Today The Spamhaus Project, a well known non-profit organisation fighting cybercrime in the internet, released a new list called “Spamhaus Botnet C&C List” (BGPCC) which is implemented at the router level using the Border Gateway Protocol (BGP). I’m proud to announce that the newly launched list also contains data provided by ZeuS Tracker and SpyEye Tracker.
The list is described on Spamhaus website as follow:
The Spamhaus Botnet Command and Control (C&C) list is an advisory “drop all traffic” list consisting of single IPv4 addresses. The feed does not contain any subnets or CIDR prefixes longer than /32. The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes so that the malware on the bots can transfer stolen data to the C&C node for delivery to the botnet’s owner, and to obtain instructions for what they are to do next. Once a botnet contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.
As soon as ZeuS- or SpyEye Tracker identifies a new botnet C&C, information will be sent to Spamhaus automatically which will result in a listing on Spamhaus Botnet C&C list within a few minutes. In fact this means that networks using this list are protected from malicious botnet traffic from/to botnet controllers listed on ZeuS- or SpyEye Tracker automatically and without any delay.
By providing Tracker data to Spamhaus, abuse.ch continues its fight against cybercrime and bad actors on the internet.
If you are an ISP or network provider you might want to have a look at the Spamhaus BGP feed.
*** Further reading ***
It’s now more than one and a half year ago, when I’ve published ZeuS Tracker.
During the last few weeks SpyEye (a Crimeware kit like ZeuS) has obtained a lot of media attention. In October 2010 it came out that ZeuS merges with SpyEye. There has been a lot of speculations on this topic and it looks like that after the recent ZeuS arrests (see link one / link two) it got to hot for the author of the ZeuS Crimeware so he decided to stop developing and selling the ZeuS Crimeware Kit. Additionally the ZeuS Author has passed the source code of the ZeuS Trojan over to the SpyEye author.
So what does that mean for the Security Community? Personally I think there are two scenarios:
- SpyEye will become the new super banking trojan
- Even if ZeuS is dead it will stay as a rival of SpyEye and the cybercriminals won’t stop using it as long as ZeuS works well
From what I’ve seen and heard during the past days I think most likely ZeuS will stay at the top of the most used Crimeware kits aswell as stay as a rival of SpyEye. But that doesn’t matter anyway: To stay on the secure side I’ve decided to do some effort that SpyEye will not get the next ‘ZeuS’ Trojan. My goal is to put SpyEye into the spotlight before it becomes a ‘big’ threat like ZeuS was in the past (in the bloom time ZeuS Tracker has tracked over 200 active ZeuS C&Cs). To reach this goal I’ve developed another tracking system for ISPs, CERTs and law enforcement. Introducing: SpyEye Tracker.
*** Some words about SpyEye Tracker ***
There isn’t a really big difference between SpyEye Tracker and ZeuS Tracker. As a side note please let me mention that not all features which are available on ZeuS Tracker are yet implemented on SpyEye Tracker at this time. I will try to fix the missing features during the next few weeks.
What is new on SpyEye Tracker is the news section where I’ve planned to publish a new post whenever I make a change to the SpyEye Tracker.
If you have any question please don’t hesitate to drop me a line using the contact form.
You can also follow abuse.ch on Twitter: twitter.com/abuse_ch
*** Further links ***