Cybercriminals are using a modified version of the ZeuS computer Trojan that no longer relies on command and control (C&C) servers for receiving instructions, according to Symantec security researchers.
ZeuS is very popular in the cybercriminal world because it’s capable of stealing a wide variety of information, documents and login credentials from infected systems. For many years it was the weapon of choice for most fraudsters targeting online banking systems.
The Trojan’s source code was published on Internet underground forums last year, paving the way for many third-party modifications and improvements.
In November 2011, security researchers identified a heavily modified ZeuS variant capable of relaying attacker commands from one compromised host to another, in a peer-to-peer-like (P2P) fashion.
That version of the Trojan still connected to a C&C server for dropping stolen data and receiving instructions, but used the P2P system as a fallback mechanism in case the server went down.
However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. “Every peer in the botnet can act as a C&C server, while none of them really are one,” Symantec researcher Andrea Lelli said in a blog post Wednesday.
“Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots,” she said.
In order to implement this functionality, the creators of this ZeuS variant have incorporated the nginx Web server into the Trojan, allowing every infected computer to receive and send data over the HTTP protocol.
This makes their botnet more resilient to takedowns, because there’s no longer a single point of failure for security researchers to target, and it also prevents botnet tracking systems like ZeusTracker from doing their job.
“Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world,” Lelli said, adding that Zeus’ switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.
Organizations rely on such lists to block ZeuS traffic at the network level in order to prevent this malware from exfiltrating sensitive data. Monitoring connection attempts for the C&C IP addresses also helps companies identify compromised computers within their networks.
Symantec researchers have seen this new ZeuS variant distributing malware like fake antivirus programs. However, they have yet to figure out how it sends the captured information back to the attackers in the absence of C&C servers.
“Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture,” Lelli said.