
New Version Of Zeus Leverages Peer-To-Peer Technology

Update could make it more difficult to take down fraud operations, researcher says

The popular Zeus malware has been enhanced with a peer-to-peer technology that allows it to receive orders without going through a central command-and-control (C&C) server -- an enhancement that could make it harder to track and take down, researchers say.

According to news reports, the new version of the Murofet Zeus variant could make it harder for researchers and law enforcement to disrupt botnets by locating and taking down their C&C servers.

"As with any set of tools, many different things can be built or modified -- and so it goes with the latest variant of Zeus to make the rounds," says Andy Hayter, anti-malcode program manager at ICSA Labs, which tests security products. "Going from random creation of domain names, this new variant uses hard-coded IP addresses to help spread, update, and infect additional computers."

The new Zeus malware is designed to attack online banking customers with the intent of stealing their data, experts said. With the growing popularity of mobile banking applications, portable devices could be a key target.

"Zeus is the flagship of mobile malware," says Tom Kellermann, CTO at mobile security vendor AirPatrol. "Zeus is ushering in the era of mobile attacks because of the mobile banking phenomenon. This should serve as a cautionary tale to the financial sector. The bank robbers of 2011 have commandeered your armored truck."

Since it now uses P2P, Murofet no longer uses a static URL to download binary updates and configuration files, researchers and news reports say. But it still uses a central domain, so while the new version might be harder to track, it's not unbeatable, they say.

"P2P functionality makes [the new variant] much more resilient to takedown efforts and gives its controllers flexibility in how they run their fraud operations," says Swiss researcher Roman Hussy, in his blog.

Hussy, who has created services that track Zeus and SpyEye, says it's unlikely that the new variant will become a popular item for sale on the black market.

"So are we talking about a new Zeus version, which we will see being sold in the underground soon? I don’t think so," Hussy's blog says. "This seems to be just another custom build. But there is one thing that makes this custom build unique: This build is much more sophisticated than all other Zeus builds I’ve seen before."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
