New ZeuS Botnet No Longer Needs Central Command Servers

c0mpliant writes "Researchers at Symantec have identified a new variant of the ZeuS botnet which no longer requires a Command and Control server. The new variant uses a P2P system, which means that each bot acts like a C&C server, but none of them really are. The effect of which is that takedowns of such a network will be extremely difficult because there is no one central source to attack."

Re:They still need a C&C

[Ramin_HAL9001]

But on the other hand, you still need to issue commands to the C&C. If you can figure out the communication protocol used to assign C&C powers to a node, then security researchers can easily toss-out the command to become a C&C to all nodes and then sink-hole it.

Further, I am not aware of any way to encrypt communications between the botnet's controllers and the botnet's nodes because every node will need to have the private key to decrypt incoming communications. So anyone can analyze a node and just pick out the private key, and then start issuing commands to it as though they were the operators. It just adds bulk to the botnet code, and doesn't prevent anyone from sink-holing it.

I think the real difficulty is simply containment. If the virus is designed to spread as rapidly as possible, then you need to spend a lot of time finding nodes and taking control of them to shut them down. I think the designers of ZueS are counting on that, and hope sheer numbers will be better than more precise control.