Recently I blogged that we had added the abuse.ch ZeuS Tracker botnet list as a block list source. Last week we confirmed that it worked by seeing that our customers had connections to addresses on that list that were blocked by ThreatSTOP, and which came from systems later confirmed to be infected.
As a result, and because botnet activity seems to be on the increase in recent days, we have now created a dedicated "BOTNETS" block list that includes the addresses from ZeuS and from our other botnet feeds. As of a few minutes ago the entire feed is 2097 ip addresses of which about a fifth (431) are from the ZeuS feed. These numbers are going to vary over time as we will update this list every two hours.
It is critical to note that our list has success because bots are extremely hard to detect using traditional methods - this report from last year states that antivirus programs are not good at all:
” installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% – it’s just 23%.”
Because of the way the ZeuS bot "calls home" - DNS lookups to any one of (at time of writing) 1431 domains, most of which are so-called fastflux domains that change the addresses they resolve to every few minutes, followed by encrypted (HTTPS) communication with a C&C host - usually proxied - network level protection that works on signature analysis is also ineffective. It may be possible to identify that an SSL session with youwillfindtheresomethinginterestinf.com or dadadsaaa.wapdodoit.ru (two of the domains currently used by ZeuS) is suspect, but how about yourgoogleanalytics.com (another one of the currently active domains)?
The simple answer is that no IPS, deep packet inspector or web traffic analyzer will be able to block these communications in time either, all they may do is raise an alert that some traffic just left the organization and while you may manage to detect and remove the bot after it has called home (though as this article notes ZeuS changes names etc. frequently so that can be hard).
The statistics above also show something else. ZeuS uses over 1400 domains at any one time but those domains resolve down to just 400-450 ip addresses. Any modern firewall can block 450 or so addresses, indeed that list is small enough that routers and layer 3 switches could too, but blocking DNS lookups to 1400 or more domains is much harder since it is difficult for a firewall to determine that a particular ip address is one that is resolved by a ZeuS owned domain and because the name space of domains is so much larger than the ip address space.
Any ThreatSTOP subscriber can and should use our new BOTNETS list on firewall that has significant outbound traffic to the Internet from users behind it. If you aren't yet a ThreatSTOP subscriber then this is yet another reason why you should be.