<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Italian Honey Project &#187; P2P</title>
	<atom:link href="http://www.honeynet.it/tag/p2p/feed" rel="self" type="application/rss+xml" />
	<link>http://www.honeynet.it</link>
	<description>The Italian chapter of the Honeynet Research Alliance</description>
	<lastBuildDate>Wed, 11 Jan 2012 11:44:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>ZeuS P2P variant analysis</title>
		<link>http://www.honeynet.it/malware/zeus-p2p-variant-analysis</link>
		<comments>http://www.honeynet.it/malware/zeus-p2p-variant-analysis#comments</comments>
		<pubDate>Thu, 05 Jan 2012 14:02:24 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=444</guid>
		<description><![CDATA[
[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution. Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution.<br />
Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. However, the analysed variant of the Trojan used two new channels of communication to receive orders (figure on right):</p>
<ol>
<li>Communication in a peer-to-peer network</li>
<li>Domain name generation mechanism</li>
</ol>
<p>This variant has been analyzed to some extent by other researchers before – there is information on the web on the new variant of Zeus (e.g. <a href="http://www.abuse.ch/?p=3499">abuse.ch</a>), however – based on our knowledge – previous research has focused on registering and monitoring traffic to Zeus domains. <strong>In our work we focus on understanding the P2P network communication mechanisms, mapping out the network, and monitoring the exchange of information in this particular network.</strong> [..]<strong><br />
</strong></p></blockquote>
<p>via <a href="http://www.cert.pl/news/4711/langswitch_lang/en">CERT Polska » Blog Archive » ZeuS – P2P+DGA variant – mapping out and understanding the threat</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/zeus-p2p-variant-analysis/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>P2P Version of Zeus Botnet Appears &#124; threatpost</title>
		<link>http://www.honeynet.it/botnet/p2p-version-of-zeus-botnet-appears-threatpost</link>
		<comments>http://www.honeynet.it/botnet/p2p-version-of-zeus-botnet-appears-threatpost#comments</comments>
		<pubDate>Thu, 20 Oct 2011 11:51:13 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=433</guid>
		<description><![CDATA[
A new version of the Zeus malware has appeared, and this does not seem to be a minor upgrade, but a major custom version of the Trojan, which now sports a P2P capability that does away with the use of the domain-generation algorithm used in earlier versions and instead uses a hardcoded list of IP [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>A new version of the Zeus malware has appeared, and this does not seem to be a minor upgrade, but a major custom version of the Trojan, which now sports a P2P capability that does away with the use of the domain-generation algorithm used in earlier versions and instead uses a hardcoded list of IP addresses to provide infected PCs with new software and config files. This is a throwback to the way the malware used to behave, but it comes with a twist: There no longer is a master URL that infected machines contact to get updates, making it much more difficult to track the Trojan&#8217;s activities.</p>
<p>[..]</p>
<p>The version of Zeus discovered recently by the Swiss Abuse.ch group implements this strategy through the inclusion of a built-in list of IP addresses that each newly infected PC should try to contact in order to receive instructions and updated configuration files. The new bot does this by sending out UDP packets on a high-numbered port, looking for like-minded peers. If one responds, the new bot will get a new list of IPs of other infected PCs in the botnet. The version of Zeus also can remotely check which version of the malware is running on remote PCs and download an updated version, if necessary, the researchers said in a blog post analyzing the Zeus update.</p>
<p>[..]</p>
<p>&#8220;At first glance this is bad news. But fortunately the new mechanism also has benefits: There is just one ZeuS C&amp;C active at the same time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.&#8221;</p></blockquote>
<p>via <a href="http://threatpost.com/en_us/blogs/p2p-version-zeus-botnet-appears-101111">P2P Version of Zeus Botnet Appears | threatpost</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/p2p-version-of-zeus-botnet-appears-threatpost/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TDL4 – Highly sophisticated botnet unveiled</title>
		<link>http://www.honeynet.it/uncategorized/tdl4-%e2%80%93-high-sophisticated-botnet-unveiled</link>
		<comments>http://www.honeynet.it/uncategorized/tdl4-%e2%80%93-high-sophisticated-botnet-unveiled#comments</comments>
		<pubDate>Fri, 01 Jul 2011 08:22:08 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[TDSS]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=418</guid>
		<description><![CDATA[
The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware.</p></blockquote>
<p>via <a href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot">TDL4 – Top Bot &#8211; Securelist</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/uncategorized/tdl4-%e2%80%93-high-sophisticated-botnet-unveiled/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cracking Down on Botnets &#8211;  Microsoft  against Waledac</title>
		<link>http://www.honeynet.it/botnet/the-official-microsoft-blog-%e2%80%93-news-and-perspectives-from-microsoft-cracking-down-on-botnets</link>
		<comments>http://www.honeynet.it/botnet/the-official-microsoft-blog-%e2%80%93-news-and-perspectives-from-microsoft-cracking-down-on-botnets#comments</comments>
		<pubDate>Thu, 25 Feb 2010 20:15:36 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Botnet 2.0]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[Press]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[waledac]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=176</guid>
		<description><![CDATA[
The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy. [..] In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy.</p>
<p>[..]</p>
<p>In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.</p>
<p>[..]</p>
<p>This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world.</p></blockquote>
<p>via <a href="http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx">The Official Microsoft Blog – Cracking Down on Botnets</a>.</p>
<p>Well done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/the-official-microsoft-blog-%e2%80%93-news-and-perspectives-from-microsoft-cracking-down-on-botnets/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

