Monday, September 15, 2014

ZeuS Botnet -

ZeuS banking trojan botnet hosted on - (Turkey) 8878 IN A
Domain ID: D171358345-LROR
Creation Date: 2014-03-11T11:26:47Z
Updated Date: 2014-05-11T03:46:02Z
Registry Expiry Date: 2015-03-11T11:26:47Z
Sponsoring Registrar: PDR Ltd. d/b/a (R27-LROR)
inetnum: -
remarks:        INFRA-AW
netname:        NETINTERNET

Admin login:  

70 bots (many in CN, with the remaining installs spread across the world)
13k reports
OS Stats:
We still see WinXP as the top OS; however, Win7 and Win7 64-bit are catching up.

This machine also had another ZeuS/Citadel infection on it. You can see it calling home to the gate.php.
(This botnet is offline now too)

Example of banking credentials being stolen from a victim. Note the HTTPS in the URL.
TLS/SSL does not help here: the ZeuS malware has hooked the browser process and captures the credentials before they ever reach the TLS/SSL layer.
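A defender-side check suggested by the gate.php callback above, as an added example that is not from the original post: scan proxy log lines for POSTs to a gate.php path and count them per client, since repeat beaconing from one host is the signal worth triaging. The log format, host names and client addresses below are constructed placeholders.

```python
"""Flag ZeuS-style gate.php callbacks in web-proxy logs (added example).

The C2 script name "gate.php" is the only indicator the post gives; the
log format, host names and client IPs here are constructed placeholders.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed Squid-style access log: ts client method url status
SAMPLE_LOG = """\
1410768001.123 10.0.0.15 POST http://c2-placeholder.example/panel/gate.php 200
1410768002.456 10.0.0.15 GET https://www.bank-placeholder.example/login 200
1410768003.789 10.0.0.22 POST http://c2-placeholder.example/panel/gate.php 200
1410768004.012 10.0.0.31 GET http://cdn-placeholder.example/gate.php?x=1 200
1410768005.345 10.0.0.15 POST http://c2-placeholder.example/panel/gate.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_gate_callback(method: str, url: str) -> bool:
    """Bots POST their reports to the gate script; a GET to a similarly
    named path is not the same pattern and is ignored."""
    path = urlsplit(url).path
    return method == "POST" and path.rsplit("/", 1)[-1].lower() == "gate.php"

def find_callbacks(log_text: str) -> dict:
    """Return {client_ip: [c2_host, ...]} for each suspected callback."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, method, url, _status = m.groups()
        if is_gate_callback(method, url):
            hits[client].append(urlsplit(url).hostname)
    return dict(hits)

def summarize(hits: dict) -> Counter:
    """Callbacks per client; repeated beaconing is the strongest signal."""
    return Counter({client: len(hosts) for client, hosts in hits.items()})

if __name__ == "__main__":
    found = find_callbacks(SAMPLE_LOG)
    for client, n in summarize(found).most_common():
        print(f"{client}: {n} gate.php POST(s) to {sorted(set(found[client]))}")
```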