Monday, September 15, 2014

ZeuS Botnet - aticiinsaat.org

ZeuS 2.0.8.9 banking trojan botnet hosted on aticiinsaat.org - 159.253.36.219 (Turkey)

aticiinsaat.org. 8878 IN A 159.253.36.219
Domain Name:ATICIINSAAT.ORG
Domain ID: D171358345-LROR
Creation Date: 2014-03-11T11:26:47Z
Updated Date: 2014-05-11T03:46:02Z
Registry Expiry Date: 2015-03-11T11:26:47Z
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
inetnum:        159.253.36.0 - 159.253.36.255
remarks:        INFRA-AW
netname:        NETINTERNET

Admin login:  

Home:
70 bots (many CN, mixed world installs)
13k reports
OS Stats:
We still see WinXP as the top OS; however, Win7 and Win7 64-bit are catching up.



This machine had another ZeuS/Citadel infection on it as well. You can see it calling home to the gate.php.
(This botnet is offline now too.)



Example of banking credentials being stolen from a victim. Note the HTTPS in the URL.
TLS/SSL does not help here: the ZeuS malware has hooked the browser process and captures the credentials in cleartext before they ever reach the TLS/SSL layer.





