Finding Zeus Infected Hosts

Here are a few tricks for finding crimeware hosts on your network.

Zeus in DNS or Proxy Logs:

Look for Domain = *.biz

and regex for “^[a-zA-Z0-9]{30,}\.biz$”

Infected hosts will have lots of lookups to many domains. Utilizing .biz speeds up your search as that TLD is seen less often on most networks than .com or .net.

Zeus Constant Traffic to Google:

HTTP URI = google.com/webhp OR www.google.com.sg

and regex on the URI field for “^(www\.)?google\.com(\.sg)?\/webhp$”

Investigate hosts that match this query more than 50 times in a 24 hour period.

Comments are closed.