On new generation of P2P botnets

Pierluigi Paganini June 18, 2012

Zeus is one of the longest-running malware that raged for months, appearing in various forms on the web thanks to the continuous changes made by the cybercrime industry.

This time the news is really interesting, Symantec security researchers have detected a new variant of Zeus that not relies on command and control (C&C) servers for receiving commands.

The great diffusion of the malware in the cybercrime underground is due the different development services born to modify the agent for specific purposes. The source code of the malware was published on internet underground giving the opportunity to third-party organization to modify it implementing the crime to crime model (C2C) that we have defined in the past as “malware as service“.

Zeus is a malware used mainly to steal information, such as bank credentials, from the infected PCs. At the end of 2011 it has been identified a new Zeus variant that uses P2P communication to transfer commands from compromised hosts in a botnet. Symantec experts have discovered the bot spreads through fake antivirus programs.

The interesting feature is that P2P communication is used as a backup system in case the C&C servers are not reachable.

Really interesting is the concept of auto “self-sufficient”, peer networks in which each node can operate as a slave or as master giving orders to other PC operating and exchanging information acquired illegally by the victims.

The last variant isolated by Symantec doesn’t use C&C servers implementing an autonomous botnet, the experts Andrea Lelli declared:

“Every peer in the botnet can act as a C&C server, while none of them really are one,””Bots are now capable of downloading commands, configuration files, and executable from other bots — every compromised computer is capable of providing data to the other bots,”


In similar botnet, each bot works as a Web server thanks to the presence of nGinx,  minimal Web server, that equips the malware. The communications between the nodes in the network are based on HTTP protocol.  The new type of botnet is really worrysome because it is hard to fight due the absence of  point of failure represented in a classic botnet architecture by the C&C servers, distribuited peer networks are so very difficult to identify. Tracking systems such as ZeusTracker are not able to track this variant due the impossibility to add the complete list of components of a P2P network instead only the IP addresses of C&C servers.

To avoid tracking and dump of traffic the communications mainly uses UDP protocol, because TCP is easily detectable. The bot does not perform any authentication of the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading stuff like configuration data, this feature could be used to exploit the network.

The handshake phase between bots is possible using a homemade UDP and after successful connection the nodes start to exchange TCP data (e.g. configuration files, list of other peers, etc.).

What is still a mystery is how the information is received by botmaster, that’s why analysis is still ongoing. It has been argued that specific conditions can trigger the communication with a specific server to transfer for example the stolen information. Preliminary researches suggest that stolen information are still transmitted back to botmasters using classic methods rather than relayed through the P2P network.

The Zeus case is not isolated, recently Kaspersky Lab, in collaboration with CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, dismantled the second Hlux botnet (aka Kelihos).

This botnet had scary size, it has been estimated it was three times larger than the first botnet Hlux / Kelihos dismantled in September 2011. After only 5 days from the transaction, Kaspersky Lab had already neutralized more than 109,000 infected hosts. It is estimated that the first botnet Hlux / Kelihos had only 40,000 infected systems.

The event has demonstrated how is becoming hard to tackle the new generation of botnets, due the usage of the peer-to-peer technology also implemented in Kelihos. The new variants of malware incorporate P2P technology to eliminate the need for a C&C server, avoiding detection and the immunization campaigns to decapitate the malicious networks.

To provide another example of botnets we can remind the Alureon / TLD4 botnet that can survive indefinitely in the absence of its C&C servers making difficult their detection.

The new trend in the development of the botnet is to provide them the capability to be “independent” from control servers, surviving and becoming anonymous for long periods, infecting many machines.

The battle is difficult, the changes observed in botnet scenario being the result of a development model of malware that has nothing to envy to the development of products of the legal industry.



Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment