ZeuS Tracker :: ZeuS blocklist

ZeuS Tracker offers various IP and domain blocklists that contain known ZeuS command-and-control (C&C) servers associated with the ZeuS crimeware. The blocklists come in several formats and serve different purposes, which are described below.

ZeuS Tracker recommends the following two blocklists for general use:

ZeuS domain blocklist (BadDomains)

Use this list if you want to block the domain names used by the ZeuS trojan. The ZeuS domain blocklist (BadDomains) is the recommended list for that purpose: it excludes domain names that ZeuS Tracker believes to be hijacked (level 2), i.e. legitimate websites that were compromised to host a C&C and still serve their legitimate content. Hence its false positive rate should be much lower than that of the standard ZeuS domain blocklist (see below).

Download: ZeuS domain blocklist (BadDomains)

ZeuS IP blocklist (BadIPs)

This blocklist only includes IPv4 addresses that are used by the ZeuS trojan. It is the recommended blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or that belong to a free web hosting provider (level 3), where a single address is shared by many unrelated sites. Hence the false positive rate should be much lower compared to the standard ZeuS IP blocklist (see below).

Download: ZeuS IP blocklist (BadIPs)

If you are looking for something specific you might want to check out the extended blocklists:

ZeuS domain blocklist (Standard)

This blocklist contains the same data as the ZeuS domain blocklist (BadDomains) but with the slight difference that it doesn't exclude hijacked websites (level 2). This means that this blocklist contains all domain names associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.

Download: ZeuS domain blocklist (Standard)

ZeuS IP blocklist (Standard)

This blocklist contains the same data as the ZeuS IP blocklist (BadIPs) but with the slight difference that it doesn't exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.

Download: ZeuS IP blocklist (Standard)

ZeuS compromised URL blocklist

This blocklist only contains compromised / hijacked websites (level 2) which are being abused by cybercriminals to host a ZeuS botnet controller. Since blocking the FQDN or IP address of a compromised host would take the legitimate site down as well and cause a lot of false positives, the ZeuS compromised URL blocklist contains the full URL to the ZeuS config, dropzone or malware binary instead of the FQDN / IP address. Note that a full-URL entry can only be enforced by a component that sees the URL, such as a web proxy or URL filter; DNS- and IP-based blocking cannot make use of it.

Download: ZeuS compromised URL blocklist

ZeuS blocklist for Squid

ZeuS Tracker also offers a ZeuS blocklist for Squid. The blocklist consists of two text files in Squid ACL format (a dstdomain list and a dst list) and can be used to block well known ZeuS C&Cs with the Squid web proxy. To implement this blocklist on your Squid proxy, add the following two lines to your Squid configuration (usually /etc/squid/squid.conf, or /etc/squid3/squid.conf on Debian-based systems that package Squid 3 as squid3):

acl zeustrackerdomain dstdomain "/etc/squid/zeus_squiddomain.acl"
acl zeustrackerip dst "/etc/squid/zeus_squidip.acl"

Afterwards you need to tell Squid to deny all traffic matching these two ACLs by adding the following two lines to your Squid configuration file. The position of these lines matters: Squid evaluates http_access rules from top to bottom and the first matching rule wins, so the deny lines must appear before any http_access allow rule that would otherwise permit the same clients (for example above http_access allow localnet). Placing them immediately before the first http_access allow line is a safe choice; putting them above http_access deny all is not enough on its own if an allow rule precedes them:

http_access deny zeustrackerdomain
http_access deny zeustrackerip

Download the ZeuS Tracker domain and IP blocklists in Squid format to /etc/squid/ under the file names referenced above, using these two hyperlinks:

Download: ZeuS domain blocklist for Squid

Download: ZeuS IP blocklist for Squid

You can check that your new Squid configuration is correct and that the two blocklist files are readable by Squid with the command sudo squid -k parse. If the command does not report any errors, reload the configuration into the running Squid with sudo squid -k reconfigure (or restart Squid, e.g. sudo /etc/init.d/squid restart). Squid should now block any traffic towards ZeuS C&C servers that are tracked by ZeuS Tracker. Since the lists change, repeat the download and reload regularly. Note also that a dstdomain entry written with a leading dot (.example.com) matches the domain and all its subdomains, while an entry without a leading dot matches that exact hostname only.
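The following script is an added example and is not part of ZeuS Tracker's page or tooling. It automates the procedure above: it downloads both Squid lists, refuses to install a file that is empty or is not a list of hostnames or IP addresses (an HTML error page served in place of the list, for instance), installs the files atomically under /etc/squid, validates the configuration with squid -k parse and reloads the running proxy with squid -k reconfigure, restoring the previous files if parsing fails. The download URLs are not shown on this page, so the script expects them in the ZEUS_DOMAIN_URL and ZEUS_IP_URL environment variables (an assumption); the ACL file names are the ones used in the configuration lines above.

```shell
#!/bin/sh
# Added example, not ZeuS Tracker's own code: fetch the two Squid ACL files,
# sanity-check them, install them atomically, validate squid.conf and reload.
# Assumptions: squid.conf references /etc/squid/zeus_squiddomain.acl and
# /etc/squid/zeus_squidip.acl (as on the page); the download URLs are supplied
# through the ZEUS_DOMAIN_URL and ZEUS_IP_URL environment variables.

ACL_DIR="${ACL_DIR:-/etc/squid}"

# Print the entry lines of a list file: CRs removed, comments and blanks dropped.
acl_entries() {
    tr -d '\r' < "$1" | grep -Ev '^[[:space:]]*(#|$)'
}

# Succeed only if FILE has at least one entry and every entry is a hostname,
# optionally with Squid's leading dot (".example.com" also matches subdomains).
check_domain_acl() {
    n=$(acl_entries "$1" | grep -c '' || true)
    [ "$n" -gt 0 ] || return 1
    # any entry that is not a hostname (e.g. a line of an HTML error page) fails
    if acl_entries "$1" | grep -Eiqv '^\.?([a-z0-9_-]+\.)+[a-z0-9_-]+$'; then
        return 1
    fi
    return 0
}

# Same check for the IP list: IPv4 addresses, optionally with a /prefix.
check_ip_acl() {
    n=$(acl_entries "$1" | grep -c '' || true)
    [ "$n" -gt 0 ] || return 1
    if acl_entries "$1" | grep -Eqv '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
        return 1
    fi
    return 0
}

# Copy the new list next to its destination and rename it into place, so Squid
# never reads a half-written file; keep the previous version for rollback.
install_acl() {
    src=$1; dst=$2
    cp "$src" "$dst.new" || return 1
    chmod 0644 "$dst.new"
    [ -f "$dst" ] && cp -p "$dst" "$dst.prev"
    mv "$dst.new" "$dst"
}

# Put the previously installed lists back (used when squid -k parse fails).
rollback() {
    for f in zeus_squiddomain.acl zeus_squidip.acl; do
        [ -f "$ACL_DIR/$f.prev" ] && mv "$ACL_DIR/$f.prev" "$ACL_DIR/$f"
    done
}

deploy() {
    : "${ZEUS_DOMAIN_URL:?set to the ZeuS domain blocklist for Squid URL}"
    : "${ZEUS_IP_URL:?set to the ZeuS IP blocklist for Squid URL}"
    work=$(mktemp -d) || exit 1
    curl -fsS -o "$work/domains" "$ZEUS_DOMAIN_URL" || { echo "domain list download failed" >&2; exit 1; }
    curl -fsS -o "$work/ips" "$ZEUS_IP_URL" || { echo "IP list download failed" >&2; exit 1; }
    check_domain_acl "$work/domains" || { echo "refusing to install: domain list is empty or malformed" >&2; exit 1; }
    check_ip_acl "$work/ips" || { echo "refusing to install: IP list is empty or malformed" >&2; exit 1; }
    install_acl "$work/domains" "$ACL_DIR/zeus_squiddomain.acl" || exit 1
    install_acl "$work/ips" "$ACL_DIR/zeus_squidip.acl" || exit 1
    rm -rf "$work"
    # squid -k parse re-reads squid.conf and the ACL files it references; only
    # reload the running Squid (-k reconfigure) if that succeeds, else roll back.
    if squid -k parse; then
        squid -k reconfigure
    else
        echo "squid -k parse failed; restoring previous lists" >&2
        rollback
        exit 1
    fi
}

# Deploy only when invoked as "deploy"; otherwise the file just defines the
# functions and does not touch the system.
case "${1:-}" in
    deploy) deploy ;;
esac
```

Run it as sh zeus-squid.sh deploy (for example from cron) with the two URL variables set; the sanity checks are what keep a transient download failure from turning into an empty or broken ACL file on the proxy.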

ZeuS Tracker Snort Rules

ZeuS Tracker also offers a Snort rule file. Snort is an open source intrusion detection system (IDS) used to detect bad / malicious traffic in your network. Download the ZeuS Tracker rule file, reference it from your Snort configuration (an include line in snort.conf pointing at the file) and restart Snort. Keep in mind that as an IDS Snort only alerts on matching traffic; it does not block it unless it is deployed inline as an IPS.

Download: abuse.ch ZeuS rule file for Snort

ZeuS IP blocklist for iptables

The IP blocklist for iptables includes all ZeuS IPs. The blocklist is a bash script which adds a DROP rule to your iptables ruleset for each well known ZeuS C&C address. Two practical caveats: rules added this way are lost on reboot unless you save the ruleset, and iptables does not deduplicate rules, so re-running the script appends a second copy of each rule unless the old ones are removed first. For a list of this size an ipset referenced by a single rule is also far more efficient than one rule per address:

Download: ZeuS IP blocklist for iptables
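As an added example (not the iptables script offered by ZeuS Tracker), the following shows the ipset alternative: it converts a ZeuS IP list into ipset restore input, loads it into a scratch set, swaps that set in so stale addresses disappear in one step, and points a single OUTPUT DROP rule at the set. The set name zeus_cnc and the input format (one IPv4 address or CIDR network per line, # comments) are assumptions.

```shell
#!/bin/sh
# Added example, not ZeuS Tracker's iptables script: load a ZeuS IP list into
# an ipset and drop outbound traffic to it with one iptables rule.
# Assumed input: one IPv4 address or CIDR network per line, "#" comments.
# Assumed set name: zeus_cnc (override with SET_NAME=...).

SET_NAME="${SET_NAME:-zeus_cnc}"

# Emit "ipset restore" input that fills set NAME from FILE. Comment, blank and
# malformed lines are skipped so one bad line cannot abort the whole restore;
# -exist makes the create/add commands idempotent on reruns.
ipset_restore_input() {
    file=$1; name=$2
    echo "create $name hash:net -exist"
    echo "flush $name"
    tr -d '\r' < "$file" \
        | grep -Ev '^[[:space:]]*(#|$)' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
        | awk -v s="$name" '{ print "add " s " " $1 " -exist" }'
}

# Number of addresses that would be loaded from FILE: a sanity check before
# touching the firewall, since zero means the download was not a list.
ipset_entry_count() {
    ipset_restore_input "$1" x | grep -c '^add ' || true
}

# Build the new contents in a scratch set, then swap it with the live set: the
# replacement is atomic and addresses no longer listed are gone afterwards.
apply_blocklist() {
    file=$1
    [ "$(ipset_entry_count "$file")" -gt 0 ] || { echo "$file contains no addresses" >&2; return 1; }
    ipset_restore_input "$file" "${SET_NAME}_new" | ipset restore || return 1
    ipset create "$SET_NAME" hash:net -exist || return 1
    ipset swap "${SET_NAME}_new" "$SET_NAME" || return 1
    ipset destroy "${SET_NAME}_new"
    # exactly one rule references the set; iptables -C tests whether it exists
    if ! iptables -C OUTPUT -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null; then
        iptables -I OUTPUT -m set --match-set "$SET_NAME" dst -j DROP
    fi
}

# Apply only when invoked as "apply FILE"; otherwise just define the functions.
case "${1:-}" in
    apply) apply_blocklist "${2:?path to the ZeuS IP blocklist}" ;;
esac
```

Like the original script, this does not survive a reboot by itself; persist the set with ipset save and the rule with your distribution's iptables save mechanism, or re-run it at boot.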

ZeuS domain blocklist for Windows (Hosts-File)

The domain blocklist for Windows includes all ZeuS domains. The blocklist is a text file in the Windows hosts-file format (%SystemRoot%\System32\drivers\etc\hosts) which points the ZeuS domains to localhost (127.0.0.1). A hosts-file entry matches that exact hostname only (not its subdomains) and affects name resolution on the machine it is installed on; connections made directly to an IP address are unaffected:

Download: ZeuS domain blocklist for Windows (hosts file)

ZeuS combined blocklist for unix (hosts.deny)

The combined blocklist for Unix can be copied to /etc/hosts.deny. Be aware of what this does and does not block: /etc/hosts.deny is read by TCP Wrappers, which only controls inbound connections to services linked against libwrap or started via tcpd, so it keeps ZeuS C&C addresses from connecting to such services on your host but does not stop outbound traffic from an infected machine to a C&C server:

Download: ZeuS combined blocklist for Unix (hosts.deny)

Downloading IP- and domain blocklist via HTTP

If you have trouble downloading the blocklist via HTTPS you can also use the HTTP download. These are the standard blocklists, which might cause some false positives. Keep in mind that a plain HTTP download has no transport integrity (anyone on the path can alter the list you receive), so use it only as a fallback.

Download: ZeuS domain blocklist using HTTP

Download: ZeuS IP blocklist using HTTP