Zeusbot/Spyeye variant uses peer-to-peer network model

22 February 2012

A Zeusbot/Spyeye variant is using a peer-to-peer (P2P) network architecture, rather than a simple bot to command-and-control (C&C) server system, making the botnet much harder to take down.

The P2P network architecture enables the botnet to stay alive and gather information, even if portions of the network are shut down, observed Andrea Lelli in a Symantec blog.

The new Zeus/Spyeye variant appears to have discarded the C&C server and to use a P2P network architecture exclusively.

“This means that every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots – every compromised computer is capable of providing data to the other bots”, Lelli wrote.

“We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers”, she added.

Law enforcement has been able to take down botnets in the past by shutting down the C&C servers. However, with a P2P network architecture, a botnet can avoid this single point of vulnerability.

“If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture”, Lelli concluded.
