Evolution of Zeus Botnet Part 3
Zeus, version 3 – Gameover
Zeus 2.1 was an attempt to get away from the hard-coded command center and move to a control system (based on DGA) that was better protected from the actions of anti-virus companies. As it turned out, the creators of Zeus continued their work in this field.
In October 2011, Roman Huessy, the creator of ZeusTracker, was examining a recently received Zeus sample and noticed unusual UDP traffic. Further analysis showed that the new version of Zeus carried several IP addresses in its configuration block, and the computers at those IPs answered the infected system. Within 24 hours about 100,000 unique IP addresses were found to be associated with the new version. Most of the infected computers were located in India, Italy and the U.S.
It turned out that Zeus had started using a P2P mechanism to update both itself and its configuration data blocks. Because the script name gameover.php was used when contacting the command center, this version became known as Gameover Zeus. The name is rather symbolic: as can be seen, the ‘game’ with Zeus has ended.
The Zeus P2P mechanism (ZP2P) is based on the Kademlia protocol. A computer (host) in the ZP2P network is identified by a unique identifier (UID) created on first run. Each instance of Zeus in ZP2P keeps a ‘neighbor table’ in memory: an array listing about 30 neighboring nodes of the ZP2P network with their UID, IP address and UDP port number. The ZP2P network uses several types of connections:
- to exchange information about the version of the configuration data (UDP);
- to exchange information about the nodes in the ‘neighbor table’ (UDP);
- to exchange binary data, namely the main module and the configuration data (over TCP).
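As an added illustration (not from the original article), here is a simple Python heuristic a network defender could run over flow records to spot hosts whose UDP behavior resembles the ZP2P neighbor gossip described above: a normal workstation talks UDP to a handful of servers, while a P2P node exchanges messages with dozens of peers on many different ports. The flow records, internal address range and thresholds are constructed for the example.

```python
from collections import defaultdict
import ipaddress

# Constructed address space for the example: everything in 10.0.0.0/8 is "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def build_sample_flows():
    """Constructed flow records (src, sport, dst, dport, proto); not captured traffic."""
    flows = []
    # 10.0.0.2 behaves like a normal workstation: DNS to one resolver, NTP to one server.
    for i in range(20):
        flows.append(("10.0.0.2", 40000 + i, "192.0.2.53", 53, "udp"))
    flows.append(("10.0.0.2", 123, "192.0.2.123", 123, "udp"))
    # 10.0.0.5 behaves like a ZP2P node: UDP exchanges with 40 distinct peers, each
    # on its own port, as a bot refreshing its neighbor table would.
    for i in range(40):
        flows.append(("10.0.0.5", 50000 + i, f"198.51.100.{i + 1}", 10000 + 37 * i, "udp"))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def udp_peer_profile(flows):
    """Per internal host: set of distinct external UDP peers and destination ports."""
    profile = defaultdict(lambda: {"peers": set(), "ports": set()})
    for src, _sport, dst, dport, proto in flows:
        if proto != "udp" or not is_internal(src) or is_internal(dst):
            continue
        profile[src]["peers"].add(dst)
        profile[src]["ports"].add(dport)
    return profile


def flag_p2p_candidates(flows, min_peers=25, min_ports=10):
    """Return (host, peer_count, port_count) for hosts over both thresholds.

    The thresholds are assumptions for this example and must be tuned per network;
    a NAT gateway aggregates many hosts and will look like one very busy peer."""
    hits = []
    for host, p in udp_peer_profile(flows).items():
        if len(p["peers"]) >= min_peers and len(p["ports"]) >= min_ports:
            hits.append((host, len(p["peers"]), len(p["ports"])))
    return sorted(hits)


if __name__ == "__main__":
    for host, peers, ports in flag_p2p_candidates(build_sample_flows()):
        print(f"{host}: {peers} distinct UDP peers on {ports} distinct ports")
```

A hit is only a lead for investigation: the same pattern is produced by legitimate P2P software and by the dynamic-address and NAT effects the article mentions below.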
The DGA underwent some changes; in particular, there are now six top-level domains: ru, com, biz, info, org, net (source). The DGA was used as a ‘fallback’ option when a connection could not be established through ZP2P. As a result, the configuration data blocks are available only through ZP2P, which makes it harder to identify the control center. Incidentally, the control center is now more a repository of stolen information and statistics than a panel for sending commands to the bots.
In February 2012, Symantec researchers discovered another version of Zeus using ZP2P. This modification contains a built-in Nginx web server. The ZP2P communication protocols began using only UDP, to make tracing Zeus data flows harder. The bot was now able to download executable files over HTTP from other bots. Thus each bot could act as a kind of command center, or as an intermediary (proxy) in the chain of command. The same technique is used in the Waledac / Kelihos botnet version C, reborn at the beginning of 2012, two years after its takedown in 2010 with the assistance of Microsoft and a number of security companies.
Interestingly, the ZP2P botnet was used to spread two third-party malicious programs, a fake antivirus and a proxy server, which had not previously been observed with Zeus. To assess the prevalence of the latest version of Zeus, Symantec experts monitored the ZP2P network. From April to July 2012 they observed 678,205 unique UIDs and 1,570,871 unique IPs. Not all of these IPs were reachable, because they were behind a firewall or NAT. Moreover, ISPs use dynamic address pools, so a single UID can map to different IP addresses from the pool. The largest share of infections was in the U.S. (29.2%).
As before, the main source of infection was email messages with links to malicious websites; often the request was redirected to the BlackHole browser exploit pack, so the infection happens without any user action (other than viewing an infected site). But this time BlackHole loaded onto the computer not P2P Zeus itself but the Pony trojan downloader. Pony is another crimeware whose basic function is to download and run malicious software while bypassing antivirus protection. Pony has its own admin panel that displays statistics of successful downloads and launches. Thus P2P Zeus is installed in the following manner:
- the user receives an email with a link to a malicious site;
- on visiting this site, BlackHole drops the Pony loader onto the computer;
- Pony contacts its command server and receives instructions to download the actual file, Zeus (from three different servers).
Apparently, the Zeus developers have worked hard to improve the management of their ‘offspring’. The management scheme went through several stages in its development:
- hard-coded servers (versions 1 and 2);
- use of DGA to reach dynamically generated domain names (version 2.1 or 2+);
- DGA plus a hybrid P2P scheme, in which bots are connected to each other and to the server (version 3 or Gameover Zeus);
- P2P only, command centers no longer needed (version 3+).