Slashdot Mirror

← Back to Stories (view on slashdot.org)

New ZeuS Botnet No Longer Needs Central Command Servers

Posted by timothy on from the andromeda-strain dept.

c0mpliant writes "Researchers at Symantec have identified a new variant of the ZeuS botnet which no longer requires a Command and Control server. The new variant uses a P2P system, which means that each bot acts like a C&C server, but none of them really are. The effect of which is that takedowns of such a network will be extremely difficult because there is no one central source to attack."

3 of 137 comments (clear)

  1. Re:They still need a C&C by neokushan · · Score: 5, Informative

    If my understanding is correct, the entire Zeus network now communicates amongst itself. There's no intermediate sites, IRC channels, twitter accounts, etc.
    This also means that any infected machine can act as the C&C. If that machine gets taken down, all the zeus authors need to do is use another node and keep going. It'll be extremely difficult to trace where the commands are genuinely coming from unless they happen to have access to the C&C server that originally sent the command, then hope that some sort of trail has been left - not an easy task, really

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  2. Re:They still need a C&C by Kjella · · Score: 5, Insightful

    You're still thinking in terms of a C&C, when it doesn't apply anymore. Think of it more like a contagion, there's no "C&C" humans only people in contact with other people in contact with yet more people. There is no command to become a C&C. Commands are encrypted but also signed by the operators and nodes only have the public key to that so you can't fake one. They can just introduce a command anywhere, to any node and it'll relay it to its peers, that'll relay it to it's peers again amd so on until everyone got the command. You probably use a unique ID to avoid loops, like command 0xfe36735b I've already relayed, no need to relay it again.

    --
    Live today, because you never know what tomorrow brings
  3. Re:They still need a C&C by irtza · · Score: 5, Insightful

    There is no need for a private key for the signature nor the need for a signature authority. If I were to give you a public key and I sent you a signed message, you could verify the message came from me as long as my private key was hidden from a third party.

    This setup still requries C&C software, but as long as the C&C software is not distributed, each node can not initiate a command, but can propogate an already signed one. There would need to be a program that can insert a new signed command, but that need not be on every node. It would be much like gnutella - maintain a list of nodes to connect to and if you get in, you isue your command - disconnect from the network and you can reconnect at will from another IP address.

    --
    When all else fails, try.