
New Variant of Zeus Trojan Loses Reliance On C&C Server

Cybercriminals put significant effort into building their data-stealing and spam-pushing botnets, so when things come crashing down because authorities seize control of a botnet’s command and control server, you can imagine how frustrating it is for the fraudsters. Never mind the fact there is a good chance they’d be facing jail time as well. In the past year, we’ve seen several successful botnet takedowns, and authorities and security vendors are continuing the assault against these international cybercrime empires.


(Image: Zeus P2P)

But just like any industry, cybercriminals are competitive and innovative, and constantly looking for ways to make their criminal operations survive and evade those looking to shut them down.

This week, researchers from Symantec shared information on the recent discovery of a new variant of the Zeus Trojan. This new variant of the popular and ever-changing banking Trojan makes use of P2P communication exclusively, leaving the botnet with no single point of failure and ensuring it can be kept alive and gathering data that the cybercriminal can profit from. In other words, this new variant requires no central command-and-control server to control the bots.

“Every peer in the botnet can act as a C&C server, while none of them really are one,” explained Symantec researcher Andrea Lelli in a blog post.

Essentially, every peer in the botnet can act as a C&C server, so a central C&C server is no longer needed: the P2P network itself handles sending and receiving control messages.

Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another, Symantec explains. By taking this approach, even if the C&C server is taken down, the botnet can still communicate with other peers and receive configuration files with URLs of new C&C servers.

“The lack of a command and control server is very much in the model of what we saw last year from TDL-4/Alureon that got it named the indestructible botnet,” Wade Williamson, Senior Security Analyst at Palo Alto Networks, told SecurityWeek. “So it’s very interesting to see Zeus/SpyEye pick up and maybe even extend the use of P2P as a control model. The boundary between. It’s truly distributed (and malicious) web application.”

“We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers,” Lelli explained.

The variant also includes some other new features, including a built-in web server powered by nginx, a popular lightweight open source Web server. “With this, every bot is capable of handling HTTP requests, meaning it can perform C&C functionalities,” Lelli noted. The Waledac/Kelihos bots have been seen using the same tactic.

Symantec also discovered that the communications protocol is increasingly using UDP, a stateless protocol that makes it more difficult to monitor and capture data being exchanged through the botnet. “TCP communications are easy to track and dump, and the bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading stuff like configuration data.”
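To make the resilience argument above concrete for analysts, the following is an added example (not Symantec's or SecurityWeek's code) that models the peer-to-peer configuration distribution the article describes as a simple flood over a peer graph. The ring-with-chords topology, the round-based relaying and the idea of "taking down" a set of peers are all constructed assumptions; the model shows only why removing one node that happened to seed a configuration file does not stop the file from reaching the rest of the network, which is the property that frustrates the classic single-server takedown.

```python
"""Toy model of peer-to-peer configuration gossip in a botnet.

Added illustration, not code from the article or from any analysed sample.
Peers are integers 0..n-1; the graph, the flooding rule and the notion of a
takedown (peers that neither send nor receive) are constructed assumptions.
"""


def make_peer_graph(n: int, chord: int) -> dict[int, set[int]]:
    """Deterministic peer graph: each peer knows its ring neighbours (i-1, i+1)
    plus two long-range chords (i-chord, i+chord).  Deterministic so the
    result is reproducible; a real botnet's peer lists are learned dynamically."""
    graph: dict[int, set[int]] = {}
    for i in range(n):
        graph[i] = {(i - 1) % n, (i + 1) % n, (i - chord) % n, (i + chord) % n}
        graph[i].discard(i)  # guard against self-edges on tiny graphs
    return graph


def gossip_config(graph: dict[int, set[int]], seed_peers, removed=frozenset(),
                  max_rounds: int = 100) -> tuple[float, int]:
    """Flood a configuration file from `seed_peers` through the live peers.

    Peers in `removed` have been taken down: they neither relay nor receive.
    Each round, every peer holding the file hands it to all live neighbours.
    Returns (fraction of live peers that end up with the file, rounds used).
    """
    live = set(graph) - set(removed)
    have = {p for p in seed_peers if p in live}
    rounds = 0
    while rounds < max_rounds:
        fresh = {nb for p in have for nb in graph[p] if nb in live and nb not in have}
        if not fresh:
            break  # nothing new to relay: propagation has converged
        have |= fresh
        rounds += 1
    return (len(have) / len(live) if live else 0.0), rounds


def takedown_after_one_hop(graph: dict[int, set[int]], origin: int) -> float:
    """Scenario from the article: the file was already handed to the origin's
    neighbours before the origin was seized.  Returns the fraction of the
    remaining peers that still receive the file."""
    fraction, _ = gossip_config(graph, seed_peers=graph[origin], removed={origin})
    return fraction


if __name__ == "__main__":
    g = make_peer_graph(40, 7)
    print("no takedown:       ", gossip_config(g, {0}))
    print("origin seized late:", takedown_after_one_hop(g, 0))
    print("origin seized first:", gossip_config(g, {0}, removed={0}))
```

Running it shows that seizing the originating peer before it has relayed anything stops the file, but once even a single hop has happened the remaining graph still reaches every live peer, which is why takedowns of P2P botnets cannot rely on a single seizure.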

“The move from TCP to UDP is also interesting because we have seen that same shift used by extremely evasive tunneling applications like UltraSurf,” Williamson added. “Zeus may be learning a few tricks from these circumventor applications that specialize in tunneling through security.”

Still Not 100% C&C Free

While the cybercriminals have removed the dependency the bots had on the C&C server, Symantec said this doesn’t mean C&Cs are completely out of the picture. “The bot may still decide to contact a C&C server under specific conditions (e.g. when there is stolen data to communicate back to the attackers),” Lelli noted. “If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture.”

In terms of propagation, Symantec warned that Zeus’ main infection vector is via emails containing malicious attachments.

A more detailed analysis from Symantec is available here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
