Creating a ZeuS Crimeware Scanhub

As a way to test Scanhub and share how I use it, I will go through the process of setting up a new Scanhub to monitor the ZeuS Botnet Command & Control servers. I’ll show how to create a Scanhub and the Nmap command that will be used to scan the devices, and at the end you’ll see what it looks like to an end user!

Creating a Scanhub

To create a Scanhub you need to have a Shodan account (https://account.shodan.io) and a Scanhub subscription (https://scanhub.shodan.io/pricing). Once you’ve got those things set up, simply click on the big red “Create Scanhub” button on the Dashboard and fill out the short form to create a Scanhub. Note that Scanhub names have to be unique! This means that there can’t be 2 Scanhubs of the same name, to avoid confusion. This is what the form should look like after you click on the “Create new Scanhub” button:

Create new ScanHub

Collecting Data

Awesome, we’ve got a Scanhub up and running so we just need to feed it some data to start crunching. We could upload an XML file manually, but that doesn’t scale well and I want to automatically check the ZeuS trackers at least once a day. Fortunately, that’s very easy to do using bash, cron, cURL, Nmap and your Shodan API key (which is free). First things first: where to get the ZeuS C&C information from? There’s an awesome website that’s dedicated to tracking the ZeuS crimeware: https://zeustracker.abuse.ch/index.php

From there we can download an IP blocklist using cURL, which can then be fed into nmap. To download the file from your Linux shell, simply enter:

curl -o blocklist.txt "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"

Now that we know which servers to scan, what does the Nmap command look like for this Scanhub? I want to gather as much information as possible, including traceroutes, NSE scripts, operating system detection (“-A”) and all open ports (“--open”). To make sure I don’t miss servers that block Ping requests (ICMP), I will also tell Nmap to skip checking whether the host is up or not and just assume that it is (“-P0”). The final command that I’ll be using is:

nmap -iL blocklist.txt --max-retries 1 --max-scan-delay 2 -oX zeus.xml -A -T5 -p- -sS --open -P0

Note that the results of the Nmap scan are saved as XML (“-oX”) and inside a file called “zeus.xml”.

Uploading to Scanhub

The final step is making the data searchable by uploading it to the Scanhub that was created earlier. To do this with your Linux terminal, you need to have a free Shodan API key. The data upload page for each Scanhub also includes basic instructions on how to do this using the API key, and it automatically includes your own key in the example. If you’re not sure what your API key is, simply visit your Shodan account page at https://account.shodan.io and you will see it at the top of the user information. Assuming that your key is called “MY_SHODAN_API_KEY” and your Scanhub is called “zeus-tracker” (note: that name was already taken for this example, so yours will be called differently) then you would enter the following command into your shell:

curl -F nmap_xml=@zeus.xml "https://scanhub.shodan.io/repository/upload/zeus-tracker?key=MY_SHODAN_API_KEY"

And that’s it! Within a few seconds the results will show up on Scanhub and all the information that Nmap gathered (traceroutes, script output, operating systems, geolocation) will be searchable.
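To run the three steps above (download the blocklist, scan it, upload the XML) unattended once a day, here is an added wrapper script that is not part of the original post. It assumes the environment variables SHODAN_API_KEY and SCANHUB_NAME are set, and the working directory and the “run” guard are this example’s own choices; the abuse.ch list contains “#” comment lines, so the script filters those out before handing the file to Nmap.

```shell
#!/bin/sh
# Daily ZeuS Tracker -> Nmap -> Scanhub pipeline (added example, not the post's own script).
# Assumptions: SHODAN_API_KEY and SCANHUB_NAME are exported in the environment;
# WORKDIR and the "run" guard are choices made for this example.
set -eu

BLOCKLIST_URL="https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"
WORKDIR="${WORKDIR:-${HOME:-/tmp}/scanhub-zeus}"

# Fetch the raw blocklist; -f makes curl fail (and the run abort) on an HTTP error.
download_blocklist() {
  curl -fsS -o "$1" "$BLOCKLIST_URL"
}

# The abuse.ch list carries '#' comment lines; keep only well-formed IPv4 addresses,
# de-duplicated, so Nmap's -iL never sees comments or stray text.
clean_blocklist() {
  grep -v '^#' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# The scan from the post: aggressive detection, all ports, XML output, no ping.
scan_targets() {
  nmap -iL "$1" --max-retries 1 --max-scan-delay 2 -oX "$2" -A -T5 -p- -sS --open -P0
}

# Upload the XML to the Scanhub repository named in SCANHUB_NAME.
upload_results() {
  curl -fsS -F "nmap_xml=@$1" \
    "https://scanhub.shodan.io/repository/upload/${SCANHUB_NAME}?key=${SHODAN_API_KEY}"
}

# Network actions only happen when invoked as "zeus-scan.sh run", e.g. from cron:
#   0 3 * * * /usr/local/bin/zeus-scan.sh run
if [ "${1:-}" = "run" ]; then
  mkdir -p "$WORKDIR"
  stamp=$(date +%Y%m%d)
  download_blocklist "$WORKDIR/raw.txt"
  clean_blocklist "$WORKDIR/raw.txt" > "$WORKDIR/targets.txt"
  [ -s "$WORKDIR/targets.txt" ] || { echo "no targets in blocklist" >&2; exit 1; }
  scan_targets "$WORKDIR/targets.txt" "$WORKDIR/zeus-$stamp.xml"
  upload_results "$WORKDIR/zeus-$stamp.xml"
fi
```

Keeping one dated XML per run also leaves you a local history of what was uploaded, which is handy when a Scanhub result needs to be traced back to a specific scan.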

I’ll make another post about the results and how to scale this into analyzing a lot of malware-hosting servers, but for now I hope this has provided some insight into how my usual workflow is when using Scanhub. And if there’s something you would like to have me discuss or cover on the blog please let me know in the comments!

ZeuS Tracker


4 comments

  1. rayda

    What filters does Scanhub support (e.g. country:’xx’)? Outside of having my personal scans visualised, how is this different from the main Shodan engine? (Which is awesome, I’d like to add!!)

    Is there an optimum way to conduct the scan? Assuming I do a basic SYN scan, what would be visualised? Alternatively, if I scan for non-standard ports (random high ports), will those get visualised with banner information?

    • achillean

      The filters were modeled after Shodan, so the same ones that work on Shodan should mostly also work on Scanhub.

      Scanhub is my answer for people that want to have a “mini-Shodan” for their own data. The data that is uploaded to Scanhub is stored completely separate from Shodan, and there is zero overlap in terms of data sharing. Shodan is a search engine where I collect and curate all the data, Scanhub is your own search engine where you collect the data and determine what goes in it.

      And Scanhub makes the most sense if you’re running nmap with at least some scripts enabled. If you’re just doing a SYN scan without anything else, then you will get the geolocation-based filters and of course the port breakdown, but it won’t be the same kind of search engine as Shodan.

      It doesn’t matter what ports you scan though as long as nmap is able to produce some output. Everything that nmap outputs gets indexed and is made searchable on Scanhub.

      Here you can see a host where an NSE script was run to test possibly dangerous HTTP methods as well as a traceroute:

      https://scanhub.shodan.io/scanhub-demo/host/194.44.216.98

      • rayda

        Thanks a ton, that does help… So just to confirm: if I am doing this for internal IP(s), the banner / ports and/or output of the scripts I run would be what I should expect to see?
