Stephen Withers
Thursday, 23 February 2012 09:41
A variant of the Zeusbot/Spyeye malware has done away with the need for a command and control server, presenting a challenge for future takedown efforts.
Previously, P2P was used to communicate any change in the C&C server's URL between bots. Other techniques have also been used, such as programmatically determining the URLs to be used on particular dates in the event that a bot loses contact completely.
Legally approved takedowns of C&C servers, or merely blocking access to them, have proved successful in putting a crimp in the activities of the botherders. It also provided a lead in the identification of those responsible.
The move to greater use of P2P eliminates the possibility of takedowns (even if we were prepared to tolerate the takedown of any infected computer - at least until it had been disinfected - the widespread use of DHCP means there would be a risk of taking unaffected computers offline) and makes it harder to identify the miscreants. Symantec has not yet determined how data stolen by the new botnet reaches the attacker, but has not ruled out the possibility of a C&C server for that purpose.
Other changes noted by Symantec include a greater use of UDP instead of TCP to make it harder to track and dump data exchanges, and alterations to the compression and encryption used. In addition, the Zeus bot has been found distributing additional malware.
The company warns that "Zeus's main infection vector is emails containing malicious attachments, pretending to look like documents." So be cautious, and don't open attachments from unknown sources.