Cracking into the new P2P variant of Zeusbot/Spyeye



Title: Cracking into the new P2P variant of Zeusbot/Spyeye
Botnet: ZeuS, SpyEye
Malware: Zbot
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
CCProtocol: P2P
Date: 2011 / 28 Nov 2011
Editor/Conference: Symantec
Link: (Archive copy)
Author: Andrea Lelli


Recently, Symantec observed a modified variant of ZeuSbot/SpyEye which uses peer-to-peer (P2P) architecture to communicate. The original ZeuSbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)


@misc{2011BFR899,
  editor = {Symantec},
  author = {Andrea Lelli},
  title = {Cracking into the new P2P variant of Zeusbot/Spyeye},
  date = {28},
  month = Nov,
  year = {2011},
  howpublished = {\url{}},
}