Cracking into the new P2P variant of Zeusbot/Spyeye

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Cracking into the new P2P variant of Zeusbot/Spyeye
Botnet ZeuS, SpyEye
Malware Zbot
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol P2P
Date 2011 / 28 Nov 2011
Editor/Conference Symantec
Link http://www.symantec.com/connect/blogs/cracking-new-P2P-variant-zeusbotspyeye (Archive copy)
Author Andrea Lelli
Type

Abstract

Recently, Symantec observed a modified variant of ZeuSbot/SpyEye which uses peer-to-peer (P2P) architecture to communicate. The original ZeuSbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

Bibtex

 @misc{Lelli2011BFR899,
   editor = {Symantec},
   author = {Andrea Lelli},
   title = {Cracking into the new P2P variant of Zeusbot/Spyeye},
   date = {28},
   month = Nov,
   year = {2011},
   howpublished = {\url{http://www.symantec.com/connect/blogs/cracking-new-P2P-variant-zeusbotspyeye}},
 }