This time the news is really interesting: Symantec security researchers have detected a new variant of Zeus that does not rely on command and control (C&C) servers to receive its commands.
The wide diffusion of the malware in the cybercrime underground is due to the various development services that have sprung up to modify the agent for specific purposes. The source code of the malware was published in the internet underground, giving third-party organizations the opportunity to modify it and implement the crime-to-crime (C2C) model that we have defined in the past as “malware as a service”.
Zeus is a malware used mainly to steal information, such as bank credentials, from infected PCs. At the end of 2011 a new Zeus variant was identified that uses P2P communication to transfer commands between the compromised hosts of a botnet. Symantec experts discovered that its spreading mechanism is the distribution of fake antivirus programs.
The interesting feature is that P2P communication is used as a backup system in case the C&C servers are not reachable.
Really interesting is the concept of “self-sufficient” peer networks, in which each node can operate as a slave or as a master, giving orders to other PCs and exchanging the information illegally acquired from the victims.
The latest variant isolated by Symantec doesn’t use C&C servers at all, implementing an autonomous botnet. Symantec expert Andrea Lelli declared:
“Every peer in the botnet can act as a C&C server, while none of them really are one,”
“Bots are now capable of downloading commands, configuration files, and executable from other bots — every compromised computer is capable of providing data to the other bots,”
In this kind of botnet each bot works as a web server thanks to nGinx, a minimal web server embedded in the malware. The communications between the nodes of the network are based on the HTTP protocol. This new type of botnet is really worrisome because it is hard to fight: the single point of failure represented in a classic botnet architecture by the C&C servers is absent, so distributed peer networks are very difficult to identify. Tracking systems such as ZeusTracker are not able to track this variant, because they list only the IP addresses of C&C servers and it is impossible to add the complete list of members of a P2P network.
To avoid tracking and traffic dumps the communications mainly use the UDP protocol, because TCP is easily detectable. The bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading data such as configuration files; this weakness could be used to exploit the network.
The handshake phase between bots is carried out using a homemade UDP protocol; after a successful connection the nodes start to exchange data over TCP (e.g. configuration files, lists of other peers, etc.).
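The traffic pattern just described (a UDP exchange with a peer, then a TCP connection with that same peer, with the bot acting both as client and as server towards many external peers) is something a defender can look for in flow logs. The following script is an added example written for this post, not Symantec's or anyone else's detection code; it assumes a simple flow-record format, a 60-second UDP-to-TCP window and a 10.0.0.0/8 internal network, and the flow records are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed flow records for this example: (time_s, src_ip, dst_ip, proto).
# External addresses come from documentation ranges; 10.0.0.0/8 is the
# monitored LAN (assumption for this example).
FLOWS = [
    (0,  "10.0.0.5", "198.51.100.10", "udp"),    # UDP handshake out
    (1,  "198.51.100.10", "10.0.0.5", "udp"),    # handshake reply
    (3,  "10.0.0.5", "198.51.100.10", "tcp"),    # we fetch data from the peer
    (10, "198.51.100.11", "10.0.0.5", "udp"),
    (11, "10.0.0.5", "198.51.100.11", "udp"),
    (12, "198.51.100.11", "10.0.0.5", "tcp"),    # the peer fetches data from us
    (20, "10.0.0.5", "198.51.100.12", "udp"),
    (22, "10.0.0.5", "198.51.100.12", "tcp"),
    (30, "10.0.0.7", "10.0.0.1", "udp"),         # ordinary DNS lookup
    (31, "10.0.0.7", "203.0.113.5", "tcp"),      # then a normal web visit
]

def is_internal(ip):
    return ip.startswith("10.")

def p2p_suspects(flows, min_peers=3, window_s=60):
    """Return internal hosts that show a UDP-then-TCP exchange with at least
    min_peers distinct external peers and act as both TCP client and server."""
    last_udp = defaultdict(dict)   # host -> {peer: time of last UDP flow}
    peers = defaultdict(set)       # host -> peers showing the UDP-then-TCP pattern
    roles = defaultdict(set)       # host -> {"client", "server"} seen in those TCP flows
    for t, src, dst, proto in sorted(flows):
        # Evaluate the flow from the point of view of each internal endpoint.
        for host, peer in ((src, dst), (dst, src)):
            if not is_internal(host) or is_internal(peer):
                continue
            if proto == "udp":
                last_udp[host][peer] = t
            elif (proto == "tcp" and peer in last_udp[host]
                  and t - last_udp[host][peer] <= window_s):
                peers[host].add(peer)
                roles[host].add("client" if host == src else "server")
    return sorted(h for h, p in peers.items()
                  if len(p) >= min_peers and roles[h] == {"client", "server"})

if __name__ == "__main__":
    print("P2P bot suspects:", p2p_suspects(FLOWS))   # ['10.0.0.5']
```

The heuristic is deliberately narrow (the 10.0.0.7 DNS-then-HTTP sequence does not match because the UDP and TCP peers differ), and the window and peer threshold should be tuned against the flow volume of the monitored network.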
What is still a mystery is how the information reaches the botmaster, which is why the analysis is still ongoing. It has been hypothesized that specific conditions can trigger communication with a specific server to transfer, for example, the stolen information. Preliminary research suggests that stolen information is still transmitted back to the botmasters using classic methods rather than relayed through the P2P network.
The Zeus case is not isolated: recently Kaspersky Lab, in collaboration with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, dismantled the second Hlux botnet (aka Kelihos).
This botnet had a scary size: it has been estimated that it was three times larger than the first Hlux/Kelihos botnet dismantled in September 2011. Only 5 days after the operation, Kaspersky Lab had already neutralized more than 109,000 infected hosts. It is estimated that the first Hlux/Kelihos botnet had only 40,000 infected systems.
The event has demonstrated how hard it is becoming to tackle the new generation of botnets, due to the use of peer-to-peer technology, also implemented in Kelihos. The new malware variants incorporate P2P technology to eliminate the need for a C&C server, avoiding detection and the immunization campaigns aimed at decapitating the malicious networks.
To provide another example, we can recall the Alureon/TDL4 botnet, which can survive indefinitely in the absence of its C&C servers, making its detection difficult.
The new trend in botnet development is to give botnets the capability to be “independent” from control servers, surviving and remaining anonymous for long periods while infecting many machines.
The battle is difficult: the changes observed in the botnet scenario are the result of a malware development model that has nothing to envy in the product development of the legitimate industry.