Posts tagged “Palantir”

Clustering Zeus Command and Control Servers Part 2

In Part 1 of “Clustering Zeus Command and Control Servers” I focused on clustering Zeus command and control servers based on three criteria: IP addresses, domain names, and the email addresses used to register those domain names. Using data drawn from ZeusTracker and MalwareDomainList, I observed that while a wide variety of criminals may set up disparate Zeus operations, there may be a “core” set of Zeus operations clustered around domain names registered with five email addresses:,,, and Beyond the common email addresses and co-hosting on servers with the same IP addresses (which, in general, host a wide variety of malware), the exact nature of the relationships remains unclear.

It is clear that there are certain servers that facilitate an abundance of malicious activity. However, caution must be exercised when conclusions are drawn regarding specific (groups of) actors operating discrete segments of botnet command and control servers among a common malicious infrastructure. Malware groups are often the customers of other malware groups or work with affiliates to propagate and monetize malware. Different groups may propagate malicious domain names that belong to other groups, or different groups may propagate common malicious domains that are provided by an affiliate network. In addition, there are malicious networks that provide hosting services to malware distributors and botnet operators. Therefore, links that appear between a variety of actors may not be as solid as the technical data alone would lead one to believe.

In order to examine these relationships further, I’m going to layer some qualitative data and analysis on top of the Zeus data analyzed in Part 1. Based on information I obtained from some of the command and control servers listed below (this is deliberately vague), combined with common file paths and the presence of the same files on different combinations of these servers, I believe that the following command and control domain names constitute a cluster of malicious activity operated by the same set of operators: – – – – – – – – – – – – – – – – – – – – – Steven Lucas – – – – – – – – – – –

This post will explore the relationships between these domains and other malicious activity, primarily Zeus activity, undertaken by other domain names registered with the same email addresses in order to explore the theory that there is a “core” of Zeus activity. While the malicious activity primarily relates to Zeus there are some significant exceptions. The domain name was used as a command and control server for the Ambler botnet. For the period I observed the Ambler activity, over 5000 IP addresses from compromised computers, 99% of which were from Russia, checked in with the command and control server. In addition, I found that was acting as a SpyEye command and control server in addition to a Zeus command and control server.

This screenshot shows the relationship between the command and control domain names, the malicious activity associated with them, and the IP address that each domain name resolves to. While there are several instances in which some domain names were co-hosted on the same server, nearly half were not. This makes sense, as operators will seek to diversify their hosting in order to avoid a complete shutdown should one of their command and control servers be taken down or blocked. In fact, looking at the time span, covering October 2009 to September 2010, we can see how the operators moved their operations from one server to the next.

The operators of this malware cluster tend to host their command and control servers in Eastern Europe and China.

In order to assess this cluster’s possible linkages within the broader malware ecosystem, the data set was expanded to include a) other domain names registered with the same email addresses and b) the IP addresses of the servers associated with the malicious activity imported from ZeusTracker and MalwareDomainList. This extends the geographic scope of the hosting servers into North America, in addition to the previous locations in Eastern Europe (UA, RU, CZ, MD) and South East Asia (CN, TW).

Looking at the relationships between the domains, we see that there are two interesting clusters, and arguably a few smaller ones as well. These represent concentrations of servers registered with the same email addresses. The two main clusters are domain names registered to: and

An interesting fact about the “Lucas” cluster becomes apparent when you look at the time line of malicious activity (the date when the domain name was added to ZeusTracker or MalwareDomainList). The Lucas cluster is primarily active January – November 2009 (although there is some subsequent activity) while very few domains registered with other email addresses are active.

This is followed by the introduction of the “Kneber” domains which begin on the tail end of the Lucas cluster’s activity. The Kneber domain names begin in November 2009 and continue into October 2010. While the domain names registered with the remaining email addresses do also roughly follow a similar pattern of beginning while the previous one tails off, Kneber remains fairly constant once it begins.

In Part 1, I showed that there are clusters of Zeus activity centred around a set of email addresses used to register domain names. Using qualitative data from my investigations, I’ve found a Zeus cluster that uses domain names registered by some, but not all, of these key email addresses, including and This cluster has transitioned through domain names registered by a variety of email addresses over the last year. When the data set is expanded to include all the domain names registered by these email addresses in ZeusTracker and MalwareDomainList, we see the same pattern of transition play out. This supports the theory that while Zeus is a toolkit that allows anyone to create a botnet, there is a “core” of Zeus activity.

However, this cluster of 16 domain names is only a small portion of the “core” Zeus activity associated with the five key email addresses. According to DomainTools, these five addresses are associated with about 1839 domain names in total:
is associated with about 717 domains
is associated with about 449 domains
is associated with about 110 domains
is associated with about 263 domains
is associated with about 300 domains

These email addresses have been used to register a variety of domain names associated with all manner of malicious activity, not exclusively Zeus activity. While this could be part of a centralized effort to distribute command and control servers to be operated by sub-groups, I am not sure that it is best to attribute all the malicious activity across these domains to the same set of actors. Even if these domain names represent the efforts of the same set of actors, they appear to be distributed to smaller groups of operators. These operators don’t necessarily have connections with others managing domain names hosted on the same infrastructure and/or registered with the same email addresses.

However, this simple clustering method does provide us with concentrations of malicious activity that should be investigated further. The introduction of qualitative data provides the ability to probe the operations of specific groups further. In the future I’d like to acquire a list of all 1800 domain names and layer on historical hosting data to see if any further patterns emerge.

Clustering Zeus Command and Control Servers

Recently, more than 150 individuals around the world have been arrested on bank fraud related charges after using the Zeus malware to acquire credentials that enabled the criminals to steal more than $70 million. Those arrested include five Ukrainian individuals who are believed to be the masterminds behind the operation. Brian Krebs notes that there is a correlation between the decreasing number of active Zeus command and control servers and the timing of the arrests.

This is interesting because while “the media” often portrays Zeus as “a botnet”, the security community rightly points out that Zeus is a malware toolkit, not “a” botnet, and that there are multiple Zeus botnets. However, what explains the decrease in Zeus command and control servers following the disruption of just one Zeus operation? While it is certainly true that any aspiring criminal can acquire Zeus and begin his or her own operation, is there a Zeus “core” that is organized and connected through links in the criminal underground? Having just returned from Palantir’s Govcon feeling inspired, I imported Zeus data from MalwareDomainList and ZeusTracker to explore the links between Zeus command and control servers.

While there are definitely more indicators, I focused on three: IP addresses, domain names, and the email addresses used to register domain names. The IP addresses represent the servers that are used to host command and control servers. One such server may host multiple command and control servers, allowing one to cluster malicious domain names that are hosted on the same server. Domain names are useful indicators but essentially have a one-to-one relationship, so it is more valuable to cluster them by the email address used to register the domain name. Using these indicators, the Zeus command and control domain names can be clustered based on co-hosting (on the same IP address) and mutual registration (same email address). This may provide some indication of whether there is a “core” of Zeus activity.

However, there are significant limitations to bear in mind. Malicious hosting services are available in the criminal underground, so while a single server may be a hotspot of malware activity, the activity hosted there may not be directly related. Some command and control servers may be using fast flux, which would negate clustering by IP address altogether. Some command and control servers are addressed by IP only and have no domain names associated with them. Conversely, a single domain name may be used for a variety of purposes. (For example, I have found a domain name that hosts both a Zeus and a SpyEye command and control server, despite the reported rivalry between them.) In addition, botnet operators may register a variety of domain names from a variety of email addresses; in such cases, clustering by email address would not yield significant links. Finally, there may be suppliers of domain names in the malware underground that register domain names with email addresses under their control but sell the domain names to other criminals. In such cases, while the email address may be the same, the operators of the botnets may not be directly related.

The data set used contains 5,907 domain names (control servers) and 4,505 IP addresses (servers) drawn from ZeusTracker and MalwareDomainList (where the activity description on MDL contains “zeus”). Here, the 4,505 IP addresses have been geocoded (not all successfully) and displayed using Palantir’s heatmap. While there is Zeus activity hosted all over the world, there are noticeable concentrations in Europe, the United States and China.

This cluster on the Palantir graph represents the relationship between 5,907 domain names (control servers) and 4,505 IP addresses (servers). This initial display highlights a few interesting indicators. Several clusters are visually apparent which show multiple domain names hosted on one server (there are three prominent “star” clusters and several smaller ones), and there is a discernible “tree” structure in the center indicating relationships between single domain names that have been hosted on multiple IP addresses. We can also see some familiar email addresses used to register multiple domain names, the most notable being “”, which is the email address behind the Kneber botnet.

Zooming in to some of the clusters reveals some interesting behaviors. In this example, one server is hosting 60 domain names. These 60 domain names were registered with 17 different email addresses. When some additional information from MDL is brought in, we see that most of the domains are hosting a Zeus executable with the same name, “patch.exe”, and that there is a naming convention. For example, “” was registered with “” while “” was registered with “”. These domain names were all added to MDL around the same time and, despite the multiple email addresses, it does appear as if this is a single campaign.

In order to explore the question of whether or not there is a Zeus “core” of some sort, I filtered the domain names and IP addresses to those registered with the five most frequently appearing email addresses (with the exception of which is the email address given for those who have used this domain privacy service). Domain names registered with these five email addresses account for 6.09% (360/5907) of the Zeus command and control servers. However, this number increases to 17.9% (360/2004) when the set of control servers is restricted to those that have email data. In addition to several “star” clusters as well as a “tree” in the middle of the graph, we see that these email addresses have been actively propagating Zeus for approximately one year. (The time is derived from when the domain was added to either the MDL or ZeusTracker lists, which is used as a rough indicator of when a domain became active.)
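As an added illustration of the co-hosting and mutual-registration clustering described above, including the fast-flux caveat and the “core” share computed in this paragraph (example code written for this page, not the author’s Palantir workflow; the records, addresses and the privacy-service address are constructed placeholders):

```python
from collections import Counter, defaultdict

# Constructed sample records in the shape of a merged ZeusTracker/MDL export:
# (domain, hosting IP, registrant email or None when WHOIS had no email).
# All names and addresses are placeholders, not indicators from the post.
RECORDS = [
    ("c2-a.example", "203.0.113.10", "reg1@example.net"),
    ("c2-b.example", "203.0.113.10", "reg1@example.net"),
    ("c2-c.example", "203.0.113.10", "reg2@example.net"),   # star: 3 domains, 1 server
    ("c2-d.example", "198.51.100.7", "reg2@example.net"),   # joined to the star via reg2
    ("c2-e.example", "198.51.100.9", "privacy@whois-proxy.example"),
    ("c2-f.example", "198.51.100.9", None),
    ("c2-g.example", "192.0.2.44", "reg3@example.net"),
    ("c2-g.example", "192.0.2.45", "reg3@example.net"),     # tree: 1 domain moved server
    ("c2-h.example", "192.0.2.46", None),
]
PRIVACY_SERVICE = "privacy@whois-proxy.example"   # placeholder proxy address

def cluster_domains(records, max_ips=5):
    """Union-find over domains: link domains that share a hosting IP
    (co-hosting) or a registrant email (mutual registration). A privacy
    proxy address links nothing; a domain seen on more than max_ips servers
    is treated as fast flux and contributes no IP edges."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    ips = defaultdict(set)
    for domain, ip, _ in records:
        ips[domain].add(ip)
    for domain, ip, email in records:
        if len(ips[domain]) <= max_ips:
            parent[find(domain)] = find(("ip", ip))
        if email and email != PRIVACY_SERVICE:
            parent[find(domain)] = find(("email", email))
    groups = defaultdict(set)
    for domain, _, _ in records:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))

def core_share(records, top_n):
    """Share of domains registered by the top_n registrant emails, computed
    both over all domains and over only the domains that have email data."""
    by_domain = {d: e for d, _, e in records if e and e != PRIVACY_SERVICE}
    top = {e for e, _ in Counter(by_domain.values()).most_common(top_n)}
    core = {d for d, e in by_domain.items() if e in top}
    all_domains = {d for d, _, _ in records}
    return len(core) / len(all_domains), len(core) / len(by_domain)
```

With the real data set the second ratio is the 360/2004 figure in the text; the sample returns the same two-ratio shape so the effect of missing WHIOS email data on the denominator is visible.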

When the selection is restricted to only those domain names registered by “”, we can see that these domains are represented across most of the clusters, indicating that many of these domains are co-hosted on the same IP addresses as those registered by our other top email addresses. In addition, the “kneber” domain names are active throughout this year-long period of data.

While a wide variety of criminals may set up disparate Zeus operations, clustering the Zeus command and control infrastructure in this way indicates that there is some evidence to support claims of a “core” set of Zeus operations. This may be one explanation for the observed decrease in active Zeus command and control servers.

However, this data reflects only the relationships between IP addresses, domain names and the email addresses used to register the domain names. There are a variety of additional factors, especially those related to analysis of Zeus malware binaries, that may support these linkages, provide additional linkages or challenge them. Historical data showing coordinated movements to new IP addresses and name servers would provide additional means to cluster command and control servers with a higher degree of accuracy.

In Part 2 of this post I will broaden the analysis in order to see if these tentative conclusions hold with the introduction of additional data.