New 'headless' Zeus botnet found
Cybercriminals may have gotten another step ahead of cybersecurity firms with a modified version of the Zeus computer Trojan.
Symantec researchers said the modified Zeus Trojan no longer relies on command and control (C&C) servers to get instructions.
"With the latest update, it seems that the C&C (command and control) server has disappeared entirely for this functionality. Where they were previously sending and receiving control messages to and from the C&C, these control messages are now handled by the P2P (peer-to-peer) network," researcher Andrea Lelli said in a blog post.
Lelli said this means every peer in the botnet can act as a C&C server, while none of them really is one.
Bots are now capable of downloading commands, configuration files, and executables from other bots.
This way, Lelli said, every compromised computer is capable of serving data to the other bots.
"We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers," Lelli said.
Such changes also make the botnet more resistant to takedown and make the attackers behind it correspondingly harder to track.
Symantec also noted that communication has shifted more and more from TCP to UDP, as TCP communications are easy to track and dump.
In the new strain, it said, the data exchange happens over UDP, which makes bot communications more difficult to capture and extract data from.
Zeusbot distributing malware?
Lelli said one interesting thing about the new variant is that the Zeus botnet has been distributing malware.
"The bots communicate with other peers, issuing HTTP requests to download and run two executables. These executables are hosted by other peers in the botnet, and after analysis we discovered they are a fake antivirus risk and a proxy engine," Lelli said.
"This is unusual; we don’t have records of Zeusbot distributing other malware, although it is technically capable of doing so," Lelli added.
Not completely gone?
Still, Lelli said this does not mean the C&C server is completely gone from the new strain: the bot may still decide to contact a C&C server under specific conditions, such as when there is stolen data to communicate back to the attackers.
"If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture," Lelli said. — TJD, GMA News