ZeuS Tracker :: Statistic

Here are some statistics about the ZeuS crimeware. Note: You need the Adobe Flash player to view the statistics.

# of active ZeuS files (last 60 days)

Hosting Statistic (# of Hosts per Level)

Spamhaus SBL Statistic

Top ten ZeuS hosting ISPs (by number of ZeuS C&Cs)

| ZeuS C&C count | AS number | AS name |
|---|---|---|
| 21 | 47583 | HOSTING-MEDIA Aurimas Rapalis tradi |
| 14 | 24940 | HETZNER-AS Hetzner Online AG RZ |
| 11 | 36351 | SOFTLAYER - SoftLayer Technologies |
| 10 | 16276 | OVH OVH |
| 9 | 6301 | HP-CLOUD-SERVICES - Hewlett-Packard |
| 7 | 7162 | Itanet - Itamarati On-Line Ltda. |
| 7 | 28299 | CYBERWEB NETWORKS LTDA |
| 6 | 6697 | BELPAK-AS BELPAK |
| 6 | 45538 | ODS-AS-VN Online data services |
| 6 | 51167 | GIGA-HOSTING Giga-Hosting GmbH |

Top ten ZeuS hosting ISPs (with files online)

| ZeuS C&C count | AS number | AS name |
|---|---|---|
| 2 | 7162 | Itanet - Itamarati On-Line Ltd |
| 2 | 37963 | CNNIC-ALIBABA-CN-NET-AP Alibab |
| 1 | 3361 | DF-TUKWILA01 - Digital Fortres |
| 1 | 4134 | CHINANET-BACKBONE No.31,Jin-ro |
| 1 | 4538 | ERX-CERNET-BKB China Education |
| 1 | 5591 | MARTELCOM-AS OJSC Rostelecom,R |
| 1 | 13489 | EPM Telecomunicaciones S.A. E. |
| 1 | 15742 | PRIVATONLINE ASP Privat Online |
| 1 | 16276 | OVH OVH |
| 1 | 18059 | DTPNET-AS-AP DTPNET NAP,ID |

Top ten ZeuS hosting IPs (by domains)


Top ten ZeuS hosting IPs (with files online)


Top ten Registrars (by Domains)

| Domain count | Registrar |
|---|---|
| 45 | R01-REG-FID |
| 39 | ENOM, INC. |
| 38 | R01-REG-RIPN |
| 27 | GODADDY.COM, LLC |
| 24 | RU-CENTER-REG-RIPN |
| 23 | WEB COMMERCE COMMUNICATIONS LIMITED |
| 22 | REGRU-REG-RIPN |
| 21 | PAKNIC (PRIVATE) LIMITED |
| 18 | TUCOWS DOMAINS INC. |
| 17 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY |

Top ten Registrars (with files online)

| Domain count | Registrar |
|---|---|
| 5 | PAKNIC (PRIVATE) LIMITED |
| 4 | R01-REG-RIPN |
| 2 | Moniker Online Services R120-ME (228) |
| 2 | REGRU-REG-RIPN |
| 1 | eNom, Inc. (R39-LROR) |
| 1 | ONLINE SAS |
| 1 | ENOM, INC. |
| 1 | ONLINENIC, INC. |
| 1 | REGISTER.IT SPA |
| 1 | Marcaria.com |

Top twenty Nameservers (by domains)

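| ZeuS domain count | Nameserver |
|---|---|
| 29 | c.dns.br |
| 29 | d.dns.br |
| 29 | e.dns.br |
| 29 | f.dns.br |
| 29 | a.dns.br |
| 29 | b.dns.br |
| 22 | ns4.nic.uk |
| 22 | ns5.nic.uk |
| 22 | nsd.nic.uk |
| 22 | ns6.nic.uk |
| 22 | ns2.nic.uk |
| 22 | ns1.nic.uk |
| 22 | nsc.nic.uk |
| 22 | nsb.nic.uk |
| 22 | nsa.nic.uk |
| 22 | ns7.nic.uk |
| 20 | nf2.no-ip.com |
| 20 | nf5.no-ip.com |
| 20 | nf1.no-ip.com |
| 20 | nf4.no-ip.com |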

Top twenty Nameservers (with files online)

| ZeuS domain count | Nameserver |
|---|---|
| 5 | ns1.zarodom.su |
| 5 | ns3.zarodom.su |
| 5 | ns4.zarodom.su |
| 5 | ns2.zarodom.su |
| 3 | a.dns.br |
| 3 | f.dns.br |
| 3 | b.dns.br |
| 3 | e.dns.br |
| 3 | d.dns.br |
| 3 | c.dns.br |
| 2 | ns2.dns-domainserver.com |
| 2 | ns1.dns-domainserver.com |
| 1 | ns4.impis.ru |
| 1 | ns4.itatco.ru |
| 1 | ns3.itatco.ru |
| 1 | ns3.impis.ru |
| 1 | ns1.itatco.ru |
| 1 | ns2.impis.ru |
| 1 | ns2.itatco.ru |
| 1 | ns1.impis.ru |

Top ten ZeuS hosting countries (by ZeuS hosts)

| ZeuS C&C count | Country |
|---|---|
| 155 | United States (US) |
| 44 | Russian Federation (RU) |
| 37 | Germany (DE) |
| 23 | Brazil (BR) |
| 20 | Ukraine (UA) |
| 19 | Netherlands (NL) |
| 18 | France (FR) |
| 14 | United Kingdom (GB) |
| 13 | Vietnam (VN) |
| 13 | Romania (RO) |

Top ten ZeuS hosting countries (with files online)

| ZeuS C&C count | Country |
|---|---|
| 7 | United States (US) |
| 4 | China (CN) |
| 3 | Brazil (BR) |
| 2 | France (FR) |
| 1 | Netherlands (NL) |
| 1 | Colombia (CO) |
| 1 | Poland (PL) |
| 1 | Germany (DE) |
| 1 | Russian Federation (RU) |
| 1 | Canada (CA) |

Top ten config hash


Top ten binary hash


High Antivirus detection rate


Low Antivirus detection rate


Top ten worst ZeuS C&Cs (by uptime)


Top ten worst ZeuS C&Cs (by files online)


Top changed binaries (by different MD5)


Top changed config files (by different MD5)


Antivirus detection rate

| % | # of ZeuS Binaries |
|---|---|
| 100% | 65 |
| 90% | 714 |
| 80% | 683 |
| 70% | 547 |
| 60% | 579 |
| 50% | 787 |
| 40% | 709 |
| 30% | 994 |
| 20% | 1627 |
| 10% | 1215 |
| 0% | 697 |

ZeuS Config File Versions

Version# of URLsdistinct hashes (files)
CFG v100
CFG v2774744
Unknown00

Builder Version

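| # of ZeuS Configs | Builder Version |
|---|---|
| 2527 | 2.0.8.9 |
| 1674 | 2.1.0.1 |
| 968 | 2.0.7.0 |
| 318 | 2.1.0.10 |
| 214 | 1.2.7.19 |
| 189 | 1.2.6.0 |
| 120 | 1.2.5.0 |
| 113 | 2.0.9.0 |
| 82 | 2.0.8.1 |
| 81 | 1.3.5.1 |
| 69 | 1.2.10.1 |
| 66 | 1.3.1.1 |
| 39 | 1.3.4.5 |
| 39 | 1.2.7.11 |
| 35 | 1.2.7.0 |
| 34 | 2.0.8.0 |
| 32 | 1.3.2.1 |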

Average binary file size: 186'874 bytes
Average config file size: 63'486 bytes

Binaries submitted to Anubis: 8'625
Unsubmitted binaries: 0

Average binary Antivirus detection rate [MHR]: 41.51%
Average binary Antivirus detection rate [Virustotal]: 39.53%
Numbers of unique binaries (md5), which are currently NOT known to the Malware Hash Registry (MHR): 7'582
Numbers of unique binaries (md5), which are currently NOT known to Virustotal (VT): 8

For more information about the Malware Hash Registry (MHR) take a look at team-cymru.org.