majithia23 Posted March 12, 2011

What is Zeus?

ZeuS (also known as Zbot / WSNPoem) is a crimeware kit which steals credentials from various online services like social networks, online banking accounts, FTP accounts, email accounts and others (phishing). The web admin panel can be bought for 700$ (source: RSA Security 4/21/2008) and the exe builder for 4'000$ (source: Prevx 3/15/2009).

The crimeware kit contains the following modules:
- A web interface to administrate and control the botnet (ZeuS Admin Panel)
- A tool to create the trojan binaries and encrypt the config file (called exe builder)

Normally, a ZeuS host consists of three components / URIs:
- a config file (mostly with file extension *.bin)
- a binary file which contains the newest version of the ZeuS trojan
- a dropzone (mostly a php file)

Some features of ZeuS are:
- Capture credentials out of HTTP, HTTPS, FTP and POP3 traffic or out of the bot's protected storage (PStore).
- Group the infected clients into different botnets
- Integrated SOCKS proxy
- Web form to search the captured credentials
- Encrypted config file
- Function to kill the operating system (see abuse.ch: "When a Botmaster goes REALLY mad")

ZeuS Tracker :: ZeuS blocklist

With the ZeuS Tracker you are able to generate an IP and domain blocklist which contains all IPs / domains which are currently used as Command&Control servers (C&C) by the ZeuS crimeware. Both blocklists will be generated in text format. This allows you to import the blocklist into your firewall or corporate web proxy to block all traffic to the malicious ZeuS C&C servers.

ZeuS domain blocklist
The ZeuS domain blocklist contains domains which are currently being tracked on the abuse.ch ZeuS Tracker. The blocklist contains domains which are currently online as well as all domains which are offline at this time. You can use this list to block the access to the listed domains on your web proxy or on your firewall. Just click on the link below to generate an up-to-date blocklist in text format:
download ZeuS domain blocklist

ZeuS IP blocklist
The ZeuS IP blocklist contains IP addresses (IPv4) which are currently being tracked on the abuse.ch ZeuS Tracker. You can use this list to block the access to the listed IP addresses on your web proxy or on your firewall. Just click on the link below to generate an up-to-date blocklist in text format:
download ZeuS IP blocklist

ZeuS combined blocklist for Squid
The IP blocklist for Squid includes all ZeuS IPs and domain names. The blocklist is a text file in the Squid format and can be used to block well known ZeuS C&Cs at the Squid web proxy:
download ZeuS combined blocklist for Squid

ZeuS IP blocklist for iptables
The IP blocklist for iptables includes all ZeuS IPs. The blocklist is a bash script which will add a DROP rule to your iptables to drop traffic from well known ZeuS C&Cs:
download ZeuS IP blocklist for iptables

ZeuS domain blocklist for Windows (Hosts-File)
The domain blocklist for Windows includes all ZeuS domains. The blocklist is a text file in the Windows hosts-file format which points the ZeuS domains to localhost (127.0.0.1):
download ZeuS domain blocklist for Windows (Hostfile)

ZeuS combined blocklist for Unix (hosts.deny)
The combined blocklist for Unix can be copied to /etc/hosts.deny to block bad traffic from and to malicious ZeuS C&C servers:
download ZeuS combined blocklist for Unix (Hosts.deny)

Zeus Tracker
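The import step described in the post above, as an added example that is not part of the original post and is not abuse.ch's own tooling: it validates a text-format blocklist before turning it into hosts-file entries and iptables DROP rules, so a malformed or tampered list cannot inject commands or block local addresses. The one-entry-per-line layout with `#` comments, the function names, the OUTPUT chain and the sample entries are assumptions.

```python
import ipaddress
import re

# Constructed sample (not tracker data): RFC 5737 address, .example domains, bad entries.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
192.0.2.15
bad-panel.example
Dropzone.Example.
127.0.0.1
10.0.0.5
203.0.113.9; echo injected
192.0.2.15
"""

# Ranges that must never end up in a DROP rule, whatever the list says.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
_DOMAIN_RE = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def parse_blocklist(text):
    """Return (ips, domains, rejected) from a one-entry-per-line text blocklist."""
    ips, domains, rejected = [], [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        name = entry.lower().rstrip(".")
        try:
            addr = ipaddress.IPv4Address(entry)
        except ValueError:
            ok = len(name) <= 253 and _DOMAIN_RE.match(name)
            target, value = (domains, name) if ok else (rejected, entry)
        else:
            safe = not any(addr in net for net in _NEVER_BLOCK)
            target, value = (ips, str(addr)) if safe else (rejected, entry)
        if value not in target:  # drop duplicates, keep first-seen order
            target.append(value)
    return ips, domains, rejected

def hosts_file_lines(domains):
    """Hosts-file entries that point each domain at localhost."""
    return [f"127.0.0.1 {d}" for d in domains]

def iptables_rules(ips, chain="OUTPUT"):
    """argv lists for subprocess.run(); no shell ever parses list content."""
    return [["iptables", "-A", chain, "-d", ip, "-j", "DROP"] for ip in ips]
```

Review the `rejected` list before applying anything: entries landing there mean the download was malformed or altered.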
Archived
This topic is now archived and is closed to further replies.