Slashdot Mirror


New ZeuS Botnet No Longer Needs Central Command Servers

c0mpliant writes "Researchers at Symantec have identified a new variant of the ZeuS botnet which no longer requires a Command and Control server. The new variant uses a P2P system, which means that each bot acts like a C&C server, but none of them really are. The effect is that takedowns of such a network will be extremely difficult because there is no one central source to attack."

10 of 137 comments

  1. Re:They still need a C&C by neokushan · · Score: 5, Informative

    If my understanding is correct, the entire Zeus network now communicates amongst itself. There are no intermediate sites, IRC channels, Twitter accounts, etc.
    This also means that any infected machine can act as the C&C. If that machine gets taken down, all the Zeus authors need to do is use another node and keep going. It'll be extremely difficult to trace where the commands are genuinely coming from unless they happen to have access to the C&C server that originally sent the command, and then hope that some sort of trail has been left - not an easy task, really.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  2. Re:They still need a C&C by errandum · · Score: 3, Interesting

    I think it's worse than that. If it works with the scheme FastTrack (for example) uses, you'd need to get the people behind the computer to actually kill it. Even if they get the original machine, they can just switch places and keep going (since there is no single point of failure, from what I read).

  3. Re:They still need a C&C by Ramin_HAL9001 · · Score: 4, Interesting

    But on the other hand, you still need to issue commands to the C&C. If you can figure out the communication protocol used to assign C&C powers to a node, then security researchers can easily toss out the command to become a C&C to all nodes and then sinkhole it.

    Further, I am not aware of any way to encrypt communications between the botnet's controllers and the botnet's nodes because every node will need to have the private key to decrypt incoming communications. So anyone can analyze a node and just pick out the private key, and then start issuing commands to it as though they were the operators. It just adds bulk to the botnet code, and doesn't prevent anyone from sinkholing it.

    I think the real difficulty is simply containment. If the virus is designed to spread as rapidly as possible, then you need to spend a lot of time finding nodes and taking control of them to shut them down. I think the designers of ZeuS are counting on that, and hope sheer numbers will be better than more precise control.

  4. Re:They still need a C&C by jonamous++ · · Score: 3, Insightful

    What if the commands need to be signed?

  5. Re:They still need a C&C by Kjella · · Score: 5, Insightful

    You're still thinking in terms of a C&C, when it doesn't apply anymore. Think of it more like a contagion: there are no "C&C" humans, only people in contact with other people, in contact with yet more people. There is no command to become a C&C. Commands are encrypted but also signed by the operators, and nodes only have the public key to that, so you can't fake one. They can just introduce a command anywhere, to any node, and it'll relay it to its peers, that'll relay it to its peers again, and so on until everyone got the command. You probably use a unique ID to avoid loops, like "command 0xfe36735b I've already relayed, no need to relay it again."

    --
    Live today, because you never know what tomorrow brings
  6. Re:They still need a C&C by Wierdy1024 · · Score: 4, Insightful

    I'm not sure about your comments re: keys.

    It seems relatively easy to design a botnet to be peer to peer and yet not able to be taken over by a rogue node. Consider a P2P overlay network where each node plays "Chinese whispers" and forwards any packet to all neighbours (with some TTL limit).

    The botnet owner creates a public/private keypair, and uses his private key to sign control messages. Each host takes each incoming packet and checks if it is signed by the botnet owner, which requires the public key of the botnet owner, and is built into the code. If someone reverse engineers a node, all they have is the public key, so they can't sign messages (since signing requires a private key).

    An attacker could still DoS this network with unsigned Control messages, but that can easily be thwarted by:
    a) never forward any unsigned message
    b) forward signed messages only if its version number is higher than the last forwarded message.

    To hide himself and operate the network, the botnet owner can use Tor or some other anonymising service to connect randomly to any node in the network (rather like the uTorrent DHT does), and send a signed control message with a version number higher than any seen before by the network.

  7. Re:They still need a C&C by irtza · · Score: 5, Insightful

    There is no need for a private key for the signature nor the need for a signature authority. If I were to give you a public key and I sent you a signed message, you could verify the message came from me as long as my private key was hidden from a third party.

    This setup still requires C&C software, but as long as the C&C software is not distributed, each node cannot initiate a command, but can propagate an already signed one. There would need to be a program that can insert a new signed command, but that need not be on every node. It would be much like Gnutella - maintain a list of nodes to connect to and if you get in, you issue your command - disconnect from the network and you can reconnect at will from another IP address.

    --
    When all else fails, try.
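The design sketched across the last three comments (operator-signed commands, nodes that embed only the public key, forward-only-if-signed, forward-only-if-version-is-higher, inject anywhere and let the overlay flood) is a small enough protocol to simulate end to end. The following is an added example written for this page, not code from Symantec's analysis or from any ZeuS sample; the ring-plus-chord topology, the 20-node size, the `Command` layout and the use of Ed25519 are all my assumptions. It shows why the "just extract the private key from a node and sinkhole it" approach in comment 3 does not work against a signed design: a captured node yields a public key only, so a forged command is dropped, and a replayed genuine command is dropped by the version rule.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Command is one control message as it travels through the overlay:
// a monotonically increasing version, an opaque payload, and the
// operator's signature over (version || payload). Layout is assumed.
type Command struct {
	Version uint64
	Payload []byte
	Sig     []byte
}

// signedBytes is the exact byte string that gets signed and verified.
func signedBytes(version uint64, payload []byte) []byte {
	buf := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(buf, version)
	copy(buf[8:], payload)
	return buf
}

// Sign is the only step that needs the private key, so only the
// operator (or whoever holds that key) can produce an acceptable Command.
func Sign(priv ed25519.PrivateKey, version uint64, payload []byte) Command {
	return Command{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Node is one infected host. It carries only the operator's public key,
// so reverse-engineering it gives nothing that can forge a command.
type Node struct {
	ID          int
	OperatorPub ed25519.PublicKey
	LastVersion uint64
	Peers       []*Node
	Executed    []string
}

// Deliver applies the forwarding rules from the thread:
//   - drop anything whose signature does not verify under the operator key
//   - drop anything whose version is not strictly higher than the last one
//     accepted (this also stops replays and relay loops, so no separate
//     "already seen" ID list is needed)
//   - otherwise execute the payload and relay to every peer
// It reports whether this node accepted the message.
func (n *Node) Deliver(c Command) bool {
	if !ed25519.Verify(n.OperatorPub, signedBytes(c.Version, c.Payload), c.Sig) {
		return false
	}
	if c.Version <= n.LastVersion {
		return false
	}
	n.LastVersion = c.Version
	n.Executed = append(n.Executed, string(c.Payload))
	for _, p := range n.Peers {
		p.Deliver(c) // peers that already hold this version simply drop it
	}
	return true
}

// BuildRing builds an assumed toy overlay: n nodes on a ring, each also
// linked to the node halfway around, so a message injected anywhere floods
// the whole network in a few hops.
func BuildRing(n int, pub ed25519.PublicKey) []*Node {
	nodes := make([]*Node, n)
	for i := range nodes {
		nodes[i] = &Node{ID: i, OperatorPub: pub}
	}
	for i, nd := range nodes {
		nd.Peers = []*Node{nodes[(i+1)%n], nodes[(i+n-1)%n], nodes[(i+n/2)%n]}
	}
	return nodes
}

// Coverage counts how many nodes executed the given payload.
func Coverage(nodes []*Node, payload string) int {
	count := 0
	for _, nd := range nodes {
		for _, e := range nd.Executed {
			if e == payload {
				count++
				break
			}
		}
	}
	return count
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nodes := BuildRing(20, pub)

	// Operator injects version 1 at an arbitrary node; it floods the overlay.
	nodes[7].Deliver(Sign(priv, 1, []byte("update-config")))
	fmt.Println("v1 reached", Coverage(nodes, "update-config"), "of", len(nodes))

	// A researcher with a captured node has only pub: a forged command is dropped.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged accepted:", nodes[3].Deliver(Sign(rogue, 2, []byte("uninstall"))))

	// Replaying the captured v1 message is also dropped: version is not higher.
	fmt.Println("replay accepted:", nodes[3].Deliver(Sign(priv, 1, []byte("update-config"))))
}
```

The version rule does double duty: it is the anti-flooding filter from comment 6 and the loop breaker from comment 5 at once, because a node that has already applied version N will not re-accept or re-forward it. What the simulation also makes visible is where the takedown effort has to go if signing is done properly: not at the key material on the nodes, but at the operator's key, at the injection point, or at the hosts themselves.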
  8. *yawn* by Tom · · Score: 4, Insightful

    This comes as a surprise to anyone? Really? I attended conferences almost 10 years ago listening to and giving speeches about stuff like this. The technology is trivial, the only reason the bad guys haven't moved to the hardened networks stuff yet is because there simply was no need.

    If you want to know what's next, I can dig out my old slides. A guy from Britain and I came up with several highly resistant network designs. I think our final one would remain largely intact if you took out 90% of its nodes.

    Like all things in fighting spam and large-scale scams, eliminating the C&C servers was one step that was useful for a short span in time. There are still old botnets out there that you can take out with this approach, but the more advanced ones have left that window of opportunity now.

    As long as our politicians refuse to tackle the fundamental problem - that of tiny crimes in massive quantities - we're stuck. Our legal system still works by "cases", adapted to a physical world where the crime has an easily enumerated set of victims, each of which having suffered considerable damage. The legal and political systems still don't understand both the tiny and massive scales they need to deal with in a virtual world. Scam 10 people out of $1000 each and you'll get a court case and jail time. Scam 1,000,000 people out of a cent each and nobody in law enforcement will care, even though the damage to society is the same.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:*yawn* by Tom · · Score: 3, Interesting

      That depends entirely on whether you are living in the real world or in lala-land.

      Minor parties are changing the system all the time. In my country, the existence of the Green party has put issues of environmental protection, peace, critical re-evaluation of atomic power, etc. onto the agenda of all the major parties. When they started getting a sizeable share of the votes, the other parties realized they can't ignore these issues anymore.

      The same is happening with the Pirate party right now. The fact that they solidly beat out one of the old major parties in a recent election shocked all the old parties, and suddenly they are starting to listen. ACTA was stopped in my country by a minister of the very party that lost its seats in that regional parliament to the Pirate party. She's one of the smarter politicians, and she's understood that listening to the people is the only ticket her party has for survival.

      Sure, it is much slower and nuanced change than a revolution, but it also has a lot less death and destruction.
      And yes, I agree that "honest politician" is something you see once in a million.

      But unless you have a realistic, proven proposal for a better system, all the rhetoric is just bullshit, anger expressed in words, but ultimately not constructive.

      Because the first step in changing reality is accepting the current reality for what it is.

      --
      Assorted stuff I do sometimes: Lemuria.org
  9. Re:Logical evolution by Anonymous Coward · · Score: 3, Insightful

    Popularity only means attractive target. Vulnerable is not related to popular except that it also makes the target more attractive.

    The gold in Fort Knox is attractive. However, the security of Fort Knox is so unattractive that it offsets the attraction the gold has to would-be thieves. The result? Crooks knock off small banks instead. The money is only attractive if it's reasonably easy enough to get.

    Microsoft's market share on the desktop has not changed in a significant way. Yet, most agree that Windows has become more secure despite the fact that we've been told by idiots like you that it was impossible because of their market share lead.

    Installing AV and security products doesn't affect OS market share either, but most agree that it improves security. Again, market share is just a small part of the equation.

    Adobe's Flash and PDF viewer were very widely deployed and have never been secure, ever. They were largely ignored up until Microsoft started making their browser and OS more secure. At that point we saw malware shift to Adobe products. They didn't suddenly become more popular back at the end of 2009 when researchers projected Flash and Reader as the new attack vector of choice. The MS vulnerability well was drying up. It wasn't a shift in market share. It was a shift in security. MS got some and Adobe didn't.

    Considering the rapid growth of Chrome, why aren't security researchers saying it's the next big attack vector? It certainly has experienced a "surge" in popularity.