SecurityWeek

Malware & Threats

New Variant of Zeus Trojan Loses Reliance On C&C Server

Cybercriminals put significant effort into building their data-stealing and spam-pushing botnets, so when things come crashing down because authorities seize control of a botnet’s command and control server, you can imagine how frustrating it is for the fraudsters. Never mind the fact that there is a good chance they’d be facing jail time as well. In the past year, we’ve seen several successful botnet takedowns, and authorities and security vendors are continuing the assault against these international cybercrime empires.


But just like any industry, cybercriminals are competitive and innovative, and constantly looking for ways to make their criminal operations survive and evade those looking to shut them down.

This week, researchers from Symantec shared information on the recent discovery of a new variant of the Zeus Trojan. This new variant of the popular and ever-changing banking Trojan uses P2P communication exclusively, leaving the botnet with no single point of failure and ensuring it can be kept alive and gathering data that the cybercriminal can profit from. In other words, this new variant requires no central command-and-control server to control the bots.

“Every peer in the botnet can act as a C&C server, while none of them really are one,” explained Symantec researcher Andrea Lelli in a blog post.

Essentially, every peer in the botnet can act as a C&C server, so a central C&C server is no longer needed: the P2P network itself handles sending and receiving control messages.

Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another, Symantec explains. By taking this approach, even if the C&C server is taken down, the botnet can still communicate with other peers and receive configuration files with URLs of new C&C servers.

“The lack of a command and control server is very much in the model of what we saw last year from TDL-4/Alureon that got it named the indestructible botnet,” Wade Williamson, Senior Security Analyst at Palo Alto Networks, told SecurityWeek. “So it’s very interesting to see Zeus/SpyEye pick up and maybe even extend the use of P2P as a control model. The boundary between. It’s a truly distributed (and malicious) web application.”

“We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers,” Lelli explained.

The variant also includes some other new features, including a built-in web server powered by nginx, a popular lightweight open source Web server. “With this, every bot is capable of handling HTTP requests, meaning it can perform C&C functionalities,” Lelli noted. The Waledac/Kelihos bots have been seen using the same tactic.


Symantec also discovered that the communications protocol is increasingly using UDP, a stateless protocol that makes it more difficult to monitor and capture data being exchanged through the botnet. “TCP communications are easy to track and dump, and the bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading stuff like configuration data.”

“The move from TCP to UDP is also interesting because we have seen that same shift used by extremely evasive tunneling applications like UltraSurf,” Williamson added. “Zeus may be learning a few tricks from these circumventor applications that specialize in tunneling through security.”
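As an added, defender-side illustration that is not part of the Symantec or SecurityWeek material, the script below turns the two behaviors described above (a host exchanging UDP with many distinct external peers, and a workstation accepting inbound HTTP because it runs its own web server) into a simple hunt over flow records. The flow records, IP ranges, ports and the peer threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, proto, dst_port). Not real telemetry.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "udp", 41234),   # workstation fanning out over UDP
    ("10.0.0.5", "203.0.113.11", "udp", 38001),
    ("10.0.0.5", "198.51.100.7", "udp", 51002),
    ("10.0.0.5", "198.51.100.8", "udp", 27015),
    ("10.0.0.5", "192.0.2.20", "udp", 60123),
    ("10.0.0.5", "192.0.2.21", "udp", 60124),
    ("10.0.0.5", "203.0.113.10", "udp", 41234),   # repeat peer, must not double count
    ("198.51.100.9", "10.0.0.5", "tcp", 80),      # inbound HTTP to a workstation
    ("10.0.0.8", "10.0.0.2", "udp", 53),          # ordinary internal DNS
    ("10.0.0.8", "192.0.2.99", "udp", 123),       # NTP, ignored as benign noise
    ("10.0.0.8", "203.0.113.50", "udp", 40000),   # one external UDP peer, below threshold
]

INTERNAL_PREFIX = "10."          # assumption: the monitored network is 10.0.0.0/8
BENIGN_UDP_PORTS = {53, 123}     # assumption: DNS and NTP are expected UDP traffic


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def udp_peer_fanout(flows):
    """Count distinct external UDP peers per internal host, ignoring benign ports."""
    peers = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto == "udp" and is_internal(src) and not is_internal(dst) \
                and port not in BENIGN_UDP_PORTS:
            peers[src].add(dst)
    return {host: len(p) for host, p in peers.items()}


def inbound_http_hosts(flows):
    """Internal hosts that accept HTTP from outside, i.e. behave like a web server."""
    return {dst for src, dst, proto, port in flows
            if proto == "tcp" and port == 80 and is_internal(dst) and not is_internal(src)}


def flag_suspects(flows, min_peers=5):
    """Hosts whose UDP fan-out reaches the threshold; note whether they also serve HTTP."""
    fanout = udp_peer_fanout(flows)
    serving = inbound_http_hosts(flows)
    return {host: {"udp_peers": n, "serves_http": host in serving}
            for host, n in fanout.items() if n >= min_peers}


if __name__ == "__main__":
    for host, info in flag_suspects(FLOWS).items():
        print(f"{host}: {info['udp_peers']} external UDP peers, inbound HTTP={info['serves_http']}")
```

Hosts that both fan out over UDP and accept inbound HTTP warrant the closest look; a high fan-out alone is also produced by legitimate P2P software, so the threshold is a triage aid, not a verdict.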

Still Not 100% C&C Free

While the cybercriminals have removed the dependency the bots had on the C&C server, Symantec said this doesn’t mean C&C’s are completely out of the picture. “The bot may still decide to contact a C&C server under specific conditions (e.g. when there is stolen data to communicate back to the attackers),” Lelli noted. “If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture.”

In terms of propagation, Symantec warned that Zeus’ main infection vector is via emails containing malicious attachments.

A more detailed analysis from Symantec is available here.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
