Zeus Trojan Gains Peer-to-Peer Functionality

Thursday, October 13, 2011



Swiss security expert Roman Hüssy has discovered variants of the Zeus banking Trojan that have a newly added peer-to-peer (P2P) functionality, making the malware more resistant to mitigation efforts.

The Zeus Trojan is widely regarded as one of the most dangerous pieces of malware ever to surface in the wild, and numerous variants of the malicious code continue to propagate.

The Zeus Trojan can lay dormant for long periods until the user of the infected machine accesses accounts such as those used for online banking. Zeus harvests passwords and authentication codes and then sends them to the attackers remotely.

"A few weeks ago I've noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a Spam campaign targeting US citizens)," Hüssy wrote.

Further investigation by Hüssy led to a startling discovery:

"When I ran the binary in my sandbox, I've seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I've analysed the infection I came to the conclusion that it is actually ZeuS," Hüssy said.

Hüssy discovered that when a system is infected with the new variant, it contacts a series of IP addresses and self-updates with new versions of the infection.

The Trojan still receives command and control information from only one domain at a time, so defenders can still mitigate it by blocking the control domain, a method called "sinkholing", but only until the malware obtains a new command and control domain via the P2P functionality.

So far, the largest numbers of infected systems are located in the U.S., India and Italy.

In August, researchers at Trusteer discovered evidence that the Zeus code had been combined with the Ramnit worm to produce a more sophisticated malware tool capable of a web injection using a man-in-the-browser (MitB) type of attack.

The Ramnit worm is not particularly dangerous in and of itself, but it may be lending the Zeus Trojan the ability to propagate over networks, a feature it has thus far lacked.

Trusteer also reported earlier this year that an increasing number of websites are known to host Zeus variants, and the report also shows that a growing number of networks are hosting command and control operations for Zeus-based botnets.

Researchers at Trend Micro also recently revealed that a Zeus Trojan designed specifically to run on the Blackberry operating system has been detected.

"We all know that the fight between criminals and security researchers is a cat and mouse game. I'm sure this wasn't the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar," Hüssy said.

Source: http://www.computerworld.com/s/article/9220755/Zeus_Trojan_P2P_update_makes_take_downs_harder

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.