Home Business IT Security Zeusbot goes P2P to avoid blocking efforts

A variant of the Zeusbot/Spyeye malware has done away with the need for a command and control server, presenting a challenge for future takedown efforts.

Symantec has warned that a variant of the Zeusbot/Spyeye malware has done away with the need for a command and control (C&C) server, with that function now being performed by the botnet itself in a peer-to-peer (P2P) manner.

Previously, P2P was used to communicate between bots any change in the C&C server's URL. Other techniques have also been used, such as programmatically determining the URLs to be used on particular dates in the event that a bot loses contact completely.

Legally-approved takedowns of C&C servers, or merely blocking access to them, has proved successful in putting a crimp in the activities of the botherders. In also provided a lead in the identification of those responsible.

The move to greater use of P2P eliminates the possibility of takedowns (even if we were prepared to tolerate the takedown of any infected computer - at least until it had been disinfected - the widespread use of DHCP means there would be a risk of taking unaffected computers offline) and makes it harder to identify the miscreants. Symantec has not yet determined how data stolen by the new botnet reaches the attacker, but has not ruled out the possibility of a C&C server for that purpose.

Other changes noted by Symantec include a greater use of UDP instead of TCP to make it harder to track and dump data exchanges, and alterations to the compression and encryption used. In addition, the Zeus bot has been found distributing additional malware.

The company warns that "Zeus's main infection vector is emails containing malicious attachments, pretending to look like documents." So be cautious, and don't open attachments from unknown sources.


Are you looking to find the most efficient IT Monitoring tool available?

IT Monitoring is an essential part of the operations of any organisation with a significant network architecture.

Multiple IT monitoring platforms are available on the market today, supporting the various needs of small, medium-sized, and large enterprises, as well as managed service providers (MSPs).

This new report studies and compares eight different IT monitoring products in terms of functionality, operations, and usability on the same server platform with 100 end devices.

Which product is easiest to deploy, has the best maintenance mode capabilities, the best mobile access and custom reporting, dynamic thresholds setting, and enhanced discovery capabilities?

Download your free report to find out.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences, a PhD in Industrial and Business Studies, and is a senior member of the Australian Computer Society.