS Tracker is searching a new location

Maybe you already noticed that the server which is hosting the ZeuS Tracker and abuse.ch has often connection issues and is not reachable. This is caused by DDoS- and SYN-Flood attacks from various sources agains the Webserver. Unfortunately I’ve only limited ressources to mitigate such attacks at the current server location so I have decided to search a new location for the ZeuS Tracker and abuse.ch. If you have the possibility to spend a server in your network please contact me using the contact form.

Have fun with the new features of the ZeuS Tracker! 🙂

Some ZeuS statistics

A week ago, I’ve published the abuse.ch ZeuS Tracker. Now I decided to post some statistical data about the ZeuS hosts.

First of all, let’s take a look at the worst ISPs, which are currently hosting ZeuS Command&Control servers:

ZeuS host count AS number AS name
17 44997 BTG route block
14 16265 LEASEWEB AS
13 44097 Sistemnet Telekomunikasyon

It’s quit interessting to see AS44997 (BTG12-AS BTG route block) at the top of the worst ISPs. For those of you which are reading my blog frequently: You now that ASN very-well from my previous posts. For all others: AS44997 was formerly known as UATelecom. The ISP is now known as Ural Industrial Company (Ural-NET) and is located in Russia. Different name but the same dirty business as before:


Source: ZeuS Tracker :: AS44997

A part of Ural Industrial Company subnet is also listed on Spamhaus’s Don’t Route Or Peer (DROP) list: ; SBL70438
Source: www.spamhaus.org/drop/drop.lasso

Ref: SBL70438 is listed on the Spamhaus Block List (SBL)
15-Feb-2009 21:53 GMT | SR04
Cybercrime & spam hosting hub; Ural Industrial Company
Source: Spamhaus SBL70438

Another suspicious ISP is Leasweb, which is located in the Netherlands. When we look at Spamhaus SBL, we see more supicious activities in Leasweb’s Network:

Found 8 SBL listings for IPs under the responsibility of leaseweb.com
See www.spamhaus.org/sbl/listings.lasso?isp=leaseweb.com

The next ISP is Sistemnet Telekomunikasyon which is located in Turkey. I’ve already seen a lot of phishing sites, C&Cs and dropzones there. Shortly, It’s even worst than Ural-NET. Just take a look onto the SBLs concerning Sistemnet Telekomunikasyon:

Found 50 SBL listings for IPs under the responsibility of sistemnet.com.tr
See www.spamhaus.org/sbl/listings.lasso?isp=sistemnet.com.tr

Wow, there are currently 50 SBL listings concerning that ISP! So just another dirty ISP…

Now let’s take a look into the top ten ZeuS hosting countries:

# of ZeuS hosts country
47 Russian Federation
41 United States
23 China
19 Netherlands
12 Ukraine
11 Turkey

Just without a comment.

If you want to see the whole statistic you can take a look on it on the ZeuS Tracker statistic page (link).

Improvements made to the ZeuS Tracker

Last but not least I have made some improvements to the ZeuS Tracker:

Country RSS feed available
I’ve received some requests from various CERTs concerning a country RSS Feed for new ZeuS hosts. So I’ve decided to create one. You can find it on the country page (eg. https://zeustracker.abuse.ch/monitor.php?country=HK). On the country page, just click on “Subscribe this country via RSS feed” and you will get informed about new ZeuS hosts in the specified country.

Browse ZeuS binaries
There is now a Browse ZeuS binaries function on the monitor page. With this function you can browse all ZeuS binaries which are stored in the ZeuS Tracker database (link).

Browse ZeuS configs
Additionally there is also a Browse ZeuS configs function on the monitor page. With this function you can browse all ZeuS configs which are stored in the ZeuS Tracker database (link).

Have fun!