In what seems to be the next evolution of malware, a Zeusbot/SpyEye Trojan network has been discovered in the wild that doesn’t rely on a centralized command-and-control server—instead, the new variants use a peer-to-peer architecture to get the job done.
According to an article in The Register, security researchers at Symantec have dissected the new code and discovered that the virus makers have sought to jettison the weakness of requiring a home base in favor of something that BitTorrent users have known for a long time: being decentralized makes you harder to shut down.
Now cybercrooks have built functionality into Zeusbot/SpyEye that allows instructions to be distributed via P2P techniques as well, eliminating the need for C&C servers. Compromised systems are now capable of downloading commands, configuration files, and executables from other bots, a write-up by security researchers at Symantec explains.
“Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another,” Symantec researcher Andrea Lelli explains. “This way, even if the C&C server was taken down, the botnet was still able to contact other peers to receive configuration files with URLs of new C&C servers.”
The Symantec write-up on the new Zeusbot is available for perusal at their website.
Researchers also discovered that instead of forming long-lasting direct TCP connections, the malware works harder at flying under the radar by sending out UDP packets to which it expects no reply. This makes the malware just a little bit harder to track and allows it to piggyback its signals on traffic that looks like regular operations (such as DNS and other quick-burst communication).
The peer-to-peer exchange appears to take place over HTTP using nginx, an open source minimal Web server. This allows the bots to discover and contact each other as if they were Web servers, which once again means the communication between the bots can be better disguised as ordinary computer use (since most users use the Web a great deal).
Also, the nginx server permits each bot in the entire net to handle and respond to HTTP requests, so any given bot in the botnet can handle command-and-control messages. Web servers in botnets aren’t very new; in fact, the Waledac/Kelihos botnet uses Web servers to communicate—the same botnet obliterated by a Microsoft operation in late 2011.
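As an added example (not code from the article or from Symantec’s write-up), here is a defender-side heuristic over constructed flow records that flags the two behaviours described above: workstations answering HTTP requests for other workstations, and workstations sending unanswered UDP to several peers. The flow tuples, the 10.0.0.0/8 range and the server inventory are assumptions for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records for illustration, not captured traffic:
# (src, dst, proto, dst_port, bytes_returned_by_dst)
FLOWS = [
    ("10.0.1.10", "10.0.0.53", "udp", 53, 120),        # normal DNS lookup, answered
    ("10.0.1.10", "10.0.1.12", "udp", 53, 0),          # DNS-looking UDP to a peer, no reply
    ("10.0.1.10", "10.0.1.13", "udp", 53, 0),
    ("10.0.1.10", "10.0.1.14", "udp", 8053, 0),
    ("10.0.1.12", "10.0.1.10", "tcp", 80, 4096),       # a peer fetching HTTP from a workstation
    ("10.0.1.13", "10.0.1.10", "tcp", 80, 2048),
    ("10.0.1.11", "10.0.0.80", "tcp", 80, 9000),       # normal browsing to the intranet server
    ("10.0.1.11", "93.184.216.34", "tcp", 443, 5000),  # normal outbound browsing
]

INTERNAL = ip_network("10.0.0.0/8")                    # assumed internal range
KNOWN_SERVERS = {"10.0.0.53", "10.0.0.80"}            # assumed inventory of legitimate servers
HTTP_PORTS = {80, 8080}


def is_workstation(ip):
    """Internal host that is not in the server inventory."""
    return ip_address(ip) in INTERNAL and ip not in KNOWN_SERVERS


def peer_http_servers(flows):
    """Workstations that answer HTTP requests from other workstations,
    the shape of the bot-to-bot nginx exchange. Returns {server: [clients]}."""
    clients = defaultdict(set)
    for src, dst, proto, dport, reply in flows:
        if (proto == "tcp" and dport in HTTP_PORTS and reply > 0
                and is_workstation(dst) and is_workstation(src)):
            clients[dst].add(src)
    return {host: sorted(c) for host, c in clients.items()}


def unanswered_udp_senders(flows, min_peers=3):
    """Workstations sending UDP that gets no reply to at least min_peers other
    workstations (DNS-looking traffic to non-DNS hosts). Returns {sender: [peers]}."""
    targets = defaultdict(set)
    for src, dst, proto, dport, reply in flows:
        if proto == "udp" and reply == 0 and is_workstation(src) and is_workstation(dst):
            targets[src].add(dst)
    return {host: sorted(t) for host, t in targets.items() if len(t) >= min_peers}
```

Either signal alone has benign explanations (local dev web servers, chatty discovery protocols); the same host tripping both is what merits a look.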
The write-up released little information about how the command-and-control has been decentralized. It would make sense for the virus maker to key the botnet to their commands in some fashion, to designate a single bot for a short time as command-and-control in order to tell the botnet what to do, and to turn that functionality on and off via contact.
ZeuS and its kin are often used as Trojans to spy on users as they use their computers and to collect sensitive information such as passwords and banking details, and now that information can be carefully doled out across the botnet between different bots. This both makes it harder to kill the entire botnet—whereas before only one C&C server needed to go down—and makes it harder to find the criminals using the net, because they can connect to any given bot in the network and have it siphon their ill-gotten goods to any particular node for exfiltration.
As a botnet source that used to sell time for thousands of dollars a whack, ZeuS probably just made itself even more valuable.
And, as previously noted, the code for this net has been leaked publicly, which means anyone with the know-how can tinker with it and set up a new one.