A new version of the Zeus malware has appeared, and it does not look like a minor upgrade but a major custom build of the Trojan. It adds a P2P capability that drops the domain-generation algorithm used in earlier versions and instead relies on a hardcoded list of IP addresses from which infected PCs obtain new binaries and config files. That is a throwback to how the malware used to behave, but with a twist: there is no longer a single master URL that infected machines contact for updates, which makes the Trojan's activity much harder to track.


The version of Zeus discovered recently by the Swiss Abuse.ch group implements this strategy by shipping a built-in list of IP addresses that each newly infected PC tries to contact in order to receive instructions and updated configuration files. The new bot does this by sending UDP packets to a high-numbered port, looking for like-minded peers. If one responds, the new bot receives a fresh list of IPs of other infected PCs in the botnet. The new version can also check which version of the malware is running on remote PCs and download an updated version if necessary, the researchers said in a blog post analyzing the Zeus update.
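The bootstrap described above is exactly what makes a P2P botnet trackable from the other side: a researcher who knows the seed addresses can run the same "probe a peer, collect its peer list" step in a loop and enumerate the network. The following is an added example, not code from Threatpost or from the Abuse.ch analysis. The wire format (a JSON "hello" and "peers" message), the version numbers, the IP addresses and the in-memory stand-in for the UDP probe are all constructed for illustration; the article does not describe the real message layout. It shows both sides: the bot walking its hardcoded seed list until one peer answers (and learning that a newer version exists), and a crawler doing a breadth-first walk over the advertised peer lists, recording which addresses answered and which were dead.

```python
"""Simulated P2P bootstrap and peer-graph crawl for a Zeus-style bot.

Added example: the message format, port behaviour and network snapshot are
assumptions; none of this is the real bot's protocol.
"""
from collections import deque
import json

# Constructed snapshot of a small P2P network: ip -> (bot version, peers it knows).
# Addresses absent from the table stand in for peers that never answer the probe.
SIMULATED_NETWORK = {
    "203.0.113.10": (3, ["203.0.113.20", "198.51.100.5", "192.0.2.99"]),
    "203.0.113.20": (2, ["203.0.113.10", "198.51.100.7"]),
    "198.51.100.5": (3, ["203.0.113.10", "198.51.100.7", "198.51.100.9"]),
    "198.51.100.7": (1, ["203.0.113.20"]),
    "198.51.100.9": (3, []),
}

# Hypothetical hardcoded seed list baked into the sample; the first two are dead.
HARDCODED_SEEDS = ["192.0.2.99", "192.0.2.100", "203.0.113.10"]


def encode_probe(my_version):
    """Assumed probe: a JSON 'hello' announcing the sender's bot version."""
    return json.dumps({"type": "hello", "ver": my_version}).encode()


def encode_reply(version, peers):
    """Assumed reply: the responder's version plus the peers it knows about."""
    return json.dumps({"type": "peers", "ver": version, "peers": peers}).encode()


def decode(msg):
    return json.loads(msg.decode())


def send_probe(ip, payload, network=SIMULATED_NETWORK):
    """Stand-in for a UDP probe to a high-numbered port. Returns the raw reply
    bytes, or None when the peer is dead: UDP gives no error, just silence."""
    if ip not in network:
        return None
    version, peers = network[ip]
    return encode_reply(version, peers)


def bootstrap(seeds, my_version, network=SIMULATED_NETWORK):
    """Bot side: walk the hardcoded list until one peer answers, adopt the
    peer list it returns, and note whether a newer bot version is available."""
    for ip in seeds:
        reply = send_probe(ip, encode_probe(my_version), network)
        if reply is None:
            continue  # dead seed, try the next one
        msg = decode(reply)
        return {
            "contacted": ip,
            "peers": msg["peers"],
            "update_available": msg["ver"] > my_version,
        }
    return None  # every hardcoded seed is dead: the bot is stranded


def crawl(seeds, network=SIMULATED_NETWORK):
    """Researcher side: breadth-first walk of the peer graph from the seed
    list, recording every responding node with its version and every address
    that was advertised by a peer but never answered."""
    seen, alive, dead = set(seeds), {}, set()
    queue = deque(seeds)
    while queue:
        ip = queue.popleft()
        reply = send_probe(ip, encode_probe(0), network)
        if reply is None:
            dead.add(ip)
            continue
        msg = decode(reply)
        alive[ip] = msg["ver"]
        for peer in msg["peers"]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return alive, dead


if __name__ == "__main__":
    print("bot bootstrap:", bootstrap(HARDCODED_SEEDS, my_version=2))
    alive, dead = crawl(HARDCODED_SEEDS)
    print("crawler found", len(alive), "live nodes:", alive)
    print("dead or unreachable:", sorted(dead))
```

The crawler and the bot share the same probe, which is the practical point: once one seed is known, enumeration of the rest of the network follows from the peer lists themselves. The `dead` set is worth keeping in a real crawler, since stale addresses advertised by peers are a normal condition rather than an error.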


“At first glance this is bad news. But fortunately the new mechanism also has benefits: There is just one ZeuS C&C active at the same time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.”

via P2P Version of Zeus Botnet Appears | threatpost.
