![[ICO]](/icons/blank.gif){kind=icon}
![[PARENTDIR]](/icons/back.gif){kind=icon}
![[DIR]](/icons/folder.gif){kind=icon}
![[ ]](/icons/unknown.gif){kind=icon}
![[TXT]](/icons/text.gif){kind=icon}
![[ ]](/icons/script.gif){kind=icon}
![[ ]](/icons/compressed.gif){kind=icon}
![[IMG]](/icons/image2.gif){kind=icon}
start win8 already INFECTED... win 8 infected with 5b1e1e909a6efca6cabc0fad8a0458a6
It is generating flows in the rrd, so it is ok. I copied the previous pcap file of ~6GB.
Jin run out of space. I stopped it without desinfecting. The pcap is safe.
The command and control server is 81.88.48.95, port 80/tcp These Netflows are labeled "From-Botnet-TCP-HTTP-Zeus.CC.NonEncrypted-1" in the binetflow file.
In this capture, all the C&C connections are made to a server that is down. It is still an infected Zeus, but the C&C is not working. The connections are like this:
GET /Zz/config.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eyeofgod1.com
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Date: Tue 13 May 2014 14:19:10 GMT
Server: Apache
Last-Modified: Tue 24 May 2011 06:44:15 GMT
Accept-Ranges: bytes
Content-Length: 2431
Connection: close
Content-Type: text/html
Content-Language: fr
<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>...<meta http-equiv=",This change happened on 1970/01/01 07:03:13.638947 in pcap file, and on Tue 13 May 2014 14:19:10 GMT in real life time.
If you are going to analyze this Zeus behavior, consider that most of the C&C was taken down.
To see a working Zeus C&C see the capture called CTU-Malware-Capture-Botnet-78-1