Symantec: New ZeuS botnet no longer needs central command servers

A new variant of the ZeuS computer Trojan no longer relies on 'command and control' servers for instructions from attackers

Cybercriminals are using a modified version of the ZeuS computer Trojan that no longer relies on command and control (C&C) servers for receiving instructions, according to Symantec security researchers.

ZeuS is very popular in the cybercriminal world because it's capable of stealing a wide variety of information, documents and login credentials from infected systems. For many years it was the weapon of choice for most fraudsters targeting online banking systems.

The Trojan's source code was published on Internet underground forums last year, paving the way for many third-party modifications and improvements.

In November 2011, security researchers identified a heavily modified ZeuS variant capable of relaying attacker commands from one compromised host to another, in a peer-to-peer-like (P2P) fashion.

That version of the Trojan still connected to a C&C server for dropping stolen data and receiving instructions, but used the P2P system as a fallback mechanism in case the server went down.

However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. "Every peer in the botnet can act as a C&C server, while none of them really are one," Symantec researcher Andrea Lelli said in a blog post Wednesday.

"Bots are now capable of downloading commands, configuration files, and executables from other bots -- every compromised computer is capable of providing data to the other bots," she said.

In order to implement this functionality, the creators of this ZeuS variant have incorporated the nginx Web server into the Trojan, allowing every infected computer to receive and send data over the HTTP protocol.

This makes their botnet more resilient to takedowns, because there's no longer a single point of failure for security researchers to target, and it also prevents botnet tracking systems like ZeusTracker from doing their job.

"Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world," Lelli said, adding that Zeus' switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.

Organizations rely on such lists to block ZeuS traffic at the network level in order to prevent this malware from exfiltrating sensitive data. Monitoring connection attempts for the C&C IP addresses also helps companies identify compromised computers within their networks.

Symantec researchers have seen this new ZeuS variant distributing malware like fake antivirus programs. However, they have yet to figure out how it sends the captured information back to the attackers in the absence of C&C servers.

"Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture," Lelli said.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?