The Italian Honey Project

Symantec has recently blogged about a new version of the P2P variant of the Zeus/SpyEye trojan.

Below some of the most interesting new features:

Communication channel

P2P seems to be the new botnet architecture instead of the old central C&C which has been preferred until now.  This change will dreastically impact on all the monitoring techniques/tools  that are currently used nowadays to face Zeus and SpyEye. Takedown methodologies will also be affected to this new feature.

UDP instead of TCP

A proprietary UDP handshake (port-knocking) is used to establish the communication between the bot and its peers, AND (controversially to its previous version) exchange data between them i.e. configuration files.

Changes in the compression and encryption

The main encryption scheme has not changed from the Zeus 2.x versions ( XOR+RC4), however, a new encryption layer has been added which consist in  a byte-per-byte XOR applied to each block of the configuration.
The pseudo code follows:

XorKey = ((BlockSize << 0x10) | BlockId) | (XorSeed << 8 )

Lastly,  the usual Nrv2b compression has switched to the Zlib 1.2.5 one.

Any node can now provide malwares

Due to the nature of a de-centralized network, now every node can act as the main C&C thanks to a nGinx minimal webserver which every bot comes with.

To note that -controversially to previous Zeus and SpyEye versions- some of the bots observed by Symantec were distributing malware binaries too.