ZeuSbot/Spyeye P2P updated, fortifying the botnet

From Botnets.fr


Botnet: ZeuS, SpyEye, Kelihos, Waledac
Malware: Zbot
CCProtocol: P2P, http
Date: 2012 / 23/02/2012
Editor/Conference: Symantec
Link: http://www.symantec.com/connect/blogs/zeusbotspyeye-P2P-updated-fortifying-botnet
Author: Andrea Lelli


We blogged about a parallel ZeuSbot/SpyEye build near the end of last year that introduced some improvements in the botnet, moving the network architecture away from a simple bot-to-C&C system and introducing the beginnings of a peer-to-peer model. This new variant now uses P2P communication exclusively in order to keep the botnet alive and gathering information.

Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another. This way, even if the C&C server was taken down, the botnet was still able to contact other peers to receive configuration files with URLs of new C&C servers.

With the latest update, the C&C server seems to have disappeared entirely for this functionality. Where bots were previously sending control messages to, and receiving them from, the C&C, those control messages are now handled by the P2P network.

This means that every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots—every compromised computer is capable of providing data to the other bots. We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers.

While these changes make the botnet more resistant to takedown, and equally make it more difficult to track the attackers behind it, they also provide another major benefit to the attackers. ZeuStracker is a site which has had considerable success in tracking and publishing IP block lists for ZeuS C&C servers around the world. With ZeuS switching to P2P for these functions, the site would no longer be able to produce exact ZeuS C&C IP block lists.
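The two paragraphs above make two claims: that a P2P overlay keeps delivering configuration files after the single C&C address is blocked, and that a static IP block list of the ZeuStracker kind then loses its coverage because every bot that relays a config file would have to be listed. The following toy simulation is an added illustration of both points; it is not code from the original post or from Symantec, and the overlay topology, bot counts, version numbers and helper names (`build_network`, `centralized_push`, `p2p_gossip`, `blocklist_targets`, `compare_takedown`) are all constructed assumptions with no relation to the real protocol.

```python
"""Toy model of the architectural shift described in the post: a central C&C
that hands out the configuration file versus a peer-to-peer overlay in which
every bot relays it. Topology, sizes and version numbers are constructed."""
import random
from dataclasses import dataclass, field


@dataclass
class Bot:
    bot_id: int
    peers: set = field(default_factory=set)
    config_version: int = 0                        # newest config this bot holds
    served_to: set = field(default_factory=set)    # peers it handed a config to


def build_network(n_bots: int, extra_links: int, seed: int = 1) -> dict:
    """Constructed overlay: a ring guarantees every bot is reachable, and some
    random extra links make the gossip converge in a handful of rounds."""
    rng = random.Random(seed)
    bots = {i: Bot(i) for i in range(n_bots)}
    for i in range(n_bots):
        j = (i + 1) % n_bots
        bots[i].peers.add(j)
        bots[j].peers.add(i)
    for _ in range(extra_links):
        a, b = rng.sample(range(n_bots), 2)
        bots[a].peers.add(b)
        bots[b].peers.add(a)
    return bots


def centralized_push(bots: dict, cc_reachable: bool, version: int) -> int:
    """Legacy model: each bot fetches the config straight from the C&C URL,
    so blocking that one address starves the whole botnet. Returns the
    number of bots that obtained the new version."""
    if not cc_reachable:
        return 0
    for bot in bots.values():
        bot.config_version = version
    return len(bots)


def p2p_gossip(bots: dict, seed_ids, version: int, max_rounds: int = 100) -> tuple:
    """Post-update model: a few peers hold the new config file and every bot
    that has it passes it to its neighbours; no bot is 'the' C&C.
    Returns (bots holding the new version, gossip rounds used)."""
    for s in seed_ids:
        bots[s].config_version = version
    rounds = 0
    while rounds < max_rounds:
        holders = [b for b in bots.values() if b.config_version == version]
        newly = {}                      # receiver id -> id of the peer that served it
        for h in holders:
            for p in h.peers:
                if bots[p].config_version < version and p not in newly:
                    newly[p] = h.bot_id
        if not newly:
            break
        for p, src in newly.items():
            bots[p].config_version = version
            bots[src].served_to.add(p)
        rounds += 1
    updated = sum(1 for b in bots.values() if b.config_version == version)
    return updated, rounds


def blocklist_targets(bots: dict) -> set:
    """Addresses a ZeuStracker-style block list would have to carry to cut off
    config distribution: in the P2P model, every bot that served a peer."""
    return {b.bot_id for b in bots.values() if b.served_to}


def compare_takedown(n_bots: int = 60, extra_links: int = 40) -> dict:
    """Block the single C&C address in both models and report the outcome."""
    legacy = build_network(n_bots, extra_links)
    legacy_reach = centralized_push(legacy, cc_reachable=False, version=2)
    p2p = build_network(n_bots, extra_links)
    p2p_reach, rounds = p2p_gossip(p2p, seed_ids=[0], version=2)
    return {
        "legacy_reach_after_takedown": legacy_reach,
        "p2p_reach_after_takedown": p2p_reach,
        "gossip_rounds": rounds,
        "legacy_blocklist_size": 1,
        "p2p_blocklist_size": len(blocklist_targets(p2p)),
    }


if __name__ == "__main__":
    for key, value in compare_takedown().items():
        print(f"{key}: {value}")
```

The legacy run reports zero bots updated once the C&C is unreachable, while the gossip run still reaches every bot and the set of addresses that served a config file grows with the botnet rather than staying at one. That is the shift the post describes from blocking a known server address to needing visibility into peer traffic itself.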


 @misc{2012BFR898,
   editor = {Symantec},
   author = {Andrea Lelli},
   title = {ZeuSbot/Spyeye P2P updated, fortifying the botnet},
   date = {2012-02-23},
   month = feb,
   year = {2012},
   howpublished = {\url{http://www.symantec.com/connect/blogs/zeusbotspyeye-P2P-updated-fortifying-botnet}},
 }