In Part 1 of “Clustering Zeus Command and Control Servers” I focused on clustering Zeus command and control servers based on three criteria: IP addresses, domain names, and email addresses used to register domain names. Using data drawn from ZeusTracker and MalwareDomainList, I observed that while a wide variety of criminals may set up disparate Zeus operations, there may be a “core” set of Zeus operations clustered around domain names registered with five email addresses: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org and email@example.com. Beyond the common email addresses and co-hosting on servers with the same IP addresses (which, in general, are hosting a wide variety of malware), the exact nature of the relationships remains unclear.
It is clear that there are certain servers that facilitate an abundance of malicious activity. However, caution must be exercised when conclusions are drawn regarding specific (groups of) actors operating discrete segments of botnet command and control servers among a common malicious infrastructure. Malware groups are often the customers of other malware groups or work with affiliates to propagate and monetize malware. Different groups may propagate malicious domain names that belong to other groups, or different groups may propagate common malicious domains that are provided by an affiliate network. In addition, there are malicious networks that provide hosting services to malware distributors and botnet operators. Therefore, links that appear between a variety of actors may not be as solid as the technical data alone would lead one to believe.
In order to examine these relationships further, I’m going to layer some qualitative data and analysis on the Zeus data analyzed in Part 1. Based on information I obtained from some of the command and control servers listed below (this is deliberately vague), combined with common file paths and the presence of the same files on different combinations of these servers, I believe that the following command and control domain names constitute a cluster of malicious activity operated by the same set of operators:
This post will explore the relationships between these domains and other malicious activity, primarily Zeus activity, undertaken by other domain names registered with the same email addresses in order to explore the theory that there is a “core” of Zeus activity. While the malicious activity primarily relates to Zeus there are some significant exceptions. The domain name sosanni.com was used as a command and control server for the Ambler botnet. For the period I observed the Ambler activity, over 5000 IP addresses from compromised computers, 99% of which were from Russia, checked in with the command and control server. In addition, I found that coolparts31.tw was acting as a SpyEye command and control server in addition to a Zeus command and control server.
This screenshot shows the relationship between the command and control domain names, the malicious activity associated with them and the IP address that the domain name resolves to. While there are several instances in which some domain names were co-hosted on the same server, nearly half were not. This makes sense as operators will seek to diversify their hosting in order to avoid a complete shutdown should one of their command and control servers be taken down or blocked. In fact, looking at the time span, covering October 2009 to September 2010, we can see how the operators moved their operations from one server to the next.
The operators of this malware cluster tend to host their command and control servers in Eastern Europe and China.
In order to assess this cluster’s possible linkages within the broader malware ecosystem, the data set was expanded to include a) other domain names registered with the same email addresses and b) the IP addresses of the servers associated with the malicious activity imported from ZeusTracker and MalwareDomainList. This extends the geographic scope of the hosting servers into North America, as well as the previous locations in Eastern Europe (UA, RU, CZ, MD) and South East Asia (CN, TW).
Looking at the relationships between the domains we see that there are two interesting clusters, and arguably a few smaller ones as well. These represent concentrations of servers registered with the same email addresses. The two main clusters are domain names registered to: firstname.lastname@example.org and email@example.com.
An interesting fact about the “Lucas” cluster becomes apparent when you look at the time line of malicious activity (the date when the domain name was added to ZeusTracker or MalwareDomainList). The Lucas cluster is primarily active January – November 2009 (although there is some subsequent activity) while very few domains registered with other email addresses are active.
This is followed by the introduction of the “Kneber” domains which begin on the tail end of the Lucas cluster’s activity. The Kneber domain names begin in November 2009 and continue into October 2010. While the domain names registered with the remaining email addresses do also roughly follow a similar pattern of beginning while the previous one tails off, Kneber remains fairly constant once it begins.
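The clustering and timeline comparison described above, as an added example (not code or data from the original post): domains are grouped by shared registrant email, optionally also by shared hosting IP, and each registrant's listing window is computed to find successors that start before the previous registrant's activity ends. All records, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (domain, registrant email, hosting IP, date listed on a tracker)
RECORDS = [
    ("alpha-cc.example", "reg-a@example.net", "192.0.2.10", date(2009, 1, 12)),
    ("bravo-cc.example", "reg-a@example.net", "192.0.2.11", date(2009, 6, 3)),
    ("charlie-cc.example", "reg-a@example.net", "198.51.100.7", date(2009, 11, 20)),
    ("delta-cc.example", "reg-b@example.net", "198.51.100.7", date(2009, 11, 5)),
    ("echo-cc.example", "reg-b@example.net", "203.0.113.4", date(2010, 4, 18)),
    ("foxtrot-cc.example", "reg-b@example.net", "203.0.113.5", date(2010, 10, 2)),
    ("golf-cc.example", "reg-c@example.net", "203.0.113.99", date(2010, 12, 1)),
]

def cluster(records, link_on=("email",)):
    """Connected components of domains linked by shared attribute values."""
    parent = {r[0]: r[0] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}  # (attribute, value) -> first domain seen with that value
    for domain, email, ip, _ in records:
        attrs = {"email": email, "ip": ip}
        for key in link_on:
            other = first_seen.setdefault((key, attrs[key]), domain)
            parent[find(domain)] = find(other)
    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

def activity_windows(records):
    """(email, (first listed, last listed)) pairs, ordered by first listing."""
    win = {}
    for _, email, _, listed in records:
        lo, hi = win.get(email, (listed, listed))
        win[email] = (min(lo, listed), max(hi, listed))
    return sorted(win.items(), key=lambda kv: kv[1][0])

def overlapping_successors(windows):
    """(old, new) pairs where the next registrant starts before the previous ends."""
    return [(a[0], b[0]) for a, b in zip(windows, windows[1:]) if b[1][0] <= a[1][1]]

if __name__ == "__main__":
    print(cluster(RECORDS))
    print(cluster(RECORDS, link_on=("email", "ip")))
    print(overlapping_successors(activity_windows(RECORDS)))
```

Linking on IP as well as email merges the first two groups through a single co-hosted server, which is why a shared hosting IP on its own is weak evidence of a common operator.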
In Part 1, I showed that there are clusters of Zeus activity around a set of email addresses used to register domain names. Using qualitative data from my investigations, I’ve found a Zeus cluster that uses domain names registered by some, but not all, of these key email addresses including firstname.lastname@example.org and email@example.com. This cluster has transitioned through domain names registered by a variety of email addresses over the last year. When the data set is expanded to include all the domain names registered by these email addresses in ZeusTracker and MalwareDomainList we see the same pattern of transition play out. This supports the theory that while Zeus is a toolkit that allows anyone to create a botnet, there is a “core” of Zeus activity.
However, this cluster of 16 domain names is only a small portion of the “core” Zeus activity associated with five key email addresses. According to DomainTools, these addresses are associated with about 1839 domain names in total:
firstname.lastname@example.org is associated with about 717 domains
email@example.com is associated with about 449 domains
firstname.lastname@example.org is associated with about 110 domains
email@example.com is associated with about 263 domains
firstname.lastname@example.org is associated with about 300 domains
These email addresses have been used to register a variety of domain names associated with all manner of malicious activity, not exclusively Zeus activity. While this could be part of a centralized effort to distribute command and control servers to be operated by sub-groups, I am not sure that it is best to attribute all the malicious activity across these domains to the same set of actors. Even if these domain names represent the efforts of the same set of actors, they appear to be distributed to smaller groups of operators. These operators don’t necessarily have connections with others managing domain names hosted on the same infrastructure and/or registered with the same email addresses.
However, this simple clustering method does provide us with concentrations of malicious activity that should be investigated further. The introduction of qualitative data provides the ability to probe the operations of specific groups further. In the future I’d like to acquire a list of all 1800 domain names and layer on historical hosting data to see if any further patterns emerge.