A new version of the Zeus malware has appeared, and it does not look like a minor upgrade but a major custom build of the Trojan. It now sports a P2P capability that does away with the domain-generation algorithm (DGA) used in earlier versions for locating its controller and instead ships with a hardcoded list of IP addresses from which infected PCs fetch new software and config files. That is a throwback to the way the malware used to behave, but it comes with a twist: there is no longer a master URL that infected machines contact to get updates, which makes the Trojan’s activities much harder to track.
Zeus has been a major focus for malware researchers for a couple of years now and the crew behind its creation has been adjusting its tactics from time to time as researchers have gotten better at tracking the bot’s activities and tendencies. In addition to the attention paid by antimalware companies, some major community efforts to track the bot have appeared, and the folks behind one of them, Zeus Tracker, have discovered the new custom version of Zeus that now includes the peer-to-peer functionality.
Many botnets have added similar capabilities in the last few years as researchers have become quite adept at finding and removing the command-and-control servers used to operate the networks of infected machines. The general idea behind the addition of a P2P feature is that if the botmaster can use other infected PCs to distribute updated software and commands to his legions of zombie machines, rather than a central C&C server, then it will be more difficult for researchers to disrupt the botnet. Traditional botnet takedown operations have typically centered on sinkholing one or more of the C&C servers responsible for sending out commands and updated files. But the absence of that centralized authority makes this process more problematic.
The version of Zeus discovered recently by the Swiss Abuse.ch group implements this strategy through a built-in list of IP addresses that each newly infected PC tries to contact in order to receive instructions and updated configuration files. The new bot does this by sending UDP packets to a high-numbered port, looking for like-minded peers. If one responds, the new bot receives a fresh list of IPs of other infected PCs in the botnet. The new version can also check which version of the malware a remote peer is running and download an updated copy if necessary, the researchers said in a blog post analyzing the Zeus update.
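The peer-discovery behaviour described above (bursts of UDP to a high-numbered port on many distinct hosts, most of which never answer) is something a network defender can look for in flow records. The following is an added example written for this page, not code from Abuse.ch or from the Zeus analysis: a small heuristic that parses a constructed, space-separated flow log and flags source hosts whose outbound UDP traffic matches that pattern. The log format, the thresholds and the sample addresses are all assumptions chosen for illustration.

```python
"""Flag hosts whose outbound UDP looks like P2P peer discovery.

Added example (not from the original article). The flow-log format is a
constructed one: "<src> <dst> <proto> <dport> <replied>" where replied is
1 if the destination sent anything back, else 0.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    replied: bool


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed flow-log format."""
    src, dst, proto, dport, replied = line.split()
    return Flow(src, dst, proto.lower(), int(dport), replied == "1")


def find_peer_discovery(
    flows: Iterable[Flow],
    min_peers: int = 20,        # distinct destinations before we care
    min_port: int = 1024,       # "high-numbered" port threshold (assumption)
    max_reply_ratio: float = 0.2,  # real services answer; dead peers do not
) -> Dict[str, Dict[str, float]]:
    """Return {src: {"peers": n, "reply_ratio": r}} for suspicious sources.

    A host probing a hardcoded peer list contacts many distinct IPs on a
    high UDP port and gets few answers, because most listed peers are
    offline, cleaned or firewalled. Legitimate UDP services (DNS, STUN,
    games) either use a handful of servers or get answered.
    """
    total = defaultdict(int)
    answered = defaultdict(int)
    peers = defaultdict(set)
    for f in flows:
        if f.proto != "udp" or f.dport < min_port:
            continue
        total[f.src] += 1
        peers[f.src].add(f.dst)
        if f.replied:
            answered[f.src] += 1

    hits: Dict[str, Dict[str, float]] = {}
    for src, count in total.items():
        ratio = answered[src] / count
        if len(peers[src]) >= min_peers and ratio <= max_reply_ratio:
            hits[src] = {"peers": len(peers[src]), "reply_ratio": ratio}
    return hits


# Constructed sample log: 10.0.0.5 probes 25 distinct hosts on UDP/7777 and
# only 3 answer; 10.0.0.6 does ordinary DNS; 10.0.0.7 talks to 25 hosts on
# UDP/3478 but every one replies (a healthy service, not peer discovery).
SAMPLE_LOG = (
    [f"10.0.0.5 198.51.100.{i} udp 7777 {1 if i < 3 else 0}" for i in range(25)]
    + ["10.0.0.6 10.0.0.53 udp 53 1"] * 30
    + [f"10.0.0.7 203.0.113.{i} udp 3478 1" for i in range(25)]
)


def analyze_sample() -> Dict[str, Dict[str, float]]:
    """Run the heuristic over the constructed sample log."""
    return find_peer_discovery(parse_flow(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for src, info in analyze_sample().items():
        print(f"{src}: {info['peers']} distinct UDP peers, "
              f"reply ratio {info['reply_ratio']:.2f}")
```

The reply-ratio check is what separates peer discovery from noisy but legitimate UDP applications such as VoIP or game clients, which also fan out to many hosts but are answered; tune `min_peers` and `max_reply_ratio` against a baseline of your own network before alerting on this, and treat a hit as a lead for host inspection rather than proof of infection.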
There is still one C&C domain being used to control this particular Zeus botnet, Abuse.ch said, but it is not a static domain: the location of the controller changes over time.
“The HTTP protocol is only being used to drop the stolen data to the Dropzone and/or to receive commands from the botnet master. In fact this means there is no longer a BinaryURL or a ConfigURL that ZeuS Tracker can track. It also makes it quite difficult for security researchers to keep track of the targets. What is interesting is the fact that if everything fails (=no working/active P2P drone can be found and the main C&C is dead) the bot will use the DGA as fallback mechanism,” Abuse.ch wrote in the analysis.
“At first glance this is bad news. But fortunately the new mechanism also has benefits: There is just one ZeuS C&C active at the same time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.”
From data gathered by Abuse.ch, it looks like this particular version of Zeus began a spike in activity in late September. There were some pretty large fluctuations in the number of infected IP addresses over the next couple of weeks, and Abuse.ch was able to sinkhole some of the C&C domains that the version was using. Many of the infected machines are in India, Italy and the U.S., and Abuse.ch said that the highest infected IP count was around 100,000 at one point.
The recently dismantled Kelihos botnet also had a P2P architecture, but its structure was somewhat more complex, with several tiers of machines performing discrete tasks and picking up for one another if there was a disruption in the network.