What security improvements does the critical update pushed to the P2P Zeus botnet bring? Fortinet experts detected and analyzed it.
Security experts at Fortinet have uncovered a critical update pushed out by the criminal ecosystem to the P2P Zeus botnet.
The first P2P Zeus variant was uncovered by Trusteer a couple of years ago; it was used in a series of attacks against major internet service providers and targeted users of popular web services including Facebook, Hotmail, Yahoo and Google Mail.
Zeus has evolved since its source code leaked in the underground: security experts have discovered several versions, including 64-bit builds and a variant able to use the Tor network to hide its C&C.
P2P Zeus, like the other variants, is used mainly for banking fraud because of its ability to steal banking credentials from victims; the current variant supports both the UDP and TCP protocols.
“Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates.” reports the official post.
Fortinet's botnet monitoring system detected that the malware author released a critical update to the P2P botnet. Since the experts started monitoring P2P Zeus traffic, the version number reported in the encrypted update packets has moved from 0x38 (September 2013) to 0x3B (first seen on April 8th, 2014).
Every P2P Zeus instance parses the version number from an update packet and compares it with the one hardcoded in its own binary to decide whether it needs to update itself.
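The check described above, as an added illustration that is not the bot's code nor Fortinet's: a peer parses a version byte from an update packet and updates only when it is newer than the hardcoded one, and a monitor tracking the same traffic reports each version change together with the number of skipped values. The article does not describe the packet layout or the encryption, so the layout below (one version byte, a two-byte length, a payload) is an assumption made for the example and packets are treated as already decrypted.

```python
"""Version-gated update decision and a version-jump monitor.

Added illustration, NOT the bot's or Fortinet's code.  The page only says that
each peer reads a version number from an (encrypted) update packet and compares
it with the version hardcoded in its binary; the packet layout below is an
assumption made for the example, and packets are treated as already decrypted.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Version compiled into the running binary (0x38 was the value seen from
# September 2013 according to the article).
HARDCODED_VERSION = 0x38


@dataclass
class UpdatePacket:
    version: int
    payload: bytes


def build_update_packet(version: int, payload: bytes) -> bytes:
    """Build a packet in the hypothetical layout: 1-byte version, 2-byte
    big-endian payload length, then the payload (e.g. a new binary)."""
    if not 0 <= version <= 0xFF:
        raise ValueError("version must fit in one byte")
    return struct.pack(">BH", version, len(payload)) + payload


def parse_update_packet(data: bytes) -> UpdatePacket:
    """Parse the hypothetical layout, rejecting short or truncated packets so a
    malformed or hostile packet cannot yield a bogus version number."""
    if len(data) < 3:
        raise ValueError("packet too short for header")
    version, length = struct.unpack(">BH", data[:3])
    payload = data[3:3 + length]
    if len(payload) != length:
        raise ValueError("payload truncated")
    return UpdatePacket(version, payload)


def needs_update(packet: UpdatePacket, current: int = HARDCODED_VERSION) -> bool:
    """The check the article describes: update only when the packet carries a
    version strictly newer than the one hardcoded in the binary."""
    return packet.version > current


class VersionMonitor:
    """Tracks the version numbers seen in update traffic, as a botnet monitor
    would, and reports each change with the number of skipped values
    (0x38 -> 0x3B skips 0x39 and 0x3A, the gap the article attributes to
    test builds that were never pushed to all peers)."""

    def __init__(self) -> None:
        self.seen: List[int] = []

    def observe(self, packet: UpdatePacket) -> Optional[dict]:
        previous = self.seen[-1] if self.seen else None
        self.seen.append(packet.version)
        if previous is None or packet.version == previous:
            return None
        return {"from": previous, "to": packet.version,
                "skipped": max(packet.version - previous - 1, 0)}


if __name__ == "__main__":
    # Constructed sample traffic: the long-running 0x38 build, then the 0x3B update.
    stream = [build_update_packet(0x38, b"old"), build_update_packet(0x38, b"old"),
              build_update_packet(0x3B, b"new-binary-with-driver")]
    monitor = VersionMonitor()
    for raw in stream:
        pkt = parse_update_packet(raw)
        change = monitor.observe(pkt)
        print(f"version 0x{pkt.version:02X} needs_update={needs_update(pkt)} change={change}")
```

Because the decision is a strict "newer than" comparison, a peer that has already taken the 0x3B update ignores any 0x38 packets still circulating, and the monitor's `skipped` count is what makes the 0x39/0x3A gap visible without ever seeing those builds.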
The experts at Fortinet analyzed the new P2P Zeus critical update and noted only a few minor changes, apart from the new binary's ability to drop a rootkit driver file into the %SYSTEM32%\drivers folder.
The rootkit is used by the malware author to hide the presence of P2P Zeus and to prevent the deletion of its binary and of its autorun registry entries. For a responder this means that, once the driver is loaded, simply deleting the file and the registry entries from user mode is no longer enough.
The gap in the version numbers (0x39 and 0x3A were never observed) suggests to the experts that between the two versions there were test builds that occasionally appeared in the P2P network, "but they are not being pushed as an update to all peers".
The new P2P Zeus is more resilient thanks to the rootkit; let's wait for further improvements, the Zeus factory never stops.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.