ZeuS Gains More Power

Friday, October 14, 2011 @ 03:10 PM gHale

There is a customized variant of ZeuS that no longer uses a Domain Generation Algorithm (DGA) to determine the currently active C&C domain.

“The *new* version of ZeuS (v3?) implements a Kademlia-like P2P botnet. Similar to the Miner botnet, ZeuS is now using an “IP list,” said security expert Roman Hüssy. “This list contains IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary.”


The interesting thing about the Trojan is that it falls back to DGA only if everything else fails. Because HTTP is used only to receive commands from the botnet master and to deliver stolen data to the drop zone, BinaryURL and ConfigURL are not necessarily present in the configuration, which makes the botnet harder to track.

When it lands on a computer, the bot immediately looks for an active node by sending UDP packets. If it finds such a node, that node replies with a list of IPs taking part in the peer-to-peer (P2P) network. After learning which binary and config versions the node is using, the bot checks whether a newer version exists; if so, it connects to the node on a high TCP port to download the updated binary or the current config file. Finally, the HTTP part steps in and the bot connects to the C&C domain listed in the configuration file.

The research further shows that India currently has the most infected systems, with Italy and the U.S. close behind.

Hüssy advises security teams to watch their web proxy logs for strings such as gameover.php, gameover2.php or gameover3.php, which indicate the presence of ZeuS' new variant.
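The proxy-log check described above, written out as a small detection script. This is an added example and not code from the article or from Hüssy; it assumes a Squid-style access log layout (timestamp, elapsed, client IP, result code, bytes, method, URL, ...) and runs over a few constructed sample lines embedded in the block. It matches only on the last path component of the URL, so a hostname that happens to contain "gameover" does not trigger a hit.

```python
import re
from typing import Dict, Iterable, List

# Indicator strings named in the article (URL paths seen in web proxy logs).
GAMEOVER_INDICATORS = ("gameover.php", "gameover2.php", "gameover3.php")

# Squid-style access log line (assumed layout for this example):
# timestamp elapsed client_ip result_code bytes method url user hierarchy content_type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log: two benign requests, three requests carrying an
# indicator, and one benign request whose hostname merely contains "gameover".
SAMPLE_LOG = [
    "1318600000.123    45 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.net/index.html - DIRECT/203.0.113.10 text/html",
    "1318600001.456   120 10.0.0.7 TCP_MISS/200 2048 POST http://203.0.113.45/gameover.php - DIRECT/203.0.113.45 application/octet-stream",
    "1318600002.789    30 10.0.0.9 TCP_MISS/404 512 GET http://example.org/blog/gameover.php?x=1 - DIRECT/198.51.100.2 text/html",
    "1318600003.000    20 10.0.0.5 TCP_MISS/200 300 GET http://gameover.example/home - DIRECT/198.51.100.3 text/html",
    "1318600004.000    22 10.0.0.8 TCP_MISS/200 700 POST http://198.51.100.9/GAMEOVER3.PHP - DIRECT/198.51.100.9 text/plain",
]


def indicator_in_url(url: str) -> str:
    """Return the matching indicator (lower-cased) if the URL's last path
    component is one of the Gameover file names, else an empty string."""
    # Drop scheme and host so the host part can never match.
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]+", "", url, flags=re.I)
    path = path.split("?", 1)[0]          # ignore the query string
    basename = path.rsplit("/", 1)[-1].lower()
    return basename if basename in GAMEOVER_INDICATORS else ""


def find_gameover_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan proxy log lines and return one record per line that requests
    a Gameover indicator path. Unparseable lines are skipped."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        indicator = indicator_in_url(m.group("url"))
        if indicator:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "method": m.group("method"),
                "url": m.group("url"),
                "indicator": indicator,
            })
    return hits


def hits_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count indicator hits per client IP, which is the unit an analyst
    would triage (a host talking to a Gameover drop zone or C&C)."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_gameover_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['method']} {h['url']}  <- {h['indicator']}")
    print("per-client:", hits_by_client(found))
```

The client IP, not the destination, is the key output: the destination may be any compromised web server acting as a drop zone, while the client is the host that needs to be isolated and examined.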

Hüssy said Slavik, the original creator of the malware, is still the one pulling the strings, and by launching such alternatives he hopes to attract less attention from authorities while increasing his income.

“Slavik probably dropped this business and released the source code to the public to get out of this situation,” Hüssy said. “But I believe that he is still developing on ZeuS, but only custom build(s) for a small circle of customers who are able to pay a lot more money than small fishes.”
