Feeds

Peer-to-peer update makes ZeuS botnets harder to take down

Not your father's zombie network

The essential guide to IT transformation

A new strain of the ZeuS crimeware toolkit comes with a peer-to-peer design that lets infected machines bypass centralized servers when receiving updates and marching orders from operators, a researcher said.

The update to a custom-built ZeuS variant known as Murofet could make it harder for white-hat hackers and law-enforcement agents to disrupt botnets by eliminating centralized command and control servers they infiltrate or shut down, said the the researcher with Zeus Tracker, which monitors botnet communications. The researcher, who asked that his name not be included in this article, recently counted machines from more than 100,000 unique IP addresses infected by the custom build.

Zombies under the control of Murofet come with an initial list of IP addresses to query. They send UDP packets to those destinations over high-numbered ports and wait for fellow bots to respond with additional addresses that are also a part of the p2p network.

If the remote node is running a more recent version of the bot software, it then updates the other machine using a TCP connection. The p2p feature was added around the same time the malware scaled back its reliance on a domain generation algorithm, that allowed bots to connect to custom-registered domain names on specific dates.

The new capability gives the ZeuS offshoot p2p capabilities similar to those that Waledac, TDL-4, and other botnets have boasted for years. With the many other advanced features offered by ZeuS, it's surprising it didn't add it years ago.

The new architecture means Murofet no longer uses a static URL to download binary updates and configuration files, and that's likely to make the job of some researchers harder. But despite the new design, the ZeuS malware remains vulnerable, because it still relies on a central domain and falls back on the domain generation algorithm in the event connections to the main command server and p2p drones is lost.

"Its not impossible to track it, but its more difficult than before," the researcher told The Register over instant messenger. "I would say it makes tracking of ZeuS just more complicated but its not *the new super trojan*." ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.