ZeuS Tracker :: Statistic

Here are some statistics about the ZeuS crimeware. Note: You need the Adobe Flash player to view the statistics.

# of active ZeuS files (last 60 days)

Hosting Statistic (# of Hosts per Level)

Spamhaus SBL Statistic

Top ten ZeuS hosting ISPs (by number of ZeuS C&Cs)

ZeuS C&C count | AS number | AS name
24 | 54489 | CORESPACE-DAL - CoreSpace, Inc.
12 | 26496 | PAH-INC - GoDaddy.com, Inc.
9 | 36874 | CA2-AS
7 | 16276 | OVH OVH
7 | 24940 | HETZNER-AS Hetzner Online AG RZ
7 | 45538 | ODS-AS-VN Online data services
6 | 60781 | LEASEWEB-NL LeaseWeb B.V.,NL
5 | 31624 | VFMNL-AS Verza Facility Management
5 | 33182 | DIMENOC---HOSTDIME - HostDime.com,
5 | 58001 | IDEALSOLUTION-AS Ideal Solution Ltd

Top ten ZeuS hosting ISPs (with files online)

ZeuS C&C count | AS number | AS name
2 | 54489 | CORESPACE-DAL - CoreSpace, Inc
1 | 8167 | TELESC - Telecomunicacoes de S
1 | 15244 | ADDD2NET-COM-INC-DBA-LUNARPAGE
1 | 24085 | QTSC-AS-VN Quang Trung Softwar
1 | 29468 | INFRACOM Infracom AB
1 | 36024 | COLO4-CO - Colo4, LLC
1 | 46606 | BLUEHOST-AS-2 - Bluehost Inc.
1 | 55803 | DIGITALPACIFIC-AU Digital Paci

Top ten ZeuS hosting IPs (by domains)


Top ten ZeuS hosting IPs (with files online)


Top ten Registrars (by Domains)

Domain count | Registrar
29 | REGRU-RU
27 | ENOM, INC.
24 | GODADDY.COM, LLC
16 | R01-RU
16 | REGTIME-RU
14 | Namecheap
8 | R01-REG-FID
8 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY
7 | GoDaddy.com, LLC (R91-LROR)
7 | DOMAIN.COM, LLC

Top ten Registrars (with files online)

Domain count | Registrar
1 | PAKNIC (PRIVATE) LIMITED
1 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
1 | Todaynic.com, Inc. (R1316-LROR)
1 | MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLD
1 | SE Direkt
1 | RU-CENTER-PP-RU
1 | NEUBOX INTERNET SA DE CV

Top twenty Nameservers (by domains)


Top twenty Nameservers (with files online)


Top ten ZeuS hosting countries (by ZeuS hosts)

ZeuS C&C count | Country
109 | United States (US)
27 | Russian Federation (RU)
25 | Netherlands (NL)
16 | Germany (DE)
16 | Ukraine (UA)
11 | Romania (RO)
11 | South Africa (ZA)
10 | Vietnam (VN)
10 | Canada (CA)
9 | Thailand (TH)

Top ten ZeuS hosting countries (with files online)

ZeuS C&C count | Country
7 | United States (US)
1 | Australia (AU)
1 | Brazil (BR)
1 | Sweden (SE)
1 | Vietnam (VN)

Top ten config hash


Top ten binary hash


High Antivirus detection rate


Low Antivirus detection rate


Top ten worst ZeuS C&Cs (by uptime)


Top ten worst ZeuS C&Cs (by files online)


Top changed binaries (by different MD5)


Top changed config files (by different MD5)


Antivirus detection rate

% | # of ZeuS Binaries
100% | 66
90% | 871
80% | 752
70% | 565
60% | 601
50% | 834
40% | 753
30% | 1024
20% | 1655
10% | 1325
0% | 769

ZeuS Config File Versions

Version# of URLsdistinct hashes (files)
CFG v100
CFG v2630623
Unknown00

Builder Version

# of ZeuS Configs | Builder Version
3975 | 2.0.8.9
2107 | 2.1.0.1
968 | 2.0.7.0
318 | 2.1.0.10
223 | 1.2.7.19
214 | 1.2.6.0
134 | 1.2.5.0
113 | 2.0.9.0
83 | 2.0.8.1
81 | 1.3.5.1
69 | 1.2.10.1
66 | 1.3.1.1
40 | 1.2.7.11
39 | 1.3.4.5
35 | 1.2.7.0
34 | 2.0.8.0
32 | 1.3.2.1

Average binary file size: 186'083 bytes
Average config file size: 58'915 bytes

Binaries submitted to Anubis: 9'226
Unsubmitted binaries: 0

Average binary Antivirus detection rate [MHR]: 42.99%
Average binary Antivirus detection rate [Virustotal]: 40.08%
Number of unique binaries (MD5) currently NOT known to the Malware Hash Registry (MHR): 8'137
Number of unique binaries (MD5) currently NOT known to Virustotal (VT): 11

For more information about the Malware Hash Registry (MHR), take a look at team-cymru.org.