GameOver / Zeus takeover interesting points.

I recently read a blog post by security company FireEye which detailed some of the actions taken against the GameOver / Zeus botnet, commonly known to deploy the CryptoLocker malware that ransoms documents, photos etc.

It pointed readers to a court order about the takeover operation.

It is interesting that they obtained an order to redirect the command and control servers to their own.

The domain used was kratosdns.net. I’m interested in the domain registration WHOIS history, but right now it shows as being owned by the FBI, registered at GoDaddy with the nameservers pointed to GoDaddy. The www. hostname points to a GoDaddy IP but doesn’t have a website on it.

Domain Name: KRATOSDNS.NET
Registry Domain ID: 1859779100_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-05-22 11:40:23
Creation Date: 2014-05-22 11:40:23
Registrar Registration Expiration Date: 2016-05-22 11:40:23
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: FBI Cyber Division
Registrant Organization: Federal Bureau of Investigation
Registrant Street: 935 Pennsylvania Avenue, NW
Registrant City: Washington
Registrant State/Province: District of Columbia
Registrant Postal Code: 20535
Registrant Country: United States
Registrant Phone: +1.2023243000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: cyd-dns@ic.fbi.gov
Registry Admin ID:

The nameservers specified in the order are the following.

ns1.kratosdns.net on the IP address 136.161.101.66
NetRange    136.161.0.0 – 136.161.255.255
CIDR    136.161.0.0/16
Name    PSINET1
Organization    PSI Network One (PNO-2)

The above is pretty nondescript. The second name server specified was

ns2.kratosdns.net on the IP address 204.152.188.2
NetRange    204.152.184.0 – 204.152.191.255
CIDR    204.152.184.0/21
Name    ISC-NET2
Handle    NET-204-152-184-0-1
Organization    Internet Systems Consortium, Inc. (ISC-94-Z)

This one is more interesting. ISC are the creators of BIND, the DNS server software.

Further digging shows that potential DGA (Domain Generation Algorithm) .com and .net domains are being registered using Verisign with no owner details and are pointed at the kratosdns hosts.

Domain Name: ADAQSMVGQSOGALNHDUKNUCXV.COM
Registrar: VERISIGN SECURITY AND STABILITY
Name Server: NS1.KRATOSDNS.NET
Name Server: NS2.KRATOSDNS.NET
Updated Date: 30-may-2014
Creation Date: 30-may-2014
Expiration Date: 30-may-2015

.biz domains are registered under “Neustar Special Projects”.

Domain Name: ADRGGQWSBAPVIEYKRNVCRGYX.BIZ
Domain ID: D60549256-BIZ
Sponsoring Registrar: NEUSTAR SPECIAL PROJECTS
Sponsoring Registrar IANA ID: 1410065395
Registrar URL (registration services): http://www.acrdomainss.com
Domain Status: serverDeleteProhibited
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited
Variant: ADRGGQWSBAPVIEYKRNVCRGYX.BIZ
Registrant ID: CCRCDOMAINS
Registrant Name: Neustar Special Projects
Registrant Address1: 4583 Mountain Forest Street
Registrant City: Colorado Springs
Registrant State/Province: CO
Registrant Postal Code: 80916
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.7201111111
Registrant Email: domainmainco@gmail.com

.org domains are registered under “PIR Special Projects”.

Domain Name:ZTWGJVLJBEKVPRVKGAEIWONPWCH.ORG
Domain ID: D172747075-LROR
Creation Date: 2014-05-30T16:32:36Z
Updated Date: 2014-05-30T18:53:25Z
Registry Expiry Date: 2015-05-30T16:32:36Z
Sponsoring Registrar:PIR Special Projects (R1776-LROR)
Sponsoring Registrar IANA ID: 700074
WHOIS Server:
Referral URL:
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited
Registrant ID:PIR-Legal
Registrant Name:PIR Special Projects
Registrant Organization:
Registrant Street: 1775 Wiehle Avenue, Suite 100
Registrant City:Reston
Registrant State/Province:VA
Registrant Postal Code:20190
Registrant Country:US
Registrant Phone:+1.4166463308
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:support@pir.org

.info domains are registered under “Afilias Special Projects”.

Domain Name:RXSMJLNREUTINPNCQLDCYWC.INFO
Domain ID: D52893286-LRMS
Creation Date: 2014-05-30T16:15:41Z
Updated Date: 2014-05-30T18:17:49Z
Registry Expiry Date: 2015-05-30T16:15:41Z
Sponsoring Registrar:Afilias Special Projects (R556-LRMS)
Sponsoring Registrar IANA ID: 9999
WHOIS Server:
Referral URL:
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited
Registrant ID:Afilias-Legal
Registrant Name:Afilias Special Projects
Registrant Organization:
Registrant Street: Building 3, Suite 105
Registrant City:Horsham
Registrant State/Province:PA
Registrant Postal Code:19044
Registrant Country:US
Registrant Phone:+1.4166463306
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:support@afilias.info
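The records above share a handful of tell-tales that a defender can match on when a suspicious domain turns up in DNS or proxy logs: the nameservers named in the court order, and a registry "special projects" registrant (or Verisign Security and Stability as registrar) holding a long, unpronounceable label. The following is an added example of mine, not code from the post or from any of the organisations it names: it parses the loosely formatted "Key: Value" WHOIS output quoted above (note that the .ORG registry omits the space after the colon) and reports which sinkhole indicators a record carries. The DGA-likeness heuristic (label length and consonant-run length thresholds) is my own assumption, chosen only to flag the labels quoted in this post; it is not a general classifier.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Indicators taken from the WHOIS records quoted in the post: the sinkhole
# nameservers named in the court order and the registry "special projects"
# accounts that hold the seized DGA domains.
SINKHOLE_NAMESERVERS = {"ns1.kratosdns.net", "ns2.kratosdns.net"}
SINKHOLE_HOLDER_TAGS = ("special projects", "verisign security and stability")


@dataclass
class WhoisRecord:
    domain: str = ""
    registrar: str = ""
    registrant: str = ""
    name_servers: List[str] = field(default_factory=list)


# "Key: Value" lines; the separator varies between registries (.ORG output has
# no space after the colon), so the pattern tolerates both forms.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z /()]*?)\s*:\s*(.*?)\s*$")


def parse_whois(text: str) -> WhoisRecord:
    """Pull the fields we care about out of raw WHOIS output."""
    rec = WhoisRecord()
    for line in text.splitlines():
        m = _KV.match(line)
        if not m or not m.group(2):
            continue  # not a key/value line, or an empty value
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            rec.domain = value.lower()
        elif key in ("registrar", "sponsoring registrar"):
            rec.registrar = value
        elif key == "registrant name":
            rec.registrant = value
        elif key == "name server":
            rec.name_servers.append(value.lower())
    return rec


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_dga_like(label: str, min_len: int = 16, min_run: int = 4) -> bool:
    # Assumed heuristic (mine, not from the post): the sinkholed labels are
    # long, purely alphabetic and unpronounceable. A production pipeline would
    # use a trained classifier; this is only enough to flag the records above.
    label = label.lower()
    return (len(label) >= min_len and label.isalpha()
            and longest_consonant_run(label) >= min_run)


def classify(rec: WhoisRecord) -> List[str]:
    """Return the sinkhole indicators present in a parsed record."""
    reasons = []
    if SINKHOLE_NAMESERVERS.intersection(rec.name_servers):
        reasons.append("points at sinkhole nameservers")
    holder = f"{rec.registrar} {rec.registrant}".lower()
    if any(tag in holder for tag in SINKHOLE_HOLDER_TAGS):
        reasons.append("held by registry special-projects account")
    if is_dga_like(rec.domain.split(".")[0]):
        reasons.append("dga-like label")
    return reasons


# Sample inputs: two records quoted in the post, plus one constructed benign
# record (example names) to show the no-match case.
COM_RECORD = """\
Domain Name: ADAQSMVGQSOGALNHDUKNUCXV.COM
Registrar: VERISIGN SECURITY AND STABILITY
Name Server: NS1.KRATOSDNS.NET
Name Server: NS2.KRATOSDNS.NET
Creation Date: 30-may-2014
"""

ORG_RECORD = """\
Domain Name:ZTWGJVLJBEKVPRVKGAEIWONPWCH.ORG
Sponsoring Registrar:PIR Special Projects (R1776-LROR)
Registrant Name:PIR Special Projects
Registrant Email:support@pir.org
"""

BENIGN_RECORD = """\
Domain Name: EXAMPLE-SHOP.NET
Registrar: Example Registrar, LLC
Registrant Name: Example Shop Ltd
Name Server: NS1.EXAMPLE-HOSTING.NET
"""


def main():
    for text in (COM_RECORD, ORG_RECORD, BENIGN_RECORD):
        rec = parse_whois(text)
        print(rec.domain, "->", classify(rec) or ["no sinkhole indicators"])


if __name__ == "__main__":
    main()
```

A match on the nameserver set is the strong signal: a host that resolves one of these domains is a GameOver Zeus victim trying to reach its controllers and has been steered to the sinkhole, so the lookup belongs in an incident ticket rather than in the "blocked, ignore" bucket. The registrant and label heuristics are only there to triage WHOIS output for domains whose nameservers are not yet known.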

I am pleased and impressed to see such a comprehensive law enforcement takeover setup. You can read about my encounter with CryptoLocker here.
