The P2P network architecture enables the botnet to stay alive and gather information, even if portions of the network are shut down, observed Andrea Lelli in a Symantec blog.
The new Zeus/SpyEye variant appears to have discarded the C&C server and to use a P2P network architecture exclusively.
“This means that every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots – every compromised computer is capable of providing data to the other bots”, Lelli wrote.
“We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers”, she added.
Law enforcement has been able to take down botnets in the past by shutting down the C&C servers. However, with a P2P network architecture, a botnet can avoid this single point of vulnerability.
“If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture”, Lelli concluded.
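The contrast the article draws, a bot that beacons to one C&C server versus a bot that talks to many peers, is also what a defender sees in outbound flow data once a server takedown or blocklist no longer applies. The following is an added illustration, not Symantec's code or analysis: it profiles per-host peer fan-out over a small set of constructed flow records and labels hosts whose traffic is concentrated on a single endpoint versus spread across many peers. Thresholds and the sample addresses are assumptions.

```python
from collections import Counter, defaultdict

# Constructed outbound flow records: (internal_src, external_dst, dst_port).
# Hypothetical sample data, not taken from the Symantec analysis.
FLOWS = (
    [("10.0.0.5", "203.0.113.10", 443)] * 12                          # one fixed C&C endpoint
    + [("10.0.0.7", f"198.51.100.{n}", 31337) for n in range(1, 9)]   # eight distinct peers
    + [("10.0.0.9", "93.184.216.34", 443)] * 3                        # ordinary web traffic
)

def peer_profile(flows):
    """Per internal host: number of distinct external peers, flow count,
    and the share of flows going to the single most-contacted peer."""
    by_host = defaultdict(Counter)
    for src, dst, _port in flows:
        by_host[src][dst] += 1
    profile = {}
    for src, peers in by_host.items():
        total = sum(peers.values())
        profile[src] = {
            "distinct_peers": len(peers),
            "flows": total,
            "top_peer_share": peers.most_common(1)[0][1] / total,
        }
    return profile

def classify(stats, min_flows=8, fanout=5, concentration=0.9):
    """Label one host's profile (thresholds are assumed, tune per network).
    'centralized': repeated contact with one endpoint, the pattern a server
    takedown or IP blocklist disrupts. 'p2p-like': many distinct peers with
    no dominant one, i.e. no single point that can be shut down."""
    if stats["flows"] < min_flows:
        return "normal"
    if stats["distinct_peers"] >= fanout and stats["top_peer_share"] < 0.5:
        return "p2p-like"
    if stats["top_peer_share"] >= concentration:
        return "centralized"
    return "normal"

def triage(flows):
    """Map each internal host to its label."""
    return {host: classify(stats) for host, stats in peer_profile(flows).items()}

if __name__ == "__main__":
    for host, label in triage(FLOWS).items():
        print(host, label)
```

Legitimate peer-to-peer software (VoIP, content delivery, file sharing) produces the same fan-out signature, so a host flagged as p2p-like is a lead for host-level investigation rather than a verdict on its own.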