ZeuS Tracker :: Statistic

Here are some statistics about the ZeuS crimeware. Note: You need the Adobe Flash player to view the statistics.

# of active ZeuS files (last 60 days)

Hosting Statistic (# of Hosts per Level)

Spamhaus SBL Statistic

Top ten ZeuS hosting ISPs (by number of ZeuS C&Cs)

| ZeuS C&C count | AS number | AS name |
|---|---|---|
| 10 | 20473 | AS-CHOOPA - Choopa, LLC |
| 10 | 24940 | HETZNER-AS Hetzner Online AG RZ |
| 7 | 16276 | OVH OVH |
| 6 | 31624 | VFMNL-AS Verza Facility Management |
| 5 | 27715 | LocaWeb Ltda |
| 5 | 45538 | ODS-AS-VN Online data services |
| 4 | 16509 | AMAZON-02 - Amazon.com, Inc. |
| 4 | 26496 | PAH-INC - GoDaddy.com, Inc. |
| 4 | 54489 | CORESPACE-DAL - CoreSpace, Inc. |
| 3 | 4538 | ERX-CERNET-BKB China Education and |

Top ten ZeuS hosting ISPs (with files online)

| ZeuS C&C count | AS number | AS name |
|---|---|---|
| 8 | 20473 | AS-CHOOPA - Choopa, LLC |
| 3 | 16509 | AMAZON-02 - Amazon.com, Inc. |
| 1 | 27715 | LocaWeb Ltda |
| 1 | 33055 | BCC-65-182-96-0-PHX - Brinkste |
| 1 | 45538 | ODS-AS-VN Online data services |
| 1 | 51559 | NETINTERNET Netinternet Bilgis |
| 1 | 56067 | METRABYTE-TH 453 Ladplacout Jo |
| 1 | 63940 | DRAGONHISPEED-AS-AP dragonhisp |

Top ten ZeuS hosting IPs (by domains)


Top ten ZeuS hosting IPs (with files online)


Top ten Registrars (by Domains)

| Domain count | Registrar |
|---|---|
| 23 | ENOM, INC. |
| 14 | GODADDY.COM, LLC |
| 13 | Namecheap |
| 11 | R01-RU |
| 9 | R01-REG-FID |
| 9 | PDR Ltd. d/b/a PublicDomainRegistry |
| 6 | ERANET INTERNATIONAL LIMITED |
| 6 | TUCOWS DOMAINS INC. |
| 6 | DOMAIN.COM, LLC |
| 5 | NETWORK SOLUTIONS, LLC. |

Top ten Registrars (with files online)

| Domain count | Registrar |
|---|---|
| 4 | ENOM, INC. |
| 2 | GODADDY.COM, LLC |
| 2 | ONLINENIC, INC. |
| 1 | eNom, Inc. (R39-LROR) |
| 1 | TUCOWS DOMAINS INC. |
| 1 | PDR Ltd. d/b/a PublicDomainRegistry.com R28-A |
| 1 | WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNI |
| 1 | 1 & 1 Internet AG (R73-LROR) |

Top twenty Nameservers (by domains)

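| ZeuS domain count | Nameserver |
|---|---|
| 10 | dns1.registrar-servers.com |
| 10 | dns2.registrar-servers.com |
| 9 | c.dns.br |
| 9 | e.dns.br |
| 9 | f.dns.br |
| 9 | b.dns.br |
| 9 | d.dns.br |
| 9 | a.dns.br |
| 8 | nss.ukr.net |
| 8 | ns.in.ua |
| 8 | ns3.itmm.ru |
| 8 | ns.ett.ua |
| 8 | ns2.itmm.ru |
| 5 | ns2.nic.in.net |
| 5 | ns3.nic.in.net |
| 5 | ns1.nic.in.net |
| 5 | nsd.nic.uk |
| 5 | nsa.nic.uk |
| 5 | nsc.nic.uk |
| 5 | nf3.no-ip.com |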

Top twenty Nameservers (with files online)

| ZeuS domain count | Nameserver |
|---|---|
| 8 | dns2.registrar-servers.com |
| 8 | dns1.registrar-servers.com |
| 3 | ns01.freenom.com |
| 3 | ns03.freenom.com |
| 3 | ns02.freenom.com |
| 3 | ns04.freenom.com |
| 1 | ns1.brinkster.com |
| 1 | f.dns.br |
| 1 | e.dns.br |
| 1 | ns2.brinkster.com |
| 1 | ns83.hostinglotus.net |
| 1 | ns84.hostinglotus.net |
| 1 | d.dns.br |
| 1 | ns2-1551094.dragonhispeed.com |
| 1 | ns1-1551094.dragonhispeed.com |
| 1 | ns6.tubisan.net |
| 1 | ns3.digipowerdns.com |
| 1 | ns2.digipowerdns.com |
| 1 | ns1.digipowerdns.com |
| 1 | ns4.digipowerdns.com |

Top ten ZeuS hosting countries (by ZeuS hosts)

| ZeuS C&C count | Country |
|---|---|
| 40 | United States (US) |
| 22 | Germany (DE) |
| 17 | Russian Federation (RU) |
| 13 | Netherlands (NL) |
| 8 | Turkey (TR) |
| 7 | Brazil (BR) |
| 7 | Vietnam (VN) |
| 7 | Thailand (TH) |
| 7 | Indonesia (ID) |
| 6 | China (CN) |

Top ten ZeuS hosting countries (with files online)

| ZeuS C&C count | Country |
|---|---|
| 8 | Germany (DE) |
| 4 | United States (US) |
| 2 | Thailand (TH) |
| 1 | Turkey (TR) |
| 1 | Vietnam (VN) |
| 1 | Brazil (BR) |

Top ten config hash


Top ten binary hash


High Antivirus detection rate


Low Antivirus detection rate


Top ten worst ZeuS C&Cs (by uptime)


Top ten worst ZeuS C&Cs (by files online)


Top changed binaries (by different MD5)


Top changed config files (by different MD5)


Antivirus detection rate

| % | # of ZeuS Binaries |
|---|---|
| 100% | 66 |
| 90% | 871 |
| 80% | 752 |
| 70% | 566 |
| 60% | 602 |
| 50% | 834 |
| 40% | 753 |
| 30% | 1025 |
| 20% | 1660 |
| 10% | 1332 |
| 0% | 772 |

ZeuS Config File Versions

Version# of URLsdistinct hashes (files)
CFG v100
CFG v2483478
Unknown00

Builder Version

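| # of ZeuS Configs | Builder Version |
|---|---|
| 3977 | 2.0.8.9 |
| 2107 | 2.1.0.1 |
| 968 | 2.0.7.0 |
| 318 | 2.1.0.10 |
| 224 | 1.2.7.19 |
| 214 | 1.2.6.0 |
| 134 | 1.2.5.0 |
| 113 | 2.0.9.0 |
| 83 | 2.0.8.1 |
| 81 | 1.3.5.1 |
| 69 | 1.2.10.1 |
| 66 | 1.3.1.1 |
| 40 | 1.2.7.11 |
| 39 | 1.3.4.5 |
| 35 | 1.2.7.0 |
| 34 | 2.0.8.0 |
| 32 | 1.3.2.1 |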

Average binary file size: 186'189 bytes
Average config file size: 59'849 bytes

Binaries submitted to Anubis: 9'243
Unsubmitted binaries: 0

Average binary Antivirus detection rate [MHR]: 42.99%
Average binary Antivirus detection rate [Virustotal]: 40.04%
Number of unique binaries (MD5) currently NOT known to the Malware Hash Registry (MHR): 8'151
Number of unique binaries (MD5) currently NOT known to Virustotal (VT): 10

For more information about the Malware Hash Registry (MHR), take a look at team-cymru.org.