Finding Zeus/Zbot in your DNS logs

Run this regular expression over the queried names in your DNS logs to find hosts that are likely compromised (the leading ^ anchor assumes you match the query name on its own, not the whole log line).

^[a-z]{30,}\.biz

e.g.

sdfiehfdkhfuwekjdsfoisdfhjehddfeers.biz
kfdijfkjeifjfgasufdkjfsdukwejkfhiushdf.biz
tqwehgnbzxctfdsowkjdhsfldgjkhmnlskhfsiu.biz

You'll likely see some DGA-style domain lookups under other top-level domains as well; .biz has fewer false positives.
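As an added example (not part of the original post), the script below applies the regex above to a few constructed BIND-style query log lines, groups the hits by client IP, and also records the same 30+-letter shape under other TLDs as lower-confidence hits. The log line layout and the any-TLD variant are assumptions; adjust QUERY_RE for your resolver's format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a BIND 9-style query log layout (assumed format).
SAMPLE_LOG = """\
10-Mar-2013 09:12:01.113 client 10.0.0.12#53412: query: sdfiehfdkhfuwekjdsfoisdfhjehddfeers.biz IN A + (10.0.0.1)
10-Mar-2013 09:12:01.220 client 10.0.0.12#53413: query: kfdijfkjeifjfgasufdkjfsdukwejkfhiushdf.biz IN A + (10.0.0.1)
10-Mar-2013 09:12:02.004 client 10.0.0.44#40211: query: www.example.com IN A + (10.0.0.1)
10-Mar-2013 09:12:02.310 client 10.0.0.12#53414: query: tqwehgnbzxctfdsowkjdhsfldgjkhmnlskhfsiu.biz IN A + (10.0.0.1)
10-Mar-2013 09:12:03.001 client 10.0.0.77#51000: query: averyveryverylonglegitimatehostnamecdnedge01.example.net IN A + (10.0.0.1)
10-Mar-2013 09:12:03.500 client 10.0.0.77#51001: query: abcdefghijabcdefghijabcdefghijxyz.com IN A + (10.0.0.1)
"""

# Pull the client IP and the queried name out of each line (assumed BIND 9 layout).
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

# The post's indicator: 30 or more lowercase letters directly under .biz.
ZBOT_BIZ_RE = re.compile(r"^[a-z]{30,}\.biz")
# Same shape under any TLD (assumed generalisation): noisier, review rather than act on.
DGA_ANY_TLD_RE = re.compile(r"^[a-z]{30,}\.[a-z]{2,}$")


def scan_dns_log(text):
    """Return {client_ip: {"biz": [...], "other_tld": [...]}} for suspicious lookups."""
    hits = defaultdict(lambda: {"biz": [], "other_tld": []})
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line we understand
        client = m.group("client")
        qname = m.group("qname").lower().rstrip(".")  # normalise case and trailing dot
        if ZBOT_BIZ_RE.match(qname):
            hits[client]["biz"].append(qname)
        elif DGA_ANY_TLD_RE.match(qname):
            hits[client]["other_tld"].append(qname)
    return dict(hits)


def compromised_hosts(hits, min_biz_hits=1):
    """Client IPs with at least min_biz_hits high-confidence (.biz) matches."""
    return sorted(ip for ip, h in hits.items() if len(h["biz"]) >= min_biz_hits)


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_LOG)
    for ip in compromised_hosts(results):
        print(ip, "->", ", ".join(results[ip]["biz"]))
    for ip, h in results.items():
        for name in h["other_tld"]:
            print("review:", ip, "->", name)
```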
