Symantec says that Cyber Crooks make ZeroAccess more Durable against External Attacks

According to security firm Symantec, malware creators are continuously developing their formations with the creators of infamous ZeroAccess Trojan as no exception. In late June (2013), Symantec security researchers marked some important changes in the ZeroAccess P2P (peer-to-peer) communication protocol that made the threat increasingly robust and resilient in opposition to exterior manipulation.

ZeroAccess Trojan has been employing the User Datagram Protocol (UDP) since the second quarter of 2012 and it has UDP based networks which work on ports 16464 and 16465 and uses ports 16470 and 16471.

Generally both the networks are updated at about the same time but this time just P2P network that works on ports 16464 and 16465 has been enhanced. HELP NET SECURITY published the reports of researchers on 22nd August, 2013 as stating "Most of the changes of code by the authors of ZeroAccess in this update seem to be in response to a published research on ZeroAccess or other seeming weaknesses which authors found in the code. These changes also confirm that ZeroAccess continues to be developed and remain a threat."

In the latest version, following changes have been made: Figure of supported P2P protocol messages have been reduced from three to two. A secondary internal list of peer is currently used which can embrace over 16 million peer IP addresses which is up from 256 IP addresses. The secondary internal list of peer is stored as Windows NTFS alternate data stream. Also the logic of how a ZeroAccess peer will contact other peers has been tailored. Symantec highlights that checking of Errors and timeouts have been added to the nasty file download TCP links.

Apparently these changes have been designed to protect against denial-of-service attack where a rogue peer attempts to trick a ZeroAccess peer into downloading a large number of files from a rogue peer which would also deliver the data of file slowly.

Finally, other malware authors are also making modifications to their formations and experts have observed that the P2P version of Zeus uses a new range of UDP Port. The modifications have come in reply to a study published by CERT (computer emergency response team) Poland.

» SPAMfighter News - 8/30/2013