New Zeus/SpyEye makes bots function as C&C servers

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

The latest build of the Zeus/SpyEye malware shows a change that could very well hamper the security researchers’ ability to take down the botnets using it and to find out the criminals behind them.

According to Symantec researchers, a previous build already moved towards replacing the bot-to-C&C system with peer-to-peer capabilities so that the bots receive configuration files from other bots, and this new one has finalized the transition.

“This means that every peer in the botnet can act as a C&C server, while none of them really are one,” say the researchers. “Bots are now capable of downloading commands, configuration files, and executables from other bots – every compromised computer is capable of providing data to the other bots. We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers.”

Apart from making such a botnet practically immune to a takedown, the move has also the added benefit of making the tracking and blocking of IP addresses of the C&C servers obsolete.

In order for the peers to act as a C&C server of sorts, the bot now includes nGinx, an open source Web server, which makes it capable of handling HTTP requests. And those requests are not longer used only for exchanging configuration files, but also to make bots download additional malware (fake AV) and software (proxy engine).

The compression and encryption techniques used for hiding the bots from AV solutions and researchers haven’t changes much with the new strain, but the exchange of data between bots now mostly happens through UDP communication, while previously TCP was used.

The researchers say that the change has likely occurred due to the fact that TCP communications are easy to track and dump, and allow anyone to impersonate a bot and successfully communicate with other bots.

“Zeus’s main infection vector is emails containing malicious attachments, pretending to look like documents. As usual be wary of emails received from unknown recipients, and never to open files received from unknown sources,” they warn.