ZeuS: Cybercriminals moving over to FastFlux Hosting

A month ago, the well-known bulletproof hoster Troyak was cut off from the internet. Troyak tried hard to get reconnected, but the disconnection made a lot of noise in the international press, with the result that Troyak was unable to stay connected to the World Wide Web.

But maybe you wonder why the number of active ZeuS C&Cs has kept dropping after the Troyak shutdown. Let me clear this up: after the shutdown of Troyak, several other ISPs which had served as a platform for cybercriminals for months obviously came under massive pressure from their upstream providers. Many of those ISPs contacted me during the last few weeks and made a clear statement that they no longer tolerate any cybercriminals in their networks.

The good news first:
Today, a month after the Troyak shutdown, the number of active C&C servers is still at a very low level. We are now at a point where ZeuS C&C servers go offline just a few minutes after they appear on the ZeuS Tracker.

And now the bad news:
During the last few days I have noticed more and more ZeuS C&C servers popping up which are hosted on a FastFlux botnet. To be precise: it is not new that cybercriminals host the infection binaries (used to infect their victims) on FastFlux botnets. What is new to me is that the cybercriminals are now also hosting their Command&Control servers (the servers which host the dropzone) on FastFlux botnets. For example:

To go along with this ‘new’ trend I decided to add a new ‘level’ to the ZeuS Tracker:

Level: 5
Description: Hosted on a FastFlux botnet
Color: Blue

Whenever you see a ZeuS C&C server on the ZT which is FastFlux hosted, the ZeuS Tracker will now provide you with additional information:

As you can see above, the ZeuS Tracker shows the assigned bots (IP addresses) as well as their status on Spamhaus's XBL. Additionally, the time to live (TTL) of the A record is displayed (on FastFlux hosted domains mostly between 180 and 1800 seconds). Note that a short TTL alone is not proof of FastFlux hosting, since CDNs and load-balanced sites use short TTLs too; what gives a flux domain away is that the set of A records keeps changing between lookups and points at compromised hosts in unrelated networks, which is why the XBL status of each bot is shown alongside.
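The following is an added example, not code from the ZeuS Tracker, showing how the two observations above (C&C domains served by a FastFlux botnet, and the bot list with TTL and XBL status shown for them) can be reproduced by hand: it parses the answer section of repeated `dig` runs, scores the result against the TTL range and the churning A-record set described in this post, and builds the reversed-IP query name used to check each bot against Spamhaus's XBL. The thresholds, the `ffc2.example` and `static.example` answer data and the fake XBL resolver are constructed assumptions; the `/16` grouping is a crude stand-in for "different networks" where no ASN data is available.

```python
"""
Fast-flux heuristics for a domain's A records plus Spamhaus XBL lookups for
the bot IPs behind it. Added example (not ZeuS Tracker code); sample dig
output, thresholds and the fake resolver below are constructed assumptions.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Set

# One line of `dig +noall +answer <name> A`, e.g. "c2.example.  300  IN  A  203.0.113.7"
DIG_A_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class Observation:
    """A-record set returned by one lookup, with the lowest TTL seen in it."""
    name: str
    ttl: int
    ips: Set[str]


def parse_dig_answer(text: str) -> Observation:
    """Parse the answer section of a single dig run into an Observation."""
    name, ttl, ips = None, None, set()
    for line in text.splitlines():
        m = DIG_A_RE.match(line.strip())
        if m is None:
            continue  # skip blank lines, comments and non-A records
        name = m.group(1).rstrip(".").lower()
        t = int(m.group(2))
        ttl = t if ttl is None else min(ttl, t)
        ips.add(m.group(3))
    if name is None:
        raise ValueError("no A records found in dig output")
    return Observation(name, ttl, ips)


def fastflux_indicators(obs: Sequence[Observation], ttl_max: int = 1800,
                        min_ips: int = 5, min_nets: int = 3) -> Dict[str, bool]:
    """Score several lookups of the same name. Thresholds are assumptions:
    ttl_max follows the 180-1800 s range seen on flux domains."""
    if not obs:
        raise ValueError("need at least one observation")
    all_ips = set().union(*(o.ips for o in obs))
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in all_ips}
    churned = all_ips - obs[0].ips  # addresses that appeared only in later lookups
    return {
        "short_ttl": max(o.ttl for o in obs) <= ttl_max,
        "many_ips": len(all_ips) >= min_ips,
        "scattered_networks": len(nets) >= min_nets,
        "churning": len(churned) > 0,
    }


def is_fastflux(obs: Sequence[Observation]) -> bool:
    """Short TTL and many IPs are required; churn or scattered networks confirm."""
    ind = fastflux_indicators(obs)
    return ind["short_ttl"] and ind["many_ips"] and (ind["churning"] or ind["scattered_networks"])


# --- Spamhaus XBL: DNSBL lookups use the reversed IPv4 octets under the zone ---
XBL_ZONE = "xbl.spamhaus.org"
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}  # XBL return codes


def xbl_query_name(ip: str) -> str:
    """203.0.113.7 -> 7.113.0.203.xbl.spamhaus.org"""
    return ".".join(reversed(ip.split("."))) + "." + XBL_ZONE


def xbl_status(ip: str, resolve: Callable[[str], List[str]]) -> str:
    """resolve() returns the A records for a name, or [] when it does not exist."""
    hits = sorted(a for a in resolve(xbl_query_name(ip)) if a in XBL_CODES)
    return "listed " + ",".join(hits) if hits else "not listed"


def live_resolve(name: str) -> List[str]:
    """Real lookup via the system resolver (network access required)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def assess(dig_runs: Sequence[str], resolve: Callable[[str], List[str]]) -> Dict:
    """Combine the heuristics and the XBL status of every bot into one report."""
    obs = [parse_dig_answer(run) for run in dig_runs]
    bots = sorted(set().union(*(o.ips for o in obs)))
    return {
        "domain": obs[-1].name,
        "ttl": obs[-1].ttl,
        "fastflux": is_fastflux(obs),
        "indicators": fastflux_indicators(obs),
        "bots": {ip: xbl_status(ip, resolve) for ip in bots},
    }


# Constructed sample data: three lookups of a flux domain (TTL 300, rotating
# A records) and three of an ordinary static host (TTL 86400, one address).
FLUX_RUNS = [
    """ffc2.example.  300  IN  A  203.0.113.7
       ffc2.example.  300  IN  A  198.51.100.23
       ffc2.example.  300  IN  A  192.0.2.88
       ffc2.example.  300  IN  A  203.0.113.150
       ffc2.example.  300  IN  A  198.51.100.200""",
    """ffc2.example.  300  IN  A  192.0.2.88
       ffc2.example.  300  IN  A  203.0.113.7
       ffc2.example.  300  IN  A  198.51.100.5
       ffc2.example.  300  IN  A  192.0.2.17
       ffc2.example.  300  IN  A  203.0.113.42""",
    """ffc2.example.  300  IN  A  198.51.100.5
       ffc2.example.  300  IN  A  192.0.2.17
       ffc2.example.  300  IN  A  203.0.113.42
       ffc2.example.  300  IN  A  198.51.100.77
       ffc2.example.  300  IN  A  192.0.2.250""",
]
STATIC_RUNS = ["static.example.  86400  IN  A  192.0.2.10"] * 3

# Fake XBL answers for offline use; only one constructed bot is "listed".
FAKE_XBL = {xbl_query_name("203.0.113.7"): ["127.0.0.4"]}


def fake_resolve(name: str) -> List[str]:
    return FAKE_XBL.get(name, [])


if __name__ == "__main__":
    for runs in (FLUX_RUNS, STATIC_RUNS):
        print(assess(runs, fake_resolve))
```

To run it against a live domain, feed `assess()` the text of several `dig +noall +answer <name> A` runs spread over a few TTL periods and pass `live_resolve` instead of `fake_resolve`. Spamhaus refuses XBL queries that arrive through large public resolvers, so use a local resolver for the live lookups.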

To get a list of ZeuS domains which are currently hosted on a FastFlux botnet, you can simply set a filter for "level 5" tagged domains on the ZeuS Tracker:

Currently there are just 9 domains hosted on a FastFlux botnet. But let's see how many ZeuS C&Cs will move over to FastFlux hosting during the next few months.
