ZeuS Tracker offers various IP- and domain-blocklists that contain known ZeuS Command&Control servers (C&C) associated with the ZeuS crimeware. ZeuS Tracker offers blocklists in various formats and for different purposes, which are described below.
ZeuS Tracker recommends the following two blocklists (recommended blocklists):
If you want to block domain names used by the ZeuS trojan, you should use this list. The ZeuS domain blocklist (BadDomains) is the recommended blocklist if you want to block only ZeuS domain names. It excludes domain names that ZeuS Tracker believes to be hijacked (level 2). Hence the false positive rate should be much lower compared to the standard ZeuS domain blocklist (see below).
This blocklist only includes IPv4 addresses that are used by the ZeuS trojan. It is the recommended blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or to belong to a free web hosting provider (level 3). Hence the false positive rate should be much lower compared to the standard ZeuS IP blocklist (see below).
If you are looking for something specific you might want to check out the extended blocklists:
This blocklist contains the same data as the ZeuS domain blocklist (BadDomains) but with the slight difference that it doesn't exclude hijacked websites (level 2). This means that this blocklist contains all domain names associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.
This blocklist contains the same data as the ZeuS IP blocklist (BadIPs) but with the slight difference that it doesn't exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.
This blocklist only contains compromised / hijacked websites (level 2) which are being abused by cybercriminals to host a ZeuS botnet controller. Since blocking the FQDN or IP address of a compromised host would cause a lot of false positives, the ZeuS compromised URL blocklist contains the full URL to the ZeuS config, dropzone or malware binary instead of the FQDN / IP address.
ZeuS Tracker also offers a ZeuS blocklist for Squid. The blocklist is a text file in the Squid format and can be used to block well known ZeuS C&Cs using the Squid webproxy. To implement this blocklist on your Squid proxy, you need to add the following two lines to your Squid configuration (usually located at /etc/squid/squid.conf or for newer Squid versions /etc/squid3/squid.conf):
acl zeustrackerdomain dstdomain "/etc/squid/zeus_squiddomain.acl"
acl zeustrackerip dst "/etc/squid/zeus_squidip.acl"
Afterwards you will need to tell Squid to block all traffic matching these two ACL rules. You can do that by adding the following two lines to your Squid configuration file. Please note that it is essential that you put those two lines in the correct place in your Squid configuration, because http_access rules are evaluated in order and the first match wins. If you are unsure where you have to put those two lines, please add them above http_access deny all:
http_access deny zeustrackerdomain
http_access deny zeustrackerip
You will need to download the ZeuS Tracker IP and domain blocklist in the squid format to /etc/squid/ using these two hyperlinks:
You can check if your new Squid configuration is correct and the two blocklists are readable by Squid using the command sudo squid -k parse. If the command doesn't report any errors you can now restart Squid to reload the Squid configuration (sudo /etc/init.d/squid restart). Squid should now block any traffic towards ZeuS C&C servers that are tracked by ZeuS Tracker.
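Before running sudo squid -k parse it is worth checking that the two downloaded .acl files actually contain blocklist entries and nothing else. The following shell snippet is an added example, not ZeuS Tracker's own tooling; it validates the IP and domain files (constructed sample content is embedded in place of the real downloads) and refuses a file that is empty or contains anything that is not an IPv4 address or a dstdomain entry.

```shell
# Added example, not ZeuS Tracker's own tooling: sanity-check the two Squid
# blocklist files before `squid -k parse` and the restart, so a truncated
# download or an HTML error page saved as .acl never reaches the proxy config.
# Assumed layout: one entry per line, '#' comments and blank lines, CRLF ok.

# count_valid_ips [FILE]: prints the number of IPv4 entries in FILE (or stdin);
# exit 1 if an entry is not a dotted quad with octets 0-255, or no entries.
count_valid_ips() {
  awk '
    { sub(/\r$/, "") }                          # tolerate CRLF downloads
    /^[[:space:]]*(#|$)/ { next }               # skip comments and blank lines
    {
      ok = (split($0, o, ".") == 4)
      for (i = 1; ok && i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (ok) good++
      else { bad++; print "malformed IP entry: " $0 > "/dev/stderr" }
    }
    END { print good + 0; exit (bad > 0 || good == 0) }' "$@"
}

# count_valid_domains [FILE]: same for dstdomain entries; a leading "." is the
# Squid wildcard covering the domain and all of its subdomains.
count_valid_domains() {
  awk '
    { sub(/\r$/, "") }
    /^[[:space:]]*(#|$)/ { next }
    {
      if ($0 ~ /^\.?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$/) good++
      else { bad++; print "malformed domain entry: " $0 > "/dev/stderr" }
    }
    END { print good + 0; exit (bad > 0 || good == 0) }' "$@"
}

# Constructed sample content standing in for the two downloaded files.
SAMPLE_IPS='# ZeuS Tracker Squid IP blocklist (constructed sample)
192.0.2.10
198.51.100.7
'
SAMPLE_DOMAINS='.zeus-cnc.example
panel.example.org
'

# check_blocklists: both checks on the samples; returns 1 when either is unusable.
check_blocklists() {
  ips=$(printf '%s' "$SAMPLE_IPS" | count_valid_ips) || return 1
  doms=$(printf '%s' "$SAMPLE_DOMAINS" | count_valid_domains) || return 1
  echo "IP entries: $ips, domain entries: $doms"
}
```

On a live proxy, run the same functions against the real files (count_valid_ips /etc/squid/zeus_squidip.acl && count_valid_domains /etc/squid/zeus_squiddomain.acl) and only then proceed to sudo squid -k parse and the restart.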
ZeuS Tracker also offers a Snort rule file. Snort is an Open Source Intrusion Detection System (IDS) used to detect bad / malicious traffic in your network. You can simply download and add the ZeuS Tracker rule file to your Snort configuration and you should be ready to go.
The IP blocklist for iptables includes all ZeuS IPs. The blocklist is a bash script which will add a DROP rule to your iptables to drop traffic to well known ZeuS C&Cs:
The domain blocklist for Windows includes all ZeuS domains. The blocklist is a text file in the Windows Host-file format which points the ZeuS domains to localhost (127.0.0.1):
The combined blocklist for Unix can be copied to /etc/hosts.deny to block bad traffic from/to ZeuS C&C servers:
If you have trouble downloading the blocklist via HTTPS you can also use the HTTP download. These are the standard blocklists, which might cause some false positives.