Zeus Botnet Variant Employs P2P Network Architecture
A new version of the Zeusbot/SpyEye botnet has recently been observed employing a peer-to-peer (P2P) network architecture instead of the simple bot-to-command-and-control (C&C) server model, as reported by the security firm Symantec.
Describing the new variant, Symantec security expert Andrea Lelli added that the architecture is designed to keep the botnet active even while the network is being shut down, as published by infosecurity-magazine.com on February 22, 2012.
The new Zeus/SpyEye variant thus appears to have discarded the C&C server entirely and to rely on the P2P network far more heavily.
In effect, every peer in the botnet can act as a C&C server, although no real C&C server exists. Bots are now able to download configuration files, executables and commands from other bots; Lelli added that every compromised system can also gather data and serve it to other bots.
To implement this functionality, the Zeus variant's authors have embedded the nginx Web server into the Trojan, so that every compromised computer can send and receive data over the Hypertext Transfer Protocol (HTTP).
Because of this change, security researchers have very little chance of pinpointing the attackers, and botnet tracking systems can no longer carry out their function.
The change benefits the attackers because it leaves hardly any clue by which to track them. Disrupting the tracking systems also hampers the operation of the sites that publish IP block lists for Zeus C&C servers worldwide; Symantec's experts note that with Zeus's switch to P2P, the sites producing accurate Zeus C&C IP block lists are hindered.
Organizations depend on such lists to block Zeus traffic at the network level, preventing it from exfiltrating sensitive data and spreading malware. Scrutinizing connection attempts to the listed C&C IP addresses also lets experts identify compromised computers.
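As an added illustration (not code from the article or from Symantec), the Python block below matches a constructed connection log against a constructed C&C block list, the check the article describes, and shows why a bot that talks only to other peers over HTTP never triggers it; all addresses are documentation-range samples and the fan-out count is an assumed illustrative metric, not a published detection rule.

```python
from collections import defaultdict

# Constructed Zeus C&C IP block list (sample values, not real indicators).
ZEUS_CC_BLOCKLIST = {"198.51.100.23", "203.0.113.77"}

# Constructed firewall-style connection log: (source host, destination IP, destination port).
CONNECTION_LOG = [
    ("10.0.0.5", "198.51.100.23", 80),   # classic Zeus: phones home to a listed C&C
    ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.9", "192.0.2.44", 80),      # P2P-style: many unlisted peers over HTTP
    ("10.0.0.9", "192.0.2.45", 80),
    ("10.0.0.9", "192.0.2.46", 80),
    ("10.0.0.9", "192.0.2.47", 80),
    ("10.0.0.9", "192.0.2.48", 80),
    ("10.0.0.12", "192.0.2.10", 443),
]


def hosts_contacting_blocklist(log, blocklist):
    """Return internal hosts that attempted a connection to a listed C&C address.

    This is the network-level check the article describes: a hit identifies
    a compromised computer.
    """
    hits = defaultdict(set)
    for src, dst, _port in log:
        if dst in blocklist:
            hits[src].add(dst)
    return dict(hits)


def http_peer_fanout(log, blocklist, port=80):
    """Count distinct unlisted HTTP destinations per host.

    Illustrates the coverage gap: a peer-served bot exchanges data with other
    infected machines over HTTP (the embedded nginx), none of which appear on a
    C&C list, so the blocklist match above stays silent. The fan-out count is
    an assumed illustrative metric, not a Symantec detection rule.
    """
    peers = defaultdict(set)
    for src, dst, dport in log:
        if dport == port and dst not in blocklist:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}
```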
E-mail attachments disguised as documents are Zeus's main infection vector. The security firm therefore recommends that users remain vigilant with e-mail and avoid opening messages from strangers, as reported by net-security.org on February 22, 2012.
» SPAMfighter News - 28-02-2012