Everybody loves the ZeuS Tracker – even the bad guys…
Today a friend over at PhishLabs contacted me regarding a Fake-AV software (also known as “Rogue Antivirus” or “Scareware”) which obviously uses the ZeuS Tracker name to gain a good reputation and to promote the product. The software is called Shield EC and is being sold through the website www.[dot]shieldec[dot]com:
When you read the first sentence on their website you will be pretty surprised:
Shield EC is a result of two-year research and close collaboration of programmers and analysts from Martindale Enterprises LTD and Zeus Tracker, the main center for ZeuS epidemic prevention.
… and in the “About the company” section:
The major achievements of the company count a joint development with ZeuS Tracker of a unique anti virus Shield EC, targeted at fighting banking Zbot (ZeuS) Trojan.
The cybercriminals are using two domain names to spread their rogue security software:
The two mentioned domain names are hosted on the Avalanche FastFlux botnet, which has also been used for a long time to host malicious ZeuS C&C servers.
Reference: abuse.ch FastFlux Tracker
A list of ZeuS C&C domain names hosted on the Avalanche FastFlux botnet is available on the ZeuS Tracker.
Reference: List of ZeuS domains hosted on Avalanche FastFlux botnet
Of course the ZeuS Tracker would never cooperate with any criminal organization. The promoted software is 100% rogue so please stay away from it!
A month ago, the well-known bulletproof hoster Troyak was cut off from the internet (read more). Troyak tried hard to get reconnected to the internet, but the disconnect made a lot of noise in the international press, which meant that Troyak was not able to stay connected to the World Wide Web.
But maybe you wonder why the number of active ZeuS C&Cs kept dropping after the Troyak shutdown. Let me clear this up: after the shutdown of Troyak, several other ISPs which had served as a platform for cybercriminals for months obviously came under massive pressure from their upstream providers. Many of those ISPs contacted me during the last few weeks and made a clear statement that they no longer tolerate any cybercriminals in their networks.
The good news first:
Today, a month after the Troyak shutdown, the number of active C&C servers is still at a very low level. We are now at a point where ZeuS C&C servers go offline just a few minutes after they appear on the ZeuS Tracker.
And now the bad news:
During the last few days I noticed more and more ZeuS C&C servers popping up which are hosted on a FastFlux botnet. To be precise: it’s not new that cybercriminals are hosting the infection binaries (used to infect their victims) on FastFlux botnets. What is new to me is that the cybercriminals are now also hosting their Command&Control servers (the servers which host the dropzone) on FastFlux botnets. For example:
To go along with this ‘new’ trend I decided to add a new ‘level’ to the ZeuS Tracker:
Description: Hosted on a FastFlux botnet
Whenever you see a ZeuS C&C server which is FastFlux hosted on the ZT, the ZeuS Tracker will now provide you additional information:
As you can see above, the ZeuS Tracker shows the assigned bots (IP addresses) as well as their status on Spamhaus’s XBL. Additionally, the time to live (TTL) of the A record is displayed (on FastFlux hosted domains mostly between 180 and 1800 seconds).
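As an added illustration (not the ZeuS Tracker’s own code), here is a small Python script that applies the two indicators just described, a low A-record TTL and a rotating set of bot IPs, to constructed resolution snapshots of a hypothetical C&C domain, and builds the reverse-octet query name used for a Spamhaus XBL lookup. The TTL and IP-count thresholds and the sample addresses are assumptions.

```python
from ipaddress import ip_address

# Constructed sample data (TEST-NET addresses, not real bots): three successive
# resolutions of a hypothetical FastFlux-hosted domain and one of an ordinary host.
FLUX_SNAPSHOTS = [
    {"ttl": 300, "a": ["192.0.2.10", "192.0.2.11", "198.51.100.5"]},
    {"ttl": 300, "a": ["198.51.100.5", "203.0.113.7", "203.0.113.8"]},
    {"ttl": 300, "a": ["203.0.113.8", "192.0.2.40", "198.51.100.77"]},
]
STATIC_SNAPSHOTS = [
    {"ttl": 86400, "a": ["192.0.2.1"]},
    {"ttl": 86400, "a": ["192.0.2.1"]},
    {"ttl": 86400, "a": ["192.0.2.1"]},
]


def xbl_query_name(ip: str) -> str:
    """Return the DNSBL name to resolve for an IPv4 address on Spamhaus XBL
    (octets reversed, then the zone xbl.spamhaus.org). A listed bot answers
    with a 127.0.0.x record; this function only builds the name."""
    octets = ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".xbl.spamhaus.org"


def fastflux_score(snapshots, max_ttl=1800, min_distinct=6):
    """Heuristic FastFlux check over repeated resolutions of one domain.
    Thresholds are assumptions: TTL at or below max_ttl on every answer,
    at least min_distinct distinct IPs overall, and the answer set must
    change between resolutions."""
    distinct, changes, prev = set(), 0, None
    low_ttl = all(s["ttl"] <= max_ttl for s in snapshots)
    for s in snapshots:
        cur = set(s["a"])
        distinct |= cur
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    return {
        "distinct_ips": len(distinct),
        "answer_changes": changes,
        "low_ttl": low_ttl,
        "suspicious": low_ttl and len(distinct) >= min_distinct and changes > 0,
    }


if __name__ == "__main__":
    print(fastflux_score(FLUX_SNAPSHOTS))    # suspicious: True
    print(fastflux_score(STATIC_SNAPSHOTS))  # suspicious: False
    print(xbl_query_name("192.0.2.10"))      # 10.2.0.192.xbl.spamhaus.org
```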
To get a list of ZeuS domains which are currently hosted on a FastFlux botnet you can just set a filter for “level 5” tagged domains on the ZeuS Tracker:
Currently there are just 9 domains hosted on a FastFlux botnet. But let’s see how many ZeuS C&Cs will move over to FastFlux hosting during the next few months.