ZeuS Tracker :: Statistic

Here are some statistics about the ZeuS crimeware. Note: You need the Adobe Flash player to view the statistics.

# of active ZeuS files (last 60 days)

Hosting Statistic (# of Hosts per Level)

Spamhaus SBL Statistic

Top ten ZeuS hosting ISPs (by number of ZeuS C&Cs)

ZeuS C&C count | AS number | AS name
22 | 47583 | HOSTING-MEDIA Aurimas Rapalis tradi
14 | 24940 | HETZNER-AS Hetzner Online AG RZ
14 | 36351 | SOFTLAYER - SoftLayer Technologies
11 | 16276 | OVH OVH
10 | 26496 | PAH-INC - GoDaddy.com, Inc.
9 | 6301 | HP-CLOUD-SERVICES - Hewlett-Packard
6 | 6697 | BELPAK-AS BELPAK
6 | 7162 | Itanet - Itamarati On-Line Ltda.
6 | 32475 | SINGLEHOP-INC - SingleHop
6 | 37963 | CNNIC-ALIBABA-CN-NET-AP Alibaba (Ch

Top ten ZeuS hosting ISPs (with files online)

ZeuS C&C count | AS number | AS name
2 | 7162 | Itanet - Itamarati On-Line Ltd
2 | 21788 | Network Operations Center Inc.
2 | 37963 | CNNIC-ALIBABA-CN-NET-AP Alibab
1 | 3188 | ALASTYR Alastyr Telekomunikasy
1 | 3595 | GNAXNET-AS - Global Net Access
1 | 4134 | CHINANET-BACKBONE No.31,Jin-ro
1 | 4538 | ERX-CERNET-BKB China Education
1 | 4766 | KIXS-AS-KR Korea Telecom
1 | 8820 | TAL-DE TAL.DE Klaus Internet S
1 | 9498 | BBIL-AP BHARTI Airtel Ltd.

Top ten ZeuS hosting IPs (by domains)


Top ten ZeuS hosting IPs (with files online)


Top ten Registrars (by Domains)

Domain count | Registrar
45 | R01-REG-FID
40 | ENOM, INC.
35 | GODADDY.COM, LLC
31 | R01-REG-RIPN
23 | WEB COMMERCE COMMUNICATIONS LIMITED
23 | RU-CENTER-REG-RIPN
20 | REGRU-REG-RIPN
16 | TUCOWS DOMAINS INC.
15 | PAKNIC (PRIVATE) LIMITED
15 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY

Top ten Registrars (with files online)

Domain count | Registrar
2 | RU-CENTER-REG-RIPN
2 | REGRU-REG-RIPN
2 | GODADDY.COM, LLC
1 | ONLINE SAS
1 | Moniker Online Services R120-ME (228)
1 | NAME.COM, INC.
1 | FBS INC.
1 | ONLINENIC, INC.
1 | REGISTER.COM, INC.
1 | Beijing New Net Digital Information Technolog

Top twenty Nameservers (by domains)

ZeuS domain count | Nameserver
25 | c.dns.br
25 | d.dns.br
25 | e.dns.br
25 | f.dns.br
25 | b.dns.br
25 | a.dns.br
23 | ns1.nic.uk
23 | nsb.nic.uk
23 | nsc.nic.uk
23 | nsd.nic.uk
23 | ns2.nic.uk
23 | ns4.nic.uk
23 | nsa.nic.uk
23 | ns7.nic.uk
23 | ns6.nic.uk
23 | ns5.nic.uk
20 | nf1.no-ip.com
20 | nf3.no-ip.com
20 | nf2.no-ip.com
20 | nf5.no-ip.com

Top twenty Nameservers (with files online)

ZeuS domain count | Nameserver
4 | b.dns.br
4 | d.dns.br
4 | e.dns.br
4 | f.dns.br
4 | a.dns.br
4 | c.dns.br
1 | v1s1.xundns.com
1 | g.dns.kr
1 | v1s2.xundns.com
1 | ns30.knameservers.com
1 | ns1.lunarpages.com
1 | ns31.knameservers.com
1 | f.dns.kr
1 | ns2.main-hosting.com
1 | c.dns.kr
1 | e.dns.kr
1 | b.dns.kr
1 | ns2.lunarpages.com
1 | ns3.main-hosting.com
1 | ns4.main-hosting.com

Top ten ZeuS hosting countries (by ZeuS hosts)

ZeuS C&C count | Country
162 | United States (US)
43 | Russian Federation (RU)
38 | Germany (DE)
22 | Netherlands (NL)
18 | Brazil (BR)
17 | France (FR)
16 | Ukraine (UA)
15 | United Kingdom (GB)
13 | Canada (CA)
13 | Turkey (TR)

Top ten ZeuS hosting countries (with files online)

ZeuS C&C count | Country
10 | United States (US)
4 | China (CN)
4 | Brazil (BR)
2 | Colombia (CO)
1 | Ukraine (UA)
1 | Indonesia (ID)
1 | Switzerland (CH)
1 | India (IN)
1 | Vietnam (VN)
1 | Korea, Republic of (KR)

Top ten config hash


Top ten binary hash


High Antivirus detection rate


Low Antivirus detection rate


Top ten worst ZeuS C&Cs (by uptime)


Top ten worst ZeuS C&Cs (by files online)


Top changed binaries (by different MD5)


Top changed config files (by different MD5)


Antivirus detection rate

% | # of ZeuS Binaries
100% | 65
90% | 710
80% | 681
70% | 547
60% | 577
50% | 787
40% | 709
30% | 994
20% | 1627
10% | 1211
0% | 695

ZeuS Config File Versions

Version# of URLsdistinct hashes (files)
CFG v100
CFG v2756727
Unknown00

Builder Version

# of ZeuS Configs | Builder Version
2508 | 2.0.8.9
1654 | 2.1.0.1
968 | 2.0.7.0
318 | 2.1.0.10
214 | 1.2.7.19
183 | 1.2.6.0
120 | 1.2.5.0
113 | 2.0.9.0
82 | 2.0.8.1
81 | 1.3.5.1
69 | 1.2.10.1
66 | 1.3.1.1
39 | 1.3.4.5
39 | 1.2.7.11
35 | 1.2.7.0
34 | 2.0.8.0
32 | 1.3.2.1

Average binary file size: 186'910 bytes
Average config file size: 63'671 bytes

Binaries submitted to Anubis: 8'611
Unsubmitted binaries: 0

Average binary Antivirus detection rate [MHR]: 41.4%
Average binary Antivirus detection rate [Virustotal]: 39.52%
Number of unique binaries (MD5) currently NOT known to the Malware Hash Registry (MHR): 7'572
Number of unique binaries (MD5) currently NOT known to Virustotal (VT): 8

For more information about the Malware Hash Registry (MHR) take a look at team-cymru.org.