Cracking into the new P2P variant of Zeusbot/Spyeye
(Publication)
| Cracking into the new P2P variant of Zeusbot/Spyeye | |
|---|---|
| Botnet | ZeuS, SpyEye |
| Malware | Zbot |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | P2P |
| Date | 2011 / 28 Nov 2011 |
| Editor/Conference | Symantec |
| Link | http://www.symantec.com/connect/blogs/cracking-new-P2P-variant-zeusbotspyeye (Archive copy) |
| Author | Andrea Lelli |
| Type | |
Abstract
“Recently, Symantec observed a modified variant of ZeuSbot/SpyEye which uses peer-to-peer (P2P) architecture to communicate. The original ZeuSbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)”
Bibtex
```bibtex
@misc{2011BFR899,
  editor       = {Symantec},
  author       = {Andrea Lelli},
  title        = {Cracking into the new P2P variant of Zeusbot/Spyeye},
  date         = {28},
  month        = Nov,
  year         = {2011},
  howpublished = {\url{http://www.symantec.com/connect/blogs/cracking-new-P2P-variant-zeusbotspyeye}},
}
```