I have a set of URLs which might be Zeus hosts / C&C servers since my security appliance says so. Is there a way to check if these really belong to Zeus?
3 Answers
Provided that you are looking for information already analyzed, and your question is not about the technical ways to identify a Zeus C&C server, you can look at the following places:
- malwaredomainlist.com
- malwaredb.malekal.com
- exposedbotnets.com
- scumware.org
- malc0de.com
- cybercrime-tracker.net
- vxvault.siri-urz.net
- nothink.org
- botnet-tracker.blogspot.ch
- atlas.arbor.net
- marworm.com
- zeustracker.abuse.ch (Zeus botnet tracker)
- alienvault.com
Note that you can also use those places to look for many other threats / malicious activities besides Zeus.
First, you can look at the abuse.ch zeustracker list.
Second, note that the abuse.ch list is the primary source for the iblocklist.com zeus list. You may also wish to look through some of the many other malware lists on iblocklist.com to check for other malware sites.
Separately, you can check to see on what basis your security appliance is making the determination - is it using a list (perhaps one of these)? If it is using a list, which one, and how often does it update it? Is it using traffic analysis (like Snort would) instead?
When I get alerts of possible Zeus infection from the security appliances, this is what I usually do:
- check the URL with zeustracker
- if the URL is not in the zeustracker db, check on virustotal
- if there are detections, likely this is a malicious connection
- Run a tcpdump on the connection to check the packets
zeustracker has a guide showing how to identify Zeus malware; go take a look.
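The triage workflow in this answer, as an added Python example that is not the poster's code: it matches the host of each alerted URL against a locally saved blocklist and reports which URLs still need the VirusTotal check and packet capture. The one-host-per-line, `#`-commented layout and the sample entries are constructed assumptions, not a real export.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in an assumed one-host-per-line, '#'-commented layout.
# A real list must be downloaded fresh from the tracker before use.
BLOCKLIST_TEXT = """\
# Zeus host blocklist (constructed sample for this example)
evil-cc.example
panel.badhost.example
203.0.113.45
"""

def parse_blocklist(text):
    """Return the set of lowercase hosts, ignoring comments and blank lines."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hosts.add(line.rstrip("."))
    return hosts

def host_of(url):
    """Extract the host; appliance exports often omit the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_listed(host, blocklist):
    """IPs match exactly; names match exactly or via a listed parent domain."""
    try:
        ipaddress.ip_address(host)
        return host in blocklist
    except ValueError:
        pass
    labels = host.split(".")
    # Walk upwards: a.evil-cc.example -> evil-cc.example (never the bare TLD).
    return any(".".join(labels[i:]) in blocklist
               for i in range(max(1, len(labels) - 1)))

def triage(urls, blocklist_text=BLOCKLIST_TEXT):
    """Map each alerted URL to the next step of the workflow above."""
    blocklist = parse_blocklist(blocklist_text)
    verdicts = {}
    for url in urls:
        host = host_of(url)
        if not host:
            verdicts[url] = "unparseable: inspect manually"
        elif is_listed(host, blocklist):
            verdicts[url] = "listed: treat as known C&C"
        else:
            verdicts[url] = "not listed: check VirusTotal, then capture traffic"
    return verdicts
```

A host whose parent domain is listed is flagged, but a parent of a listed subdomain is not, so `badhost.example` still goes to the VirusTotal step.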