A while ago a group of researchers has analyzed and tested the resilience of P2P botnets, and has discovered that while Zeus and Sality botnets are highly resilient to sinkholing attacks, Kelihos and ZeroAccess botnets have weaknesses that can be used to disrupt them.
Earlier this month Sophos researchers have discovered new variants that use new techniques to assure its persistency on the affected computers, and now Symantec researchers say that they have spotted a change in the malware’s use of the P2P communication protocol.
“On June 29, 2013, we noticed a new module being distributed amongst ZeroAccess peers communicating on the UDP-based peer-to-peer network that operates on ports 16464 and 16465,” they noted. “ZeroAccess maintains a second UDP-based network that operates on ports 16470 and 16471. ZeroAccess peers communicate to other peers connected to the same network; peers do not communicate across networks.”
They also made some other changes to the peer-to-peer functionality to decrease the likelihood of outsiders taking control of the botnet, including the introduction of a secondary internal peer list – stored as a Windows NTFS alternate data stream – that can hold over 16 million peer IP addresses instead of the previous 256, and a different logic according to which the peer chooses to contact other peers.
It’s interesting to not that while this code changes are already available on the UDP 16464/16465 peer network, they have not been yet implemented on the UDP 16470/16471 network.
“Most of the code changes made by the ZeroAccess authors in this update seem to be in response to published research on ZeroAccess or other perceived weaknesses the authors found in the code. These changes are also further evidence that ZeroAccess continues to be actively developed and remains a threat,” the researchers say.
If you are interested in more technical details about all the changes and how they prevent the exploitation of earlier vulnerabilities, I warmly recommend the researchers’ original blog post.