Cybercriminals put significant effort into building their data-stealing and spam-pushing botnets, so when things come crashing down because authorities seize control of a botnet’s command and control server, you can imagine how frustrating it is for the fraudsters. Never mind the fact that there is a good chance they’d be facing jail time as well. In the past year, we’ve seen several successful botnet takedowns, and authorities and security vendors are continuing the assault against these international cybercrime empires.
But just like any industry, cybercriminals are competitive and innovative, and constantly looking for ways to make their criminal operations survive and evade those looking to shut them down.
This week, researchers from Symantec shared information on the recent discovery of a new variant of the Zeus Trojan. This new variant of the popular and ever-changing banking Trojan uses P2P communication exclusively, leaving the botnet with no single point of failure and ensuring it can be kept alive and gathering data that the cybercriminal can profit from. In other words, this new variant requires no central Command-and-Control server to control the bots.
“Every peer in the botnet can act as a C&C server, while none of them really are one,” explained Symantec researcher Andrea Lelli in a blog post.
Essentially, every peer in the botnet can act as a C&C server, so a central C&C server is no longer needed: the P2P network itself handles sending and receiving control messages.
Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another, Symantec explains. By taking this approach, even if the C&C server is taken down, the botnet can still communicate with other peers and receive configuration files with URLs of new C&C servers.
“The lack of a command and control server is very much in the model of what we saw last year from TDL-4/Alureon that got it named the indestructible botnet,” Wade Williamson, Senior Security Analyst at Palo Alto Networks told SecurityWeek. “So it’s very interesting to see Zeus/SpyEye pick up and maybe even extend the use of P2P as a control model. The boundary between. It’s a truly distributed (and malicious) web application.”
“We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers,” Lelli explained.
The variant also includes some other new features, including a built-in web server powered by nginx, a popular lightweight open source Web server. “With this, every bot is capable of handling HTTP requests, meaning it can perform C&C functionalities,” Lelli noted. The Waledac/Kelihos bots have been seen using the same tactic.
Symantec also discovered that the communications protocol is increasingly using UDP, a stateless protocol that makes it more difficult to monitor and capture data being exchanged through the botnet. “TCP communications are easy to track and dump, and the bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading stuff like configuration data.”
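As an added illustration, not code from Symantec or SecurityWeek, the following shows how a defender could turn the two traits just described (wide outbound UDP fan-out to distinct peers, and a workstation answering inbound HTTP from its embedded web server) into a flow-level scoring heuristic; the hosts, addresses, ports and thresholds are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

class Flow(NamedTuple):
    """One flow record, as a NetFlow-style exporter would summarise it (constructed)."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int

# Ordinary workstation UDP (DNS, NTP, DHCP, IPsec) that should not count as peer traffic
WELL_KNOWN_UDP = {53, 123, 67, 68, 500, 4500}

def p2p_bot_candidates(flows: List[Flow], internal_prefix: str,
                       peer_threshold: int = 20) -> Dict[str, dict]:
    """Score internal hosts on two traits of the P2P variant described above:
    (1) outbound UDP to many distinct peers on unprivileged ports, and
    (2) the host itself accepting inbound HTTP (a bot acting as C&C).
    Both must be present for a host to be reported; threshold is an assumption."""
    udp_peers: Dict[str, Set[str]] = defaultdict(set)
    http_in: Dict[str, int] = defaultdict(int)
    for f in flows:
        if (f.src.startswith(internal_prefix) and f.proto == "udp"
                and f.dport >= 1024 and f.dport not in WELL_KNOWN_UDP):
            udp_peers[f.src].add(f.dst)
        if f.dst.startswith(internal_prefix) and f.proto == "tcp" and f.dport == 80 \
                and f.src != f.dst:
            http_in[f.dst] += 1
    hits = {}
    for host in set(udp_peers) | set(http_in):
        peers, served = len(udp_peers[host]), http_in[host]
        if peers >= peer_threshold and served > 0:
            hits[host] = {"udp_peers": peers, "http_in": served}
    return hits

def constructed_flows() -> List[Flow]:
    """Synthetic sample: 10.0.0.5 behaves like a P2P peer, 10.0.0.7 like a normal desktop."""
    flows = []
    for i in range(35):                       # 35 distinct UDP peers on high ports
        flows.append(Flow("10.0.0.5", f"203.0.113.{i + 1}", "udp", 20000 + i))
    for i in range(3):                        # other peers fetching from the bot's web server
        flows.append(Flow(f"198.51.100.{i + 1}", "10.0.0.5", "tcp", 80))
    for _ in range(40):                       # normal host: DNS to one resolver, HTTPS out
        flows.append(Flow("10.0.0.7", "10.0.0.2", "udp", 53))
    flows.append(Flow("10.0.0.7", "192.0.2.10", "tcp", 443))
    return flows

if __name__ == "__main__":
    for host, info in p2p_bot_candidates(constructed_flows(), "10.0.0.").items():
        print(f"{host}: {info}")
```

Because the page notes the protocol is unauthenticated and increasingly UDP, payload signatures are unreliable here; a fan-out heuristic like this one keys on behaviour that the variant cannot easily hide from a flow collector.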
“The move from TCP to UDP is also interesting because we have seen that same shift used by extremely evasive tunneling applications like UltraSurf,” Williamson added. “Zeus may be learning a few tricks from these circumventor applications that specialize in tunneling through security.”
Still Not 100% C&C Free
While the cybercriminals have removed the dependency the bots had on the C&C server, Symantec said this doesn’t mean C&Cs are completely out of the picture. “The bot may still decide to contact a C&C server under specific conditions (e.g. when there is stolen data to communicate back to the attackers),” Lelli noted. “If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture.”
In terms of propagation, Symantec warned that Zeus’ main infection vector is via emails containing malicious attachments.
A more detailed analysis from Symantec is available here.