ZeroAccess C&C / Dropzone


These domains have now been taken from me and sinkholed by Microsoft.

;; ANSWER SECTION: 171043 IN    NS 171043 IN    NS

 ;; ANSWER SECTION: 10 IN CNAME 172800 IN NS 172800 IN NS


ZeroAccess does use a fixed, non-peer-to-peer server to report information to. It might be a command and control server, as some binary-encoded data is returned... I have sinkholed one of the domains (yes, there are more) and got some statistics about a part of the network, though the domain doesn't resolve as expected...

I have seen very little talk about this aspect of ZeroAccess, so I decided to write about it.

If you are not aware of what ZeroAccess is or how it works please read the following great paper by Naked Security.

The project

I've been doing a bit of work on a project to write a Python bot that can blend in as a ZeroAccess bot in its UDP peer-to-peer network. The above paper helped a lot along the way!

Recently I started looking at this project again and fired up some suspended infected VMs in order to continue my work. This is when I noticed the following:

Failing DNS queries to a domain called: I observed the bot doing this before starting its ad-clicking campaign, so I assumed it was related to the malware itself.

I did not see this traffic until ZA received an update over its P2P network. I suspect it is part of its ad-clicking module, as directly after this it will also start visiting ad-related URLs.


So... the domain was not registered. Odd. So I bought it and pointed it to a new VPS. I see a reasonable amount of traffic, but not as much as I thought I would. Some estimate the botnet to be larger than 2 million bots. Surely I should be seeing 100,000s of hits per hour? Well, I am not.


Neither of my infected VMs seems to be visiting my sinkhole. I see DNS look-ups all the time, but when I check the access log, MY IP is not in there. At first I thought that something must trigger the bot to actually visit the domain. Later, when I was running Urlsnarf, I noticed the bot WAS visiting. I was excited and grep'd the sinkhole log for my IP again... but it wasn't there.

Looking closer I noticed that the destination IP the bot was visiting was different from that of my sinkhole! First thought: someone took over my sinkhole. But no, none of that.
The bot either does something with the IP it receives back from its DNS query, or there is a hardcoded IP in there. As you can see, ZeroAccess doesn't even wait for its DNS response... so it must be hardcoded.

In the end I have concluded that it is hardcoded. I took a clean VM, gave it non-existent DNS servers and infected it with ZeroAccess. I ran FakeDNS in order to return an IP record belonging to The bot still visited the same IP as before!

Sinkhole how?

Fact: my infected VMs are visiting 'my sinkholed domain' on a different IP. How is it possible that I still see traffic on my Sinkhole VPS?

My theory is that some bots are going through transparent proxies that will make the HTTP traffic go to its correct destination. 


Domain:                            ResolveTo:                               ConnectTo:** (Rackspace) (AS47869 NETROUTING-AS)****          (AS49981 WORLDSTREAM)

*update 2013/09/23:**                   (AS49981 WORLDSTREAM)

*Whois says it is a sinkhole. Should see the same traffic as me. 
**My Sinkhole


The URL is a large base64-encoded string that translates to something like this:


v = version
id = (?) not the Bot-ID; it changes too much.
aid = Advertisement ID (?)
sid = Privilege (?)
os = operating system based on the NT version
fp = Flash Plugin
ad = Admin (?)

Sinkhole Statistics:

Requests per day:

26/Aug/2013  282271
27/Aug/2013  290942
28/Aug/2013  297248
29/Aug/2013  317735
30/Aug/2013  308136
31/Aug/2013  286408
01/Sep/2013  302838
02/Sep/2013  301562
03/Sep/2013  305904
04/Sep/2013  253401
05/Sep/2013  204235
06/Sep/2013  202459

Unique IP per day:

26/Aug/2013 13195
27/Aug/2013 13082
28/Aug/2013 12871
29/Aug/2013 13228
30/Aug/2013 12994
31/Aug/2013 12583
01/Sep/2013 12320
02/Sep/2013 12808
03/Sep/2013 13382
04/Sep/2013 13259
05/Sep/2013 13389
06/Sep/2013 13099

More statistics will come; I am thinking about how to make 'accurate' stats. I do not see a bot ID, so I have to trust the source IP, but I already see many IPs with multiple bots behind them... argggg *help*

Sample of my current output (50 / 3,800,000):

72.168.96.xx    08/Sep/2013:05:19:34    v=6.0   id=a9543429     aid=30585       sid=0   os=6.1-64       fp=11.8.800.94  ad=1
50.57.104.xx    08/Sep/2013:05:19:34    v=6.0   id=e95f964f     aid=30500       sid=8   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:34    v=6.0   id=f002a4ab     aid=30500       sid=6   os=6.1-32       fp=0            ad=0
                08/Sep/2013:05:19:36    v=6.0   id=26eac959     aid=30549       sid=1   os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:36    v=6.0   id=4aece309     aid=30585       sid=0   os=5.1-32       fp=0            ad=0
50.56.58.xx     08/Sep/2013:05:19:36    v=6.0   id=00000000     aid=10000       sid=0   os=6.1-64       fp=11.8.800.94  ad=1
112.198.77.xx   08/Sep/2013:05:19:38    v=6.0   id=558eccda     aid=30501       sid=10  os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:38    v=6.0   id=79e401a6     aid=30549       sid=0   os=6.0-32       fp=11.8.800.94  ad=1
183.91.10.x     08/Sep/2013:05:19:39    v=6.0   id=62773f89     aid=30294       sid=0   os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:39    v=6.0   id=4ed99176     aid=30566       sid=6   os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:39    v=6.0   id=5dfd3a0f     aid=30566       sid=2   os=6.1-32       fp=11.8.800.94  ad=1
50.57.190.xx    08/Sep/2013:05:19:39    v=6.0   id=cca3b301     aid=51019       sid=5   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:39    v=6.0   id=60e31976     aid=30538       sid=0   os=6.1-64       fp=11.4.402.278 ad=1
                08/Sep/2013:05:19:39    v=6.0   id=9402af2e     aid=30445       sid=0   os=6.0-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:40    v=6.0   id=8ebe4807     aid=10000       sid=0   os=6.1-64       fp=11.7.700.169 ad=1
67.142.182.xx   08/Sep/2013:05:19:40    v=6.0   id=f00345c1     aid=51061       sid=5   os=6.0-64       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:41    v=6.0   id=1e32676a     aid=30398       sid=0   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:41    v=6.0   id=182ff12a     aid=30549       sid=2   os=6.1-64       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:42    v=6.0   id=736a231d     aid=30435       sid=0   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:42    v=6.0   id=ed79bc76     aid=30532       sid=1   os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:42    v=6.0   id=d4691365     aid=30532       sid=1   os=6.1-64       fp=             ad=1
                08/Sep/2013:05:19:42    v=6.0   id=2dbd22d6     aid=30585       sid=0   os=6.0-32       fp=11.8.800.94  ad=1
141.105.97.xx   08/Sep/2013:05:19:42    v=6.0   id=731746bd     aid=30443       sid=4   os=5.1-32       fp=11.6.602.180 ad=1
                08/Sep/2013:05:19:42    v=6.0   id=29d0edb1     aid=30516       sid=1   os=6.0-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:43    v=6.0   id=7445c17e     aid=30549       sid=1   os=6.1-64       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:43    v=6.0   id=00000000     aid=10000       sid=0   os=6.1-64       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:44    v=6.0   id=62364193     aid=30421       sid=2   os=6.1-32       fp=11.8.800.94  ad=0
                08/Sep/2013:05:19:45    v=6.0   id=16fc44a2     aid=30435       sid=6   os=6.1-32       fp=             ad=1
                08/Sep/2013:05:19:47    v=6.0   id=83d3f7a3     aid=30500       sid=6   os=6.1-64       fp=11.8.800.94  ad=1
37.8.104.xx     08/Sep/2013:05:19:47    v=6.0   id=c324a019     aid=30005       sid=0   os=6.1-32       fp=             ad=1
                08/Sep/2013:05:19:48    v=6.0   id=cc05935c     aid=30530       sid=2   os=6.0-32       fp=11.8.800.94  ad=1
97.73.51.xx     08/Sep/2013:05:19:48    v=6.0   id=8e8ae22e     aid=30549       sid=2   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:48    v=6.0   id=766544d6     aid=30530       sid=2   os=5.1-32       fp=11.7.700.169 ad=1
186.216.191.x   08/Sep/2013:05:19:50    v=6.0   id=9f13a702     aid=30500       sid=7   os=6.1-32       fp=11.8.800.94  ad=1
72.169.224.xx   08/Sep/2013:05:19:50    v=6.0   id=c12529dd     aid=30532       sid=1   os=6.0-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:50    v=6.0   id=32fe545b     aid=30506       sid=0   os=6.0-32       fp=11.7.700.202 ad=1
69.70.6.xx      08/Sep/2013:05:19:50    v=6.0   id=da506625     aid=30549       sid=1   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:50    v=6.0   id=515363f0     aid=30585       sid=0   os=6.1-64       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:51    v=6.0   id=dfe1cade     aid=30500       sid=6   os=6.1-64       fp=             ad=1
                08/Sep/2013:05:19:51    v=6.0   id=0427de30     aid=30500       sid=8   os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:52    v=6.0   id=299311a2     aid=30500       sid=7   os=6.1-32       fp=11.8.800.94  ad=0
                08/Sep/2013:05:19:53    v=6.0   id=0755e543     aid=30500       sid=6   os=6.1-64       fp=11.9.900.85  ad=1
50.57.190.xx    08/Sep/2013:05:19:53    v=6.0   id=234c7547     aid=30500       sid=7   os=6.1-64       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:53    v=6.0   id=00000000     aid=10000       sid=0   os=6.1-64       fp=11.6.602.180 ad=1
67.142.183.xx   08/Sep/2013:05:19:53    v=6.0   id=20219f2e     aid=30585       sid=0   os=6.1-64       fp=11.8.800.94  ad=1
124.121.36.xx   08/Sep/2013:05:19:54    v=6.0   id=09281685     aid=30435       sid=0   os=5.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:54    v=6.0   id=331a3ce0     aid=30538       sid=0   os=5.1-32       fp=             ad=0
                08/Sep/2013:05:19:54    v=6.0   id=2ed99a09     aid=30500       sid=6   os=6.1-64       fp=11.8.800.94  ad=1
101.255.45.xx   08/Sep/2013:05:19:54    v=6.0   id=362bbbbd     aid=30329       sid=2   os=6.1-32       fp=11.8.800.94  ad=1
                08/Sep/2013:05:19:55    v=6.0   id=2f2ad301     aid=30500       sid=5   os=6.1-64       fp=11.8.800.94  ad=1
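As an added example (not code from the original post), the following Python decodes a beacon into the v/id/aid/sid/os/fp/ad fields, parses lines in the output format shown above, and builds the per-day statistics while using distinct (ip, os, fp) tuples as a lower bound on the number of hosts behind one source IP. The base64 layout of the real URL is not on this page, so the k=v&k=v encoding is an assumption, and the sample log lines are constructed.

```python
import base64
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode

FIELDS = ("v", "id", "aid", "sid", "os", "fp", "ad")

def encode_beacon(fields):
    # Assumed layout (not confirmed by the post): base64 of a k=v&k=v string
    raw = urlencode([(k, fields.get(k, "")) for k in FIELDS]).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_beacon(b64_path):
    # Inverse of encode_beacon; restores base64 padding stripped from the path
    s = b64_path.strip("/")
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    kv = dict(parse_qsl(raw.decode("ascii", "replace"), keep_blank_values=True))
    return {k: kv.get(k, "") for k in FIELDS}

def parse_log_line(line):
    # '<ip> <dd/Mon/yyyy:HH:MM:SS> v=.. id=.. ... ad=..'; a bare 'fp=' stays ""
    ip, stamp, *kv = line.split()
    rec = {"ip": ip, "day": stamp.split(":", 1)[0]}
    for item in kv:
        k, _, val = item.partition("=")
        rec[k] = val
    return rec

def daily_stats(lines):
    # Per day: requests, unique IPs and a lower bound on hosts. 'id' changes
    # too much to be a bot ID (see the post), so hosts are counted as distinct
    # (ip, os, fp) tuples: a different OS or Flash version behind the same IP
    # cannot be the same machine. Same OS and Flash may still hide more hosts.
    req, ips, hosts = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in lines:
        r = parse_log_line(line)
        req[r["day"]] += 1
        ips[r["day"]].add(r["ip"])
        hosts[r["day"]].add((r["ip"], r.get("os", ""), r.get("fp", "")))
    return {d: {"requests": req[d], "unique_ips": len(ips[d]),
                "min_hosts": len(hosts[d])} for d in req}

# Constructed sample in the post's output format (TEST-NET IPs, not real data)
SAMPLE_LOG = """\
192.0.2.10     08/Sep/2013:05:19:34  v=6.0  id=a9543429  aid=30585  sid=0  os=6.1-64  fp=11.8.800.94  ad=1
198.51.100.7   08/Sep/2013:05:19:34  v=6.0  id=e95f964f  aid=30500  sid=8  os=5.1-32  fp=11.8.800.94  ad=1
198.51.100.7   08/Sep/2013:05:19:34  v=6.0  id=f002a4ab  aid=30500  sid=6  os=6.1-32  fp=  ad=0
203.0.113.5    08/Sep/2013:05:19:36  v=6.0  id=00000000  aid=10000  sid=0  os=6.1-64  fp=11.8.800.94  ad=1
203.0.113.5    08/Sep/2013:05:19:40  v=6.0  id=8ebe4807  aid=10000  sid=0  os=6.1-64  fp=11.8.800.94  ad=1
198.51.100.7   09/Sep/2013:01:00:00  v=6.0  id=e95f964f  aid=30500  sid=8  os=5.1-32  fp=11.8.800.94  ad=1
""".splitlines()
```

Running `daily_stats(SAMPLE_LOG)` on the constructed sample reports 3 unique IPs but at least 4 hosts for 08/Sep/2013, because 198.51.100.7 shows two different OS versions.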


  1. The DNS resolving is probably just in case the original server goes down.
