Wednesday, February 20, 2013

Zeroaccess supernodes mapped - part I

Zeroaccess supernodes part I


NB! there are approximately 40.000 nodes so the mapping will be slow

Or it should have been, but my google_maps_api_javascript fu failed me and you just get a small taste plotted on the nice google maps.
However here is the full list at pastebin part_I and part_II

This is an overview of ZeroAccess supernodes tracked in the last three weeks.
These nodes have been online during this period and confirmed infected.

These are nodes that are the backbone of the ZeroAccess network who other bots contact to keep updated. These nodes also communicate with each other mainly on UDP port 16464. They are called supernodes due to the fact that other nodes can communicate with them.

For more info on ZeroAccess check this post

Please note that IP addresses do change over time so some of these might not be alive at the time of publishing.

A good source for ZeroAccess statistics over at malware-lu

5 comments:

  1. How can we get a complete list of Zeroaccess supernodes?

    ReplyDelete
  2. Hi,

    if you look at the post zeroacces network analysis you will see that it is possible to send udp packets to hosts and they will answer back. If you find one infected host(or you infect yourself) you will be able to decode the list of P2P host that you receive in the answer(retL command) from the infected hosts. IT is then just a matter of starting to send more packets around and you will be able to map the ZeroAccess network. Of course new hosts will come in the botnet and some hosts will leave, so at any point we sill not have an exact list. Hope that helps :)

    ReplyDelete
  3. The pastebin links are not existing. Could you please update the list again

    ReplyDelete
  4. Hi,

    Yes the pastes expired after 30 days. I figured that the IP info would be obsolete pretty quickly. Did not want to offend anyone either. At the moment I do not track ZA so I have no updated list. check over at malware.lu if they have updated info.

    ReplyDelete