Symantec: New ZeuS botnet no longer needs central command servers

A new variant of the ZeuS computer Trojan no longer relies on 'command and control' servers for instructions from attackers

Cybercriminals are using a modified version of the ZeuS computer Trojan that no longer relies on command and control (C&C) servers for receiving instructions, according to Symantec security researchers.

ZeuS is very popular in the cybercriminal world because it's capable of stealing a wide variety of information, documents and login credentials from infected systems. For many years it was the weapon of choice for most fraudsters targeting online banking systems.

The Trojan's source code was published on Internet underground forums last year, paving the way for many third-party modifications and improvements.

In November 2011, security researchers identified a heavily modified ZeuS variant capable of relaying attacker commands from one compromised host to another, in a peer-to-peer-like (P2P) fashion.

That version of the Trojan still connected to a C&C server for dropping stolen data and receiving instructions, but used the P2P system as a fallback mechanism in case the server went down.

However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. "Every peer in the botnet can act as a C&C server, while none of them really are one," Symantec researcher Andrea Lelli said in a blog post Wednesday.

"Bots are now capable of downloading commands, configuration files, and executables from other bots -- every compromised computer is capable of providing data to the other bots," she said.

In order to implement this functionality, the creators of this ZeuS variant have incorporated the nginx Web server into the Trojan, allowing every infected computer to receive and send data over the HTTP protocol.

This makes their botnet more resilient to takedowns, because there's no longer a single point of failure for security researchers to target, and it also prevents botnet tracking systems like ZeusTracker from doing their job.

"Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world," Lelli said, adding that Zeus' switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.

Organizations rely on such lists to block ZeuS traffic at the network level in order to prevent this malware from exfiltrating sensitive data. Monitoring connection attempts for the C&C IP addresses also helps companies identify compromised computers within their networks.

Symantec researchers have seen this new ZeuS variant distributing malware like fake antivirus programs. However, they have yet to figure out how it sends the captured information back to the attackers in the absence of C&C servers.

"Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture," Lelli said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?