Malware has Bots Acting as C&C Server

Thursday, February 23, 2012 @ 04:02 PM gHale

The latest Zeus/SpyEye malware changed to a point where researchers’ will have a very difficult time taking down the botnets using it.

A previous version already moved toward replacing the bot-to-C&C system with peer-to-peer capabilities so the bots receive configuration files from other bots, and this new one finalized the transition Symantec researchers said.

Stealth Trojan Hijacks DLL File
New Bot a Phishing Attack
DNS Flaw has Users Seeing Ghosts
Malnets a Constant Moving Target

“This means that every peer in the botnet can act as a C&C server, while none of them really are one,” the researchers said. “Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots. We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers.”

Apart from making such a botnet practically immune to a takedown, the move has also the added benefit of making the tracking and blocking of IP addresses of the C&C servers obsolete.

In order for the peers to act as a C&C server of sorts, the bot now includes nGinx, an open source Web server, which makes it capable of handling HTTP requests. Those requests are no longer used only for exchanging configuration files, but also to make bots download additional malware (fake AV) and software (proxy engine).

The compression and encryption techniques used for hiding the bots from AV solutions and researchers have not changed much with the new strain, but the exchange of data between bots now mostly happens through UDP communication. It previously used TCP.

The researchers said the change has likely occurred due to the fact TCP communications are easy to track and dump, and allow anyone to impersonate a bot and successfully communicate with other bots.

“Zeus’s main infection vector is emails containing malicious attachments, pretending to look like documents,” the researchers said.

Leave a Reply

You must be logged in to post a comment.