Symantec: New ZeuS botnet no longer needs central command servers

A new variant of the ZeuS computer Trojan no longer relies on 'command and control' servers for instructions from attackers

Cybercriminals are using a modified version of the ZeuS computer Trojan that no longer relies on command and control (C&C) servers for receiving instructions, according to Symantec security researchers.

ZeuS is very popular in the cybercriminal world because it's capable of stealing a wide variety of information, documents and login credentials from infected systems. For many years it was the weapon of choice for most fraudsters targeting online banking systems.

The Trojan's source code was published on Internet underground forums last year, paving the way for many third-party modifications and improvements.

In November 2011, security researchers identified a heavily modified ZeuS variant capable of relaying attacker commands from one compromised host to another, in a peer-to-peer-like (P2P) fashion.

That version of the Trojan still connected to a C&C server for dropping stolen data and receiving instructions, but used the P2P system as a fallback mechanism in case the server went down.

However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. "Every peer in the botnet can act as a C&C server, while none of them really are one," Symantec researcher Andrea Lelli said in a blog post Wednesday.

"Bots are now capable of downloading commands, configuration files, and executables from other bots -- every compromised computer is capable of providing data to the other bots," she said.

In order to implement this functionality, the creators of this ZeuS variant have incorporated the nginx Web server into the Trojan, allowing every infected computer to receive and send data over the HTTP protocol.

This makes their botnet more resilient to takedowns, because there's no longer a single point of failure for security researchers to target, and it also prevents botnet tracking systems like ZeusTracker from doing their job.

"Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world," Lelli said, adding that Zeus' switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.

Organizations rely on such lists to block ZeuS traffic at the network level in order to prevent this malware from exfiltrating sensitive data. Monitoring connection attempts for the C&C IP addresses also helps companies identify compromised computers within their networks.

Symantec researchers have seen this new ZeuS variant distributing malware like fake antivirus programs. However, they have yet to figure out how it sends the captured information back to the attackers in the absence of C&C servers.

"Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture," Lelli said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?