Blocking the ZeuS Botnet(s)
August 16, 2010 4 Comments
The ZeuS botnet got into the news last week with the announcement that it had led to significant financial losses in the UK. It (or rather they, since there are many separate botnets running the same trojan) is an infection that has been studied by a number of malware researchers.
The Swiss security blog abuse.ch is one of them, and it has been running a dedicated ZeuS Tracker site for some time now which lists the currently active, known ZeuS Command and Control (C&C) hosts. Over the weekend we added this list (currently about 400 IP addresses) to ThreatSTOP as an option for our expert users and applied it to some of our own firewalls.
Since we do not have any ZeuS-infected devices on our network we cannot tell directly whether it is working. However, I am pleased to say that as a by-product it seems to have significantly cut down on the spam we receive. This is not too surprising: in our experience compromised machines are used for many different things, so a computer being both a spammer and a ZeuS C&C host is quite plausible. The fact that our exposure to spam has dropped therefore suggests that the hosts on the list are indeed bad ones, and ones that should be blocked whether or not you care about ZeuS (though you really should care about ZeuS!).
I expect we will shortly move this list into our standard blocklist; for now, any subscriber with expert mode enabled can add it to their devices by checking the appropriate box on the configuration page.
PS: we also added the "denyhosts" list a couple of weeks ago, and that certainly works in cutting down on SSH cracking attempts. SSH cracking goes in waves, but one particular IP address that I monitor sees about one SSH crack attempt every hour or so.
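The post describes the same workflow twice: take a published list of bad IP addresses (the ZeuS Tracker C&C list, the denyhosts list), load it into a firewall, and both block and alert on any traffic that matches. The script below is an added example written for this page; it is not ThreatSTOP's, abuse.ch's or denyhosts' own tooling. It assumes a feed format of one IPv4 address per line with `#` comments, the `ipset`/`iptables` `-m set` syntax of current Linux tools (not the 2010-era `ipset -N` form), the standard netfilter `LOG` target line layout, and a log prefix of my own choosing. The feed text and log lines are constructed, not real feed output or captured traffic.

```python
#!/usr/bin/env python3
"""Turn an IP reputation feed (a C&C list, a denyhosts list) into firewall
rules that log and then drop, and match the resulting kernel log lines back
against the feed so a hit becomes an alert. Example code for this post; not
the tooling of ThreatSTOP, abuse.ch or denyhosts. Feed format is assumed:
one IPv4 address per line, '#' starts a comment."""
import ipaddress
import re

# Constructed sample feed, not real ZeuS Tracker output. It deliberately
# contains the cases a loader must survive: comments, blank lines, a
# duplicate, a malformed address and an RFC 1918 address that must never
# be pushed to the firewall.
SAMPLE_FEED = """\
# C&C IP blocklist (constructed sample)
192.0.2.10
192.0.2.11    # trailing comment
198.51.100.7

192.0.2.10
10.0.0.1
999.1.1.1
203.0.113.45
"""

# Ranges a feed entry may never cause us to block: a bad entry here would
# blackhole our own LAN or loopback. Listed explicitly rather than using
# ip.is_private so the documentation ranges in the sample still pass.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def parse_ip_list(text):
    """Return the feed's usable entries as a sorted, de-duplicated list of
    IPv4 address strings; junk and never-block entries are dropped."""
    keep = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.IPv4Address(line)
        except ValueError:
            continue  # e.g. '999.1.1.1': skip it rather than abort the load
        if any(ip in net for net in NEVER_BLOCK):
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


LOG_PREFIX = "BLOCKLIST "  # assumed prefix; netfilter allows up to 29 chars


def render_rules(ips, set_name="blocklist"):
    """Emit ipset/iptables commands that log, then drop, traffic to or from
    the listed hosts. Logging before dropping is what turns a block into an
    alert: an OUTPUT hit means a machine on our side tried to reach C&C."""
    cmds = [
        f"ipset create {set_name} hash:ip -exist",
        f"ipset flush {set_name}",
    ]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in ips]
    for chain, side in (("OUTPUT", "dst"), ("FORWARD", "dst"), ("INPUT", "src")):
        match = f"-m set --match-set {set_name} {side}"
        cmds.append(f'iptables -A {chain} {match} -m limit --limit 10/min '
                    f'-j LOG --log-prefix "{LOG_PREFIX}"')
        cmds.append(f"iptables -A {chain} {match} -j DROP")
    return cmds


# Pulls the SRC=/DST= fields out of a netfilter LOG line.
_LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+)")


def find_hits(log_lines, ips):
    """Return (src, dst) pairs from kernel log lines that carry our prefix
    and involve a listed address: the alert side of block-and-alert."""
    listed = set(ips)
    hits = []
    for line in log_lines:
        if LOG_PREFIX.strip() not in line:
            continue
        m = _LOG_RE.search(line)
        if m and (m.group(1) in listed or m.group(2) in listed):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed log lines in netfilter LOG layout, not captured traffic.
SAMPLE_LOG = [
    "Aug 16 10:01:02 fw kernel: BLOCKLIST IN= OUT=eth0 SRC=192.168.1.23 DST=192.0.2.11 PROTO=TCP DPT=80",
    "Aug 16 10:01:05 fw kernel: BLOCKLIST IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.1.1 PROTO=TCP DPT=22",
    "Aug 16 10:02:00 fw kernel: OTHER IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP DPT=25",
]

if __name__ == "__main__":
    ips = parse_ip_list(SAMPLE_FEED)
    print("\n".join(render_rules(ips, "zeus_cc")))
    for src, dst in find_hits(SAMPLE_LOG, ips):
        print(f"ALERT: {src} -> {dst}")
```

Two design points matter for a list that is refreshed often, as the tracker list is. First, the loader never aborts on a bad line and never lets a private or loopback address through, because a single malformed feed line should not leave the firewall half-loaded or cut off the LAN. Second, `ipset flush` followed by `ipset add` replaces the set atomically enough for this purpose; editing hundreds of individual iptables rules per refresh is slow and, on a busy firewall, leaves a window with no blocking at all. The `-m limit` on the LOG rule keeps a chatty infected host from filling the log while still producing the alert.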


How are you determining that you don’t have any ZeuS infected devices – or devices infected with something else?
We don’t have ZeuS on the net in question since none of the machines are Windows ones and ZeuS attacks Windows PCs.
In addition, since we know in real time which C&C hosts and domains ZeuS is using, and we block and alert on them at our firewalls, we would know if we had ZeuS.
Pingback: Introducing the BOTNETS block list | The ThreatSTOP Blog