Feeds

Peer-to-peer update makes ZeuS botnets harder to take down

Not your father's zombie network

Beginner's guide to SSL certificates

A new strain of the ZeuS crimeware toolkit comes with a peer-to-peer design that lets infected machines bypass centralized servers when receiving updates and marching orders from operators, a researcher said.

The update to a custom-built ZeuS variant known as Murofet could make it harder for white-hat hackers and law-enforcement agents to disrupt botnets by eliminating centralized command and control servers they infiltrate or shut down, said the the researcher with Zeus Tracker, which monitors botnet communications. The researcher, who asked that his name not be included in this article, recently counted machines from more than 100,000 unique IP addresses infected by the custom build.

Zombies under the control of Murofet come with an initial list of IP addresses to query. They send UDP packets to those destinations over high-numbered ports and wait for fellow bots to respond with additional addresses that are also a part of the p2p network.

If the remote node is running a more recent version of the bot software, it then updates the other machine using a TCP connection. The p2p feature was added around the same time the malware scaled back its reliance on a domain generation algorithm, that allowed bots to connect to custom-registered domain names on specific dates.

The new capability gives the ZeuS offshoot p2p capabilities similar to those that Waledac, TDL-4, and other botnets have boasted for years. With the many other advanced features offered by ZeuS, it's surprising it didn't add it years ago.

The new architecture means Murofet no longer uses a static URL to download binary updates and configuration files, and that's likely to make the job of some researchers harder. But despite the new design, the ZeuS malware remains vulnerable, because it still relies on a central domain and falls back on the domain generation algorithm in the event connections to the main command server and p2p drones is lost.

"Its not impossible to track it, but its more difficult than before," the researcher told The Register over instant messenger. "I would say it makes tracking of ZeuS just more complicated but its not *the new super trojan*." ®

Intelligent flash storage arrays

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.