ZeuS Tracker :: FAQ

What is abuse.ch ZeuS Tracker?

ZeuS Tracker provides you the possiblity to track ZeuS Command&Control servers (C&C) and malicious hosts which are hosting ZeuS files. ZeuS tracker captures and tracks ZeuS hosts aswell as the associated config files, binaries and dropezones. The main focus is to provide system administrators the possiblity to block well-known ZeuS hosts and to avoid and detect ZeuS infections in their networks. For this purpose, ZeuS Tracker offers several blocklists (see ZeuS blocklist). Additionally, ZeuS Tracker should help CERTs, ISPs and LEAs (law enforcement) to track malicious ZeuS hosts in their network / country. To do so, ZeuS Tracker serves RSS feeds that allows you to track ZeuS hosts in a specific country or AS (see section "Is there a RSS feed available?").

What is ZeuS?

ZeuS (also known as Zbot / WSNPoem) is a crimeware kit, which steals credentials from various online services like social networks, online banking accounts, ftp accounts, email accounts and other (phishing). The web admin panel can be bought for 700$ (source: RSA Security 4/21/2008) and the exe builder for 4'000$ (source: Prevx 3/15/2009).

The crimeware kit contains the following modules:

Normaly, a ZeuS host consists of three componets / URIs:

Some features of ZeuS are:

Normaly the trojan is located on the system at:

Variant 1

File Description
C:\WINDOWS\system32\ntos.exe Trojan binary
C:\WINDOWS\system32\wsnpoem\audio.dll Contains the stolen data
C:\WINDOWS\system32\wsnpoem\video.dll Contains the encrypted config

Variant 2

File Description
C:\WINDOWS\system32\oembios.exe Trojan binary
C:\WINDOWS\system32\sysproc64\sysproc86.sys Contains the stolen data
C:\WINDOWS\system32\sysproc64\sysproc32.sys Contains the encrypted config

Variant 3

File Description
C:\WINDOWS\system32\twext.exe Trojan binary
C:\WINDOWS\system32\twain_32\local.ds Contains the stolen data
C:\WINDOWS\system32\twain_32\user.ds Contains the encrypted config

Variant 4

File Description
C:\WINDOWS\system32\sdra64.exe Trojan binary
C:\WINDOWS\system32\lowsec\local.ds Contains the stolen data
C:\WINDOWS\system32\lowsec\user.ds Contains the encrypted config

The Zeus Config file

The cybercriminal is able to define the "targets" of his phishing attack by him self using a config file which is applied to the infected computer (bot). A decrypted config file can look like this:

<Msg ID=20002 URLLastBinary FileLen=33 RealLen=33 Type='Uncompressed'>
http://evilzeusdomain.ru/zs/ldr.exe (Latest trojan binary)
<Msg ID=20003 URLServer0 FileLen=29 RealLen=29 Type='Uncompressed'>
http://evilzeusdomain.ru/zs/s.php (Dropzone)
<Msg ID=20004 URLAdvServers FileLen=37 RealLen=37 Type='Uncompressed'>
http://evilzeusdomain.ru/zs/cfg.bin (Latest config file [encrypted])
<Msg ID=20006 HTTPBotlogFilter FileLen=153 RealLen=188 Type='Compressed'> (Watching for the URLs below)

<Msg ID=20008 HTTPFakesList FileLen=621 RealLen=1974 Type='Compressed'> (Fake / redirect the URLs below)


Currently there are two versions of the ZeuS config file out there:

Version 1

Config file is scrambled (not encrypted!). If you know the algorithm, you can descramble ALL config files which are v1. There is already a plublic tool available to descramble v1 config files.

Version 2

Config file is encrypted. Each ZeuS installation has its own key defined by the botnet master to decrypt the config file . If you have the ZeuS binary, it is possible to extract the key in order to decrypt associated v2 config files. No public tool available.

For more information about ZeuS:

How to get infected?

The ZeuS trojan spreads on email as well via drive-by infections (using toolkits like LuckySploit, El fiesta and so on). It's the decision of the cybercriminal how he would like to distribute the binary.

What is the ZeuS blocklist?

The ZeuS blocklist lists all ZeuS Command&Control servers (C&Cs) which are currently being tracked by ZeuS Tracker. Additionally, the domains and IPs are included in the Malware Domain List (MDL).

Note: ZeuS C&Cs which are on the ZeuS Tracker Removal List are not included in the ZeuS blocklist!

How to submit a ZeuS C&C to the ZeuS Tracker?

New submissions are welcome. Please submit new ZeuS hosts using this form.

Is there a RSS feed available?

Sure! There are various RSS feeds available. You can also subscribe a RSS feed for a special AS or country. Just take a look at the RSS feeds page.

What is MHR?

When you take a look at the monitoring page and the ZeuS statistics you will come accross MHR.
MHR is the abbreviation for Malware Hash Registry. It's a free service provided by Team-Cymru. You can look up MD5-hashes on MHR and it will return you the AV detection rate in percent (if the MD5 hash is known on MHR). ZeuS Tracker is using this service to provide you the AV detection rate. For more information take a look at team-cymru.org.

I'm blacklisted! How can I remove my host from the ZeuS blocklist?

If your IP address or domain name is listed on the ZeuS blocklist, you can request removal by contacting the administrator here. The removal request will be reviewed before the domain / IP will be removed from the list. Note: If there is a Spamhaus SBL Advisory concerning your network / IP address, please be sure that the SBL listing will be removed befor you request removal.

Where can I download all ZeuS binaries and configs which are in the Tracker?

You have the possibility to download a compressed ZIP-file that contains all ZeuS binaries and configs which are known to ZeuS Tracker.

WARNING: The ZIP-file is NOT password protected! (download binaries | download configs).

Where can I get more information about ZeuS?

Something else?

You like the abuse.ch ZeuS Tracker? Feel free to make a donation for this project: