New ZeuS Botnet No Longer Needs Central Command Servers
c0mpliant writes "Researchers at Symantec have identified a new variant of the ZeuS botnet which no longer requires a Command and Control server. The new variant uses a P2P system, which means that each bot acts like a C&C server, but none of them really are. The effect of this is that takedowns of such a network will be extremely difficult because there is no one central source to attack."
If my understanding is correct, the entire Zeus network now communicates amongst itself. There's no intermediate sites, IRC channels, twitter accounts, etc.
This also means that any infected machine can act as the C&C. If that machine gets taken down, all the zeus authors need to do is use another node and keep going. It'll be extremely difficult to trace where the commands are genuinely coming from unless they happen to have access to the C&C server that originally sent the command, then hope that some sort of trail has been left - not an easy task, really
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Fasttrack (Kazaa) or Skype are not tied down to one server. The only centralized source in those, I believe, is the login... But I don't think these require that.
On the other hand, spreading information through the network could be slow, making it less efficient.
The only way the RIAA stopped Kazaa was by exploiting their checksum algorithm to diffuse bogus info. But I don't think that is an option. On the other hand, it should be possible for anyone to give orders to this botnet if they know the "key" to order them around... But if done right, that should be impossible (or highly improbable).
Most likely depends on the key scheme they used and how they "protect" it. But standard public key encryption schemes should give anyone a run for their money for a few years...
The article is not wrong. There is no need for a C&C server, which doesn't mean there aren't people with computers controlling it...
That would punish me for running Mac OS X 10.3.9 on my iMac G3. Why should the law require me to use Linux? Hell, with some of the legal suggestions floating around on here, it would be illegal for me to use this machine for anything at all, due to a low watt-per-FLOP ratio.
Slashdotters are killing my childhood, not 4chan.
I think it's worse than that. If it works with the scheme fasttrack (for example) uses, you'd need to get the people behind the computer to actually kill it. Even if they get the original machine, they can just switch places and keep going (since there is no single point of failure, from what I read).
True, but unlike a p2p network a botnet has to be directed. If the network were truly decentralized, any machine could command it, thus anyone could steal it. My guess is that in order to prevent hijacking the commands are signed by the C&C, and then distributed through the network. This way, the origin of the commands becomes very hard to trace, but this method also introduces some vulnerabilities. For example, as each infected machine connects to a number of other ones, getting a list of infected machines would be fairly easy. You just need to deliberately infect a honeypot, and you can already detect a lot of infected machines. So it might be more effective to change tactics and try to remove the infection instead of targeting the head.
The more you press on shady people the more they will work around the restrictions.
It's an endless cat-and-mouse game. And we are the losers.
---- Booth was a patriot ----
But on the other hand, you still need to issue commands to the C&C. If you can figure out the communication protocol used to assign C&C powers to a node, then security researchers can easily toss out the command to become a C&C to all nodes and then sink-hole it.
Further, I am not aware of any way to encrypt communications between the botnet's controllers and the botnet's nodes because every node will need to have the private key to decrypt incoming communications. So anyone can analyze a node and just pick out the private key, and then start issuing commands to it as though they were the operators. It just adds bulk to the botnet code, and doesn't prevent anyone from sink-holing it.
I think the real difficulty is simply containment. If the virus is designed to spread as rapidly as possible, then you need to spend a lot of time finding nodes and taking control of them to shut them down. I think the designers of ZeuS are counting on that, and hope sheer numbers will be better than more precise control.
What if the commands need to be signed?
Insecure is relative. Computers and systems have the same problems as the security of a country. You are calling for a TSA like approach for software and systems. The only 100% secure device is one with no human interface device, no ports to allow new data (no net, USB, CD-rom, etc.) and maybe not even a power cord.
The most popular systems will have the most viruses written for them. Look at Windows. Now look at the reports of Apple OS viruses popping up as that system was becoming more popular. If everyone surged to Linux there would be a surge of viruses there too.
Then you get into the operators. Not everyone can be trained to be 100% knowledgeable in every up or downside on the net. The only system that would work is some type of licensing like with cars. Oh wait, we have idiots who talk, text, eat, put makeup on, drive drunk, and all that already with that program.
Then you run the risk of having only official and approved operating systems. An FDA of sorts for computer systems...
*pauses* Are you trolling? I mean, you are effectively asking for a series of laws that would not just put us on the road to a "Right to Read" future, but hang up the street signs and lighting as well.
But knowing the infected machines was never the problem. Spam e-mail brings with it the address... But you can't really go knocking down doors forcing people to scan their computers. That's why the black holes were designed: you wouldn't invade anyone's privacy but at the same time take them down.
Now, either the ISPs start disconnecting people that are infected, or you seem to stand no chance against it. But I believe new legislation will have to be drafted if we are to start disconnecting people from the internet for virus infections...
You're still thinking in terms of a C&C, when it doesn't apply anymore. Think of it more like a contagion: there's no "C&C" humans, only people in contact with other people in contact with yet more people. There is no command to become a C&C. Commands are encrypted but also signed by the operators, and nodes only have the public key to that, so you can't fake one. They can just introduce a command anywhere, to any node, and it'll relay it to its peers, which will relay it to their peers again, and so on until everyone has got the command. You probably use a unique ID to avoid loops, like "command 0xfe36735b I've already relayed, no need to relay it again."
Live today, because you never know what tomorrow brings
If I interpret your remarks correctly, you're suggesting I should unplug (or heavily firewall, even more so than the NAT I use today) my iMac because Apple no longer pushes security updates for it, or else be criminally liable.
Those laws are ideal, but would never be enforced anyways. What police officer wants to spend hours at a time checking the versions of each and every installed software application to verify that a machine is "secure"? And how many of the 245 million Internet users in the United States are going to constantly check the vulnerability disclosure lists to know when to uninstall/upgrade software to maintain compliance? I suppose it would mean a return to 1974's small ARPANET with a few thousand users across the nation.
I'm not sure about your comments re: keys.
It seems relatively easy to design a botnet to be peer to peer and yet not able to be taken over by a rogue node. Consider a P2P overlay network where each node plays "Chinese whispers" and forwards any packet to all neighbours (with some TTL limit).
The botnet owner creates a public/private keypair, and uses his private key to sign control messages. Each host takes each incoming packet and checks if it is signed by the botnet owner, which requires the public key of the botnet owner, and is built into the code. If someone reverse engineers a node, all they have is the public key, so they can't sign messages (since signing requires a private key).
An attacker could still DoS this network with unsigned Control messages, but that can easily be thwarted by:
a) never forward any unsigned message
b) forward signed messages only if its version number is higher than the last forwarded message.
To hide himself and operate the network, the botnet owner can use TOR or some other anonymising service to connect randomly to any node in the network (rather like utorrent DHT does), and send a signed control message with a version number higher than any seen before by the network.
By the way, I think you were mixing up encryption with authentication. You are right that the control messages can't be encrypted, since they must be able to be decrypted by any node in the network, and hence security researchers have access to whatever key they are encrypted with, and can also decrypt them.
They can however be signed (authenticated) to prevent anyone but the real botnet owner from sending them.
(note, all of this is assuming asymmetric (eg. RSA) cryptography - where one key is used for encryption, and another for decryption, or equally one key for signing, and another for validating)
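The design in the post above (signed control messages, rules a) and b), a public key baked into every node) and the later "Red Flag" post about keys built into the binary make the same point: pulling the public key out of a node does not let a researcher forge commands, so sinkholing through key extraction fails and remediation of the infected hosts is what is left. The following Go program is an added example written for this thread, not code from Symantec, the ZeuS authors or any commenter; the message format (version || payload, Ed25519 signature), the function names and the sample payloads are all constructed here. Rule b) also doubles as the loop breaker the other commenter describes, since a copy that comes back around carries an already-seen version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// ControlMsg is a constructed wire format for this example: a monotonically
// increasing version number, an opaque payload, and a signature over both.
type ControlMsg struct {
	Version uint64
	Payload []byte
	Sig     []byte
}

// signedBytes returns the bytes the signature covers (version || payload),
// so neither field can be changed without invalidating the signature.
func (m ControlMsg) signedBytes() []byte {
	buf := make([]byte, 8, 8+len(m.Payload))
	binary.BigEndian.PutUint64(buf, m.Version)
	return append(buf, m.Payload...)
}

// SignControl is the one step that needs the private key.
func SignControl(priv ed25519.PrivateKey, version uint64, payload []byte) ControlMsg {
	m := ControlMsg{Version: version, Payload: payload}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Node models a peer that ships with only the owner's public key baked in.
type Node struct {
	OwnerPub    ed25519.PublicKey
	lastVersion uint64
}

// Accept applies rule a) (drop anything not signed by the owner) and rule b)
// (relay only if the version is higher than the last one relayed).
func (n *Node) Accept(m ControlMsg) bool {
	if !ed25519.Verify(n.OwnerPub, m.signedBytes(), m.Sig) {
		return false
	}
	if m.Version <= n.lastVersion {
		return false
	}
	n.lastVersion = m.Version
	return true
}

// Outcome records whether the node relayed each kind of message.
type Outcome struct {
	Genuine, Replay, Tampered, Forged, Newer bool
}

// RunScenario plays out the argument against a single node.
func RunScenario() (Outcome, error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	node := &Node{OwnerPub: ownerPub}
	var out Outcome

	// 1. A genuine command from the key holder is relayed.
	genuine := SignControl(ownerPriv, 1, []byte("update config v1"))
	out.Genuine = node.Accept(genuine)

	// 2. The same message arriving again (flood loop or replay) is dropped.
	out.Replay = node.Accept(genuine)

	// 3. Altering the payload of a genuine message breaks the signature.
	tampered := SignControl(ownerPriv, 2, []byte("update config v2"))
	tampered.Payload = []byte("uninstall yourself")
	out.Tampered = node.Accept(tampered)

	// 4. A researcher who only recovered the public key signs with a key pair
	//    of their own; the node has no reason to trust it.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	forged := SignControl(otherPriv, 99, []byte("uninstall yourself"))
	out.Forged = node.Accept(forged)

	// 5. A later genuine message with a higher version still gets through.
	out.Newer = node.Accept(SignControl(ownerPriv, 2, []byte("update config v2")))
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run .`; only Genuine and Newer come back true. The rejected cases are exactly the ones the thread argues about: the rogue node never gets past the signature check, so the realistic defensive response is detecting and cleaning infected hosts rather than trying to seize control of the network.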
There is no need for a private key for the signature nor the need for a signature authority. If I were to give you a public key and I sent you a signed message, you could verify the message came from me as long as my private key was hidden from a third party.
This setup still requires C&C software, but as long as the C&C software is not distributed, each node cannot initiate a command, but can propagate an already signed one. There would need to be a program that can insert a new signed command, but that need not be on every node. It would be much like Gnutella - maintain a list of nodes to connect to and if you get in, you issue your command - disconnect from the network and you can reconnect at will from another IP address.
When all else fails, try.
The article is not wrong. There is no need for a C&C server, which doesn't mean there aren't people with computers controlling it...
Exactly. They can put instructions out on the P2P network and it will just look like another infected machine "sharing" with its brother bots.
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
This comes as a surprise to anyone? Really? I attended conferences almost 10 years ago listening to and giving speeches about stuff like this. The technology is trivial, the only reason the bad guys haven't moved to the hardened networks stuff yet is because there simply was no need.
If you want to know what's next, I can dig out my old slides. A guy from Britain and I came up with several highly resistant network designs. I think our final one would remain largely intact if you took out 90% of its nodes.
Like all things in fighting spam and large-scale scams, eliminating the C&C servers was one step that was useful for a short span in time. There are still old botnets out there that you can take out with this approach, but the more advanced ones have left that window of opportunity now.
As long as our politicians refuse to tackle the fundamental problem - that of tiny crimes in massive quantities - we're stuck. Our legal system still works by "cases", adapted to a physical world where the crime has an easily enumerated set of victims, each of which having suffered considerable damage. The legal and political systems still don't understand both the tiny and massive scales they need to deal with in a virtual world. Scam 10 people out of $1000 each and you'll get a court case and jail time. Scam 1,000,000 people out of a cent each and nobody in law enforcement will care, even though the damage to society is the same.
Assorted stuff I do sometimes: Lemuria.org
If they were smart, they would have used public key cryptography to ensure that only commands signed by the bot-net author will be accepted. Assuming the RSA key is strong enough, it would be impossible for anyone else to send commands short of an as-yet-unknown weakness in RSA or a bug in the bot-net code.
Popularity only means attractive target. Vulnerable is not related to popular except that it also makes the target more attractive.
The gold in Fort Knox is attractive. However, the security of Fort Knox is so unattractive that it offsets the attraction the gold has to would-be thieves. The result? Crooks knock off small banks instead. The money is only attractive if it's reasonably easy enough to get.
Microsoft's market share on the desktop has not changed in a significant way. Yet, most agree that Windows has become more secure despite the fact that we've been told by idiots like you that it was impossible because of their market share lead.
Installing AV and security products doesn't affect OS market share either, but most agree that it improves security. Again, market share is just a small part of the equation.
Adobe's Flash and PDF viewer were very widely deployed and have never been secure, ever. They were largely ignored up until Microsoft started making their browser and OS more secure. At that point we saw malware shift to Adobe products. They didn't suddenly become more popular back at the end of 2009 when researchers projected Flash and Reader as the new attack vector of choice. The MS vulnerability well was drying up. It wasn't a shift in market share. It was a shift in security. MS got some and Adobe didn't.
Considering the rapid growth of Chrome, why aren't security researchers saying it's the next big attack vector? It certainly has experienced a "surge" in popularity.
You don't need that if the bot simply broadcasts any control message it receives to a known port on any computers it can find (without caring whether they are infected or not or whether the message got through). If enough machines are infected (and if the bot-net masters send the new message to enough initial known-infected hosts) then the message will be dispersed widely enough that most of the infected hosts will pick it up.
That's not a serious answer. 'Faster than before' is meaningless in practical terms when the time to crack is going down from twenty times the life of the universe to five times.
There is no one node controlling the ensemble, yet they still need to coordinate their operations. The nodes must perform a sort of hopping from one control-frequency (for lack of a better analogy) to another so they can't be followed.
I don't know the meaning of the word 'don't' - J
So, would they be able to monitor the traffic and watch for new commands spreading and track the route those are coming from to find the computer that the new C&C stuff is flowing from? Seems like it would be hella difficult and time consuming, but possible.
What people like you do not seem to remember (or maybe you are too young?) is that before Windows had a TCP/IP stack, even before Trumpet Winsock, Unix and VMS systems were notoriously exploited. Check the history of CERT advisory listings and it's nothing but Unix and VMS systems being exploited until a phase change occurred when Windows PCs began to so overwhelmingly dominate the internet.
History proves it. Some of the folks here born before 1975 know this to be true, because we were the ones breaking into Unix and VMS systems back then. The majority of the internet was Unix, so that was what was targeted. Now the majority of the internet is Windows and that is again what is targeted... and now the owners of these systems are far less sophisticated.
"His name was James Damore."
The answer is people need to be held accountable for their machines. The Internet is a public good just like roads. We don't let you operate an unsafe vehicle on our public roads, you can't operate an unsafe computer on our Internet.
If your machine is spamming or propagating malware, yes, your access should be terminated until you fix it. Just because someone else may have done the damage by infecting your box does not mean you are not still obligated to fix the problem, just like if someone smashes your headlights while your car is parked some place YOU still have to fix them.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
That's something the original article doesn't mention: Is the listening port on an infected computer static or not? If it's static, then a simple, and therefore quick, nmap scan of an IP space will reveal possible infected hosts on a network. You'd need to do further investigation to weed out the false positives, but it shouldn't be too hard to come up with a fingerprinting query to further narrow it down. Depending on how well it's set up, just looking for nginx Web servers may be enough to get a good idea of infected machines.
If it's random, then look for port scans coming from infected machines. Still would be some false positives, but you can narrow down the list fairly quickly.
If the listening port changes daily, hourly, etc. based on a formula, then you'll need to reverse the formula. And it would have to be based on a formula for the other nodes to find it without the noise of a port scan. But once you do reverse it, then you're effectively back to the static port scenario.
What are you blabbering about? Because VMS and traditional Unix could be broken into, we do not need better security today? What kind of broken reasoning is that? And what about all the advances in software engineering and also secure software engineering (mostly ignored in practice and academic curricula)? People will not start to do better until there is significant incentive to do so. Software can be written so that it is really hard to break into. It is just more expensive.
So, while you may consider yourself a hacker of the first hour (we had some of them in our CS course back then, all except one pathetic losers who could not hack the math and algorithm courses), don't you notice that these problems should have been fixed in the meantime?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I get the p2p part, encryption & so on, but how does one peer find out where the others are?
"Blah blah blah." - [citation needed]
Never omit that salient point. It matters.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Indeed, but if someone could get the key they could sign a message saying "uninstall yourself".
The security of the system relies on the bot-maker never revealing his private key. HTTPS security relies on having secure private keys in the same way, and that works...
If the signatures need to be verified by a signature authority controlled by the attackers
Red Flag 1: You don't know how Public Key Cryptography works.
There is nothing magical about Certificate Authorities like Verisign. All they do is generate a random N-bit public/private key pair that meets certain mathematical rules (must be prime) then stick it inside a certificate (X.509 standard) then sign that certificate using the Verisign private key. How do people know what the Verisign public key is? The key is built-in to Windows, Firefox, Chrome, etc. All these programs have nothing more than a

    const unsigned char verisign_public_key[] = {
        /* key bytes */
    };
(Exact format differs, usually Verisign's self-signed X.509 will be stored in the out-of-the-box key store but there's nothing magical about that)
Otherwise, the commands must be self-signed, so an ordinary man-in-the-middle attack on any one of the nodes could reveal the signature to you.
Red Flag 2: You don't know how cryptographically secure communication protocols work.
You've clearly picked up some vague knowledge about SSL/TLS and have bluntly assumed that every encrypted protocol works the same way. Hint: They don't. The command protocol in question is most likely going to function like SSH (if it isn't actually SSH): if you have the public key stored locally (see Verisign key above) inside the botnet software and you have the private key on the C&C system so that it never touches the network, then there is no MITM possibility. Hell, you don't even need to encrypt really, just signing is good enough.
MITMs exist because SSL sends the public key across the network from the server; if someone intercepts the key transfer then they can insert their own key instead. If the key isn't sent then it can't be intercepted (see laws of physics), there is nothing magical about it.
But I have never done anything like that before, it is probably much more difficult than I am making it sound.
As the other AC said, if you don't know anything about the relevant field then don't try to speak as though you have any sort of authority. Buy yourself a copy of Bruce Schneier's 'Applied Cryptography' before you try to do anything related to cryptography in future, it'll save you and your users from a world of hurt.