ZeuS Tracker :: DNS Service

About the ZeuS Tracker DNS Service

The ZeuS Tracker DNS Service is a lookup service similar to a normal DNS blackhole list (DNSBL). Normally, such DNSBLs are used for spam filtering on mail gateways. The ZeuS Tracker DNS Service has a different purpose: it was developed to give IT professionals an easy way to check an IP address or a domain name against the ZeuS Tracker IP or Domain Blocklist. Additionally, the ZeuS Tracker DNS Service provides an advanced lookup which returns additional information about a ZeuS IP address or domain name listed on ZeuS Tracker.

Warning: Do not use the ZeuS Tracker DNS Service for mail filtering! ZeuS domains which are tracked in the ZT are automatically included in SURBL. So if you want to check your mails against malicious ZeuS domains, please use SURBL. If you ignore this warning, your IP address will be banned from the ZT DNS Service!

Special notes / terms of usage

If you are using the ZeuS Tracker DNS Service in an automated or non-automated way, you are bound by the following conditions and terms:

If you violate the terms and conditions outlined above, your IP address will be banned from the ZT DNS service.

Usage

The ZT DNS Service is designed for quick lookups. For this purpose the DNS service supports two types of lookups: TXT and A queries. An A query only tells you whether an IP address or domain name is listed on the ZeuS Tracker, by returning 127.0.0.2, while a TXT query shows you more information such as SBL status, country, AS number, etc. The DNS zones (IPBL and URIBL) are rebuilt automatically every 15 minutes.

ipbl.zeustracker.abuse.ch (Lookup an IP address)

The zone ipbl.zeustracker.abuse.ch is designed for looking up an IP address. Note that, as is common for DNSBLs, the IP address is queried in reverse octet order. In the example below we use the IP address 68.222.251.128, which becomes 128.251.222.68:

The format and output for a DNS A query are as follows (the response 127.0.0.2 means that the queried IP address is listed on ZeuS Tracker):

$ dig +short 128.251.222.68.ipbl.zeustracker.abuse.ch A
127.0.0.2

The format and output for a DNS TXT query are as follows:

$ dig +short 128.251.222.68.ipbl.zeustracker.abuse.ch TXT
"68.222.251.128 | Not listed | 6389 | US | online | 4 | 3 | 2009-09-25 06:50:05"

...while the format of the TXT response looks like this:

"HOST | IP_ADDRESS | SBL_STATUS | ASNUMBER | COUNTRY | STATUS | LEVEL | FILES_ONLINE | DATEADDED"

Because one or more domain names can point to a single IP address, the "FILES_ONLINE" value is calculated across all of them. Let's take an example:

To check the IP address 123.124.125.126, the query would look like this:

$ dig +short 126.125.124.123.ipbl.zeustracker.abuse.ch TXT

In this case the answer to this TXT query will contain a value of 5 FILES_ONLINE.

Note: If you get an empty response from the ZeuS Tracker DNS service, it means that the queried IP address or domain name is not listed on ZeuS Tracker. Because a C&C server does not have to be reachable through a domain name, the HOST value can contain either a domain name or an IP address.

uribl.zeustracker.abuse.ch (Lookup a Domain)

The zone uribl.zeustracker.abuse.ch is designed for looking up a domain name. URIBL is an abbreviation for "Uniform Resource Identifier Blacklist". It is similar to a normal DNS Blacklist (DNSBL) but lists domain names rather than IP addresses. The usage and the format of the query/output are the same as for the IPBL. In the example below we use the domain dantor777.com:

The format and output for a DNS A query are as follows (the response 127.0.0.2 means that the queried domain is listed on ZeuS Tracker):

$ dig +short dantor777.com.uribl.zeustracker.abuse.ch A
127.0.0.2

The format and output for a DNS TXT query are as follows:

$ dig +short dantor777.com.uribl.zeustracker.abuse.ch TXT
"dantor777.com | 91.212.220.118 | Not listed | 49365 | RU | online | 4 | 3 | 2009-10-04 13:06:02"

...while the format of the TXT response looks like this:

"HOST | IP_ADDRESS | SBL_STATUS | ASNUMBER | COUNTRY | STATUS | LEVEL | FILES_ONLINE | DATEADDED"

Note: If you get an empty response from the ZeuS Tracker DNS service, it means that the queried domain name is not listed on ZeuS Tracker.
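The following Python helper is an added example, not code from abuse.ch or from this page. It covers both zones described above: it builds the reversed-octet IPBL name and the URIBL name, interprets an A answer (127.0.0.2 = listed, empty = not listed), and parses a TXT answer into the nine documented fields. The live lookup simply shells out to the page's own "dig +short" command. All function names are this example's own. One assumption is labelled in the code: the page's IPBL sample response shows eight fields while the documented format has nine, so the parser accepts both shapes and reuses HOST as IP_ADDRESS when the separate field is absent.

```python
"""Helpers for the ZeuS Tracker DNS Service (ipbl/uribl zones).

Zone names, the 127.0.0.2 convention and the TXT field order come from the
page above. The function names and the eight-field tolerance are this
example's own assumptions, not an abuse.ch API.
"""
import ipaddress
import subprocess
from typing import Optional

IPBL_ZONE = "ipbl.zeustracker.abuse.ch"
URIBL_ZONE = "uribl.zeustracker.abuse.ch"
LISTED_ANSWER = "127.0.0.2"  # A-record value that means "listed"

# Field names in the order the page documents for TXT responses.
TXT_FIELDS = ["HOST", "IP_ADDRESS", "SBL_STATUS", "ASNUMBER", "COUNTRY",
              "STATUS", "LEVEL", "FILES_ONLINE", "DATEADDED"]


def ipbl_name(ip: str) -> str:
    """Build the IPBL query name: octets reversed, zone appended.

    Raises ValueError for anything that is not a plain IPv4 address, so a
    malformed or attacker-supplied string is never sent to the resolver.
    """
    addr = ipaddress.IPv4Address(ip)  # validates the input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{IPBL_ZONE}"


def uribl_name(domain: str) -> str:
    """Build the URIBL query name for a domain (no reversal needed)."""
    label = domain.strip().rstrip(".").lower()
    if not label or any(c.isspace() for c in label):
        raise ValueError(f"not a domain name: {domain!r}")
    return f"{label}.{URIBL_ZONE}"


def is_listed(a_answer: str) -> bool:
    """Interpret `dig +short ... A` output: 127.0.0.2 = listed, empty = not."""
    return LISTED_ANSWER in a_answer.split()


def parse_txt(txt_answer: str) -> Optional[dict]:
    """Parse one TXT response into a dict keyed by the documented field names.

    Assumption (not stated on the page): the page's URIBL sample carries all
    nine fields, its IPBL sample only eight (HOST is the address itself and no
    separate IP_ADDRESS appears). With eight fields the HOST value is reused
    as IP_ADDRESS. An empty response (not listed) yields None.
    """
    line = txt_answer.strip().strip('"')
    if not line:
        return None
    parts = [p.strip() for p in line.split("|")]
    if len(parts) == len(TXT_FIELDS) - 1:
        parts.insert(1, parts[0])  # HOST doubles as IP_ADDRESS
    if len(parts) != len(TXT_FIELDS):
        raise ValueError(f"unexpected TXT field count {len(parts)}: {line!r}")
    record = dict(zip(TXT_FIELDS, parts))
    for key in ("ASNUMBER", "LEVEL", "FILES_ONLINE"):
        record[key] = int(record[key])
    return record


def lookup(name: str, rrtype: str) -> str:
    """Run the page's own `dig +short <name> <type>` and return its stdout."""
    out = subprocess.run(["dig", "+short", name, rrtype],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Live lookups against the service; needs network access and dig.
    for name in (ipbl_name("68.222.251.128"), uribl_name("dantor777.com")):
        verdict = "listed" if is_listed(lookup(name, "A")) else "not listed"
        print(name, verdict)
        print(parse_txt(lookup(name, "TXT")))
```

The pure functions (name construction, A/TXT interpretation) work offline and are the part worth unit-testing; only lookup() touches the network. Validating the IPv4 address before reversing it keeps arbitrary input out of the DNS query name, and converting ASNUMBER, LEVEL and FILES_ONLINE to integers lets callers compare levels or counts without further string handling.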

Questions?

If you have questions don't hesitate to drop me a line using the contact form.