
Zeus takeover leaves undead remains

Some of you may be aware that Microsoft went after a group of botnets this week. These botnets were built with the well-known Zeus toolkit, and the action was part of the so-called Operation B-71.

When I heard this news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting most of this malware and protecting our customers from it.

One thing caught my attention during this investigation: one botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its CnCs.

Recently, this botnet has been seen communicating like this:

POST /config.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: stockli.us
Content-Length: 56

Since January 2012 we have observed around 156 different CnC domains actively used by this botnet. As part of Operation B-71, Microsoft took over most of these CnCs.

Here is the status of these CnC domains at the time of writing, March 29, 2012.


Active/alive domains = 3
Domain and IP are both alive and zombies are getting commands.
List: isdfsrttyqza.c0m.li, mylemain.com and stockli.us

Dead domains = 2
These two domains no longer resolve to any IP address.
List: updater.vpsq.net and zkhfwie2.com

Abandoned domains = 4
These domains still resolve to an active A record, but the CnC component is no longer active.
List: 9iy.ru, ecommerceone.ru, enroll.hess.com and reflectivelayer.com

Domains under MS control = 147
These domains are sinkholed and point to two MS-owned IP addresses, 199.2.137.141 and 207.46.90.178.
List: achyroransib.co, achyroransib.com, amersterin.co, amersterin.com, ...
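The four buckets above (active, dead, abandoned, sinkholed) are a decision procedure a defender can automate: resolve the domain, compare the address against the known sinkhole list, then probe whether the CnC component still answers. The script below, added here as an illustration and not FireEye's or Microsoft's code, implements that triage and also pulls the Host out of a request shaped like the beacon shown earlier so a captured POST can be mapped to its domain's status. The sinkhole addresses are the two from this post; the DNS answers, the probe results and the non-sinkhole IPs (documentation ranges) are constructed so the example runs offline. In practice `resolve` and `cnc_alive` would be replaced with a real DNS lookup and a passive or sandboxed check.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Microsoft sinkhole addresses as given in the post.
MS_SINKHOLE_IPS = frozenset({"199.2.137.141", "207.46.90.178"})

# Constructed stand-ins for a live DNS lookup and a CnC probe so the example
# runs offline. Non-sinkhole addresses are documentation ranges, not real.
SAMPLE_A_RECORDS: Dict[str, Optional[str]] = {
    "stockli.us": "203.0.113.10",
    "mylemain.com": "203.0.113.11",
    "updater.vpsq.net": None,             # no A record at all
    "zkhfwie2.com": None,
    "9iy.ru": "198.51.100.5",
    "reflectivelayer.com": "198.51.100.6",
    "achyroransib.com": "199.2.137.141",  # resolves to a sinkhole
    "amersterin.co": "207.46.90.178",
}
# Domains whose CnC component still answers a probe (constructed).
SAMPLE_CNC_ANSWERS = frozenset({"stockli.us", "mylemain.com"})

# A request in the shape shown in the post, with a constructed body.
SAMPLE_BEACON = (
    "POST /config.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Host: stockli.us\r\n"
    "Content-Length: 56\r\n"
    "\r\n" + "x" * 56
)

REQUEST_LINE = re.compile(r"^POST /config\.php HTTP/1\.[01]$")


def beacon_host(raw: str) -> Optional[str]:
    """Return the Host header of a request matching the beacon shape, else None.

    Path, method and content type alone are a weak signal (benign software
    posts to config.php too), so callers should combine the host with a CnC
    list, as beacon_status() does below.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return None
    return headers.get("host")


def classify(domain, resolve, cnc_alive, sinkholes=MS_SINKHOLE_IPS) -> str:
    """Place one domain into the post's four buckets."""
    ip = resolve(domain)
    if ip is None:
        return "dead"         # no A record
    if ip in sinkholes:
        return "sinkholed"    # resolves, but to a known sinkhole
    if cnc_alive(domain):
        return "active"       # resolves and the CnC still answers
    return "abandoned"        # resolves, but nothing listens


def triage(domains, resolve, cnc_alive) -> Dict[str, str]:
    """Classify every domain in an iterable of CnC names."""
    return {d: classify(d, resolve, cnc_alive) for d in domains}


def summarize(status: Dict[str, str]) -> Counter:
    """Count domains per bucket, matching the totals in the post's table."""
    return Counter(status.values())


def beacon_status(raw, known_cncs, resolve, cnc_alive) -> Optional[str]:
    """If the captured request is a beacon to a known CnC, report its status."""
    host = beacon_host(raw)
    if host is None or host not in known_cncs:
        return None
    return classify(host, resolve, cnc_alive)


if __name__ == "__main__":
    status = triage(SAMPLE_A_RECORDS, SAMPLE_A_RECORDS.get, SAMPLE_CNC_ANSWERS.__contains__)
    for domain, bucket in sorted(status.items(), key=lambda kv: kv[1]):
        print(f"{bucket:10} {domain}")
    print(dict(summarize(status)))
    print(beacon_status(SAMPLE_BEACON, SAMPLE_A_RECORDS,
                        SAMPLE_A_RECORDS.get, SAMPLE_CNC_ANSWERS.__contains__))
```

The ordering of the checks matters: a sinkholed domain also "resolves", so the sinkhole test has to come before the liveness probe, otherwise a sinkhole that happens to answer HTTP would be counted as an active CnC.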


I am not sure why the MS Digital Crimes Unit has not been able to sinkhole all the CnC domains. Their main concern should be the three active domains. Until these domains are completely taken down, this botnet cannot be officially declared dead.

I hope MS will take over these leftover domains soon and put the last nail in the coffin.


2 thoughts on “Zeus takeover leaves undead remains”

  1. I think it’s awesome that Microsoft has taken such a hard line against botnets. It seems like something that should be in the hands of the government, but they’ll never get going on it. Good on Microsoft for taking the initiative.
