One year ago, on the 2nd of February 2009, ZeuS Tracker was born (Introducing: abuse.ch ZeuS Tracker BETA). Today ZeuS Tracker looks back to a very successful year and I would like to use this event to write some words about ZeuS Tracker.
During the last year, ZeuS Tracker has tracked more then 2’800 malicious ZeuS C&C servers. The ZeuS Tracker has captured more then 360MB ZeuS config files and 330MB binaries.
First of all let me say that the success story of ZeuS Tracker was made possible by you. You, the readers of my blog as well as the contributors of ZeuS Tracker are the heros. Your effort, your avertising by word-of-mouth, your submission of new (unknown) ZeuS C&C servers to ZeuS Tracker, your support, this is what allowed ZeuS Tracker to gain so much attention and success. During this year, I’ve recevied hundreds of emails with constructive feedback, questions and offers by people who wanted to contribute their work. Thank you!
When ZeuS Tracker was started last year, the ZeuS C&C servers which where listed on it were online for dozens of days (and even for months). Today, a year later, there are a lot of CERTs, registrars and ISPs following one of the ZeuS Tracker RSS feeds to quickly take down new ZeuS C&Cs as soon as they get listed on ZeuS Tracker. Nowadays new C&C servers are very often shut down only a few minutes after their appearing on ZeuS Tracker. In this way ZeuS Tracker (and the resoponsible ISPs, Registrars and CERTs) are taking a considerable effort and make the internet a safer place. Special thanks to all the ISPs, Registrars and CERTs around the world which are helping to shut down malicious ZeuS C&C servers quickly!
The ZeuS Tracker project would not be possible without the help of a handful organisations and people which are sharing information and providing ZeuS Tracker a home. So I decided to make a small “Hall of honor” for all of those.
Hall of honor
Time is come to say thank you to all which are supporting ZeuS Tracker. Special thank goes to…
|…for giving ZeuS Tracker a home
||… for providing the MHR to ZeuS Tracker
|…for providing Anubis to ZeuS Tracker
||… for providing samples to ZeuS Tracker
|…for providing samples to ZeuS Tracker
Additionally I would like to thank Malwaredomainlist (MDL) and MalwareURL for their cooperation in sharing malicious ZeuS C&C servers.
During this year I received several queries asking for permission to integrate ZeuS Tracker information into commercial products. This was a very difficult decision for me to make and I considered the pros and cons of this for a considerable time. Finally I decided to allow the commercial use of ZeuS tracker blocklists to a few companies: My intention with ZeuS tracker was always to protect as many internet users as possible from becoming victims of identity theft. The fact that the use of ZeuS Tracker IP and domain blocklist in wide-used security products will decrease the number of victims of identity theft convinced me that this approach comes closest to my intentions. But the ZeuS Tracker information itself will always be provided free to everybody.
I’ve recived a handfull emails concerning a commercial use of the ZeuS Tracker IP- and domain blocklist in security products. So I had to made a leading decission. I’ve to say, that it was really hard for me to decide, but finally I came to the decission that I allow the commercial use of ZeuS Tracker blocklist to a handfull companies. Let me explain you why: my goal was always to protect as much internet users as possible from getting victim of identity theft (This was also the reason why I released ZeuS Tracker Blocklist). I came to this decisioin due to the fact, that the use of ZeuS Tracker IP and domain blocklist in wide-used security products will decrease the number of victims of identity theft.
Below a list of organisation / sites which are using ZeuS Tracker in their services/products:
* Used in their commercial products
As you might have noticed, ZeuS Tracker is now providing the ZeuS Tracker blocklist to SURBL. So every mailserver which is using SURBL in their spamfilter now automatically benefits from ZeuS Tracker domain block list.
Last but not least there are dozens of companies, universities and governmental organisations which are using the ZeuS Tracker blocklist to protect their users.
During the last few months several new features were added to ZeuS Tracker. Some of them are already public for a few months (but were never announced officially) and others have been finally launched today:
Anubis reports for binaries
The ZeuS Tracker is now providing you a Anubis report (Analyzing Uknown Binaries) for every binary which is in ZeuS Tracker. For those of you who don’t know anubis:
[…] Anubis is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of Anubis results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary. […]
Each binary on ZeuS Tracker has now a link to the associated Anubis report on anubis.iseclab.org. The benefit of the anubis reports is that it shows you several interesting information about the binary. For this purpose Anubis executes the binary in an emulated enviroment and traces the changes which the binary made to the computer. For example this include the changes made to the file system and windows registry as well as recording the network activities which the binaries makes while and after its execution.
