Cybercriminals are using a modified version of the Zeusbot/Spyeye, which is using a peer-to-peer (P2P) network architecture, rather than a simple bot to command-and-control (C&C) server system, making the botnet much harder to take down, Symantec warned. ZeuS is very popular in the cybercriminal world because it’s capable of stealing a wide variety of information, documents and login credentials from infected systems.
For many years it was the weapon of choice for most fraudsters targeting online banking systems.The Trojan’s source code was published on Internet underground forums last year, paving the way for many third-party modifications and improvements.
Previously, P2P was used to communicate between bots any change in the C&C server’s URL. Other techniques have also been used, such as programmatically determining the URLs to be used on particular dates in the event that a bot loses contact completely.However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. “Every peer in the botnet can act as a C&C server, while none of them really are one,” Symantec researcher Andrea Lelli said in a blog postWednesday.
Other changes noted by Symantec include a greater use of UDP instead of TCP to make it harder to track and dump data exchanges, and alterations to the compression and encryption used. In addition, the Zeus bot has been found distributing additional malware.
“Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots,” she said.
“Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world,” Lelli said, adding that Zeus’ switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.
Law enforcement has been able to take down botnets in the past by shutting down the C&C servers. However, with a P2P network architecture, a botnet can avoid this single point of vulnerability.