I’ve added a namserver lookup functionality to the ZeuS Tracker cron script which now looks up the responsible nameservers of the ZeuS C&C domains which are listed in ZeuS Tracker (of course that’s just used for the ZeuS domains and not the IP addresses).
If you click on a domain which is on ZeuS Tracker it displays automatically the responsible nameserver. The text is a hyperlink, so when you click on it you will get a list of ZeuS C&C domains which are using the same nameserver(s). There is also a interessting break down of the top twenty nameservers used by ZeuS C&C servers on the ZeuS Tracker statistic page.
The goal of this new features is to provide the ISPs, CERTs and LEs (law enforcement) a better overview to the current hot spots. Additionally a nameserver-provider can now easily get a list of malicious ZeuS domains which he is responsible for and can take action agains the threat.
Additionally to the nameserver lookup function the ZeuS Tracker cron script now also looks up the sponsoring domain registrar of a ZeuS C&C domain. Unfortunately it’s not as easy to get the sponsoring registrar of a domain. Therefore this feature is not available for all domains which are listed in ZeuS Tracker (approximately only 70%-80% of the domains which are on ZeuS Tracker currently are showing up the sponsoring domain registrar).
If you click on a domain which is on ZeuS Tracker it displays automatically the sponsoring registrars. The sponsoring registrar is a hyperlink, so when you click on it you will get a list of ZeuS domains which are also registered thru the same sponsoring registrar. There is also a interessting break down of the top ten sponsoring registrars on the ZeuS Tracker statistic page.
The benefit of this features is the same as for the responsible nameservers: Providing a collection of information for the responsible ISPs and CERTs as well as for the LEs (law enforcement).
NEW! ZeuS Tracker DNS Service (ZTDNS)
Another new feature is the ZeuS Tracker DNS Service (ZTDNS). First of all: What you definitly should NOT do is to use ZeuS Tracker DNS Service at a Email gateway. The service has been designed to be used by security experts and IT professionals to look up a domain on ZeuS Tracker quickly and NOT for mail cleaning.
The service works similar to a normal DNS blackhole list (DNSBL): You can check an IP address or a Domain name against the ZeuS Tracker DNS Service. If the IP address/domain is listed on ZeuS Tracker, you will get a positive response from the DNS daemon. You can request an A or TXT record. There are two DNS zones available:
- ipbl.zeustracker.abuse.ch (used to check a IP address against the ZT IP blocklist)
- uribl.zeustracker.abuse.ch (used to check a domain name against the ZT URL blocklist)
Requesting the A record will just return you the information whether a IP/domain is listed on ZeuS Tracker or not while the TXT record shows up more information like SBL status, country code, AS number etc.
Before you’re going to start using ZeuS Tracker DNS Service please be sure that you read the ZTDNS page.
I’ve been asked for a domain history. Here it is: With the new domain-history feature it is now possible to take a look at the history of a ZeuS domain listed on ZeuS Tracker. It shows up the latest IPs that have hosted the domain before. This additional information can be quite interessting.
NEW! Binary & Config-file history
Additionally to the domain history feature I’ve added a history-function for the binaries and config files on ZeuS Tracker. When the MD5 of a binary or a config file changes it will be archived and added to the binary- or config-history. So you are now able to see how often a binary or config file on a specified ZeuS C&C rotates and if the file was already seen on other ZeuS C&Cs before.
Beside the new features some minor changes were made to ZeuS Tracker:
- You can now sort the ZT monitor page by lastupdated
- I’ve revised ZT’s statistic page. There are now some nice graphics which shows you some interesting statistics about the ZeuS crimeware
- A handful small changes on the ZeuS Tracker startpage
- You can download all ZeuS configs or binaries packed in a zip file (see FAQ)
Well there are still a few things left to do on ZeuS Tracker:
- Creating a RSS feed for domain registrars
- Creating a RSS feed for nameservers
Certainly, if you have some good ideas or feature requests don’t hesitate to drop me a line (contact form).