Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

New Version Of Zeus Leverages Peer-To-Peer Technology

Update could make it more difficult to take down fraud operations, researcher says

The popular Zeus malware has been enhanced with a peer-to-peer technology that allows it to receive orders without going through a central command-and-control (C&C) server -- an enhancement that could make it harder to track and take down, researchers say.

According to news reports, the new version of the Murofet ZeuS variant could make it harder for researchers and law enforcement to disrupt botnets by finding and disrupting their C&C servers.

"As with any set of tools, many different things can be built or modified -- and so it goes with the latest variant of Zeus to make the rounds," says Andy Hayter, anti-malcode program manager at ICSA Labs, which tests security products. "Going from random creation of domain names, this new variant uses hard-coded IP addresses to help spread, update, and infect additional computers."

The new Zeus malware is designed to attack online banking customers with the intent of stealing their data, experts said. With the growing popularity of mobile banking applications, portable devices could be a key target.

"Zeus is the flagship of mobile malware," says Tom Kellermann, CTO at mobile security vendor AirPatrol. "Zeus is ushering in the era of mobile attacks because of the mobile banking phenomenon. This should serve as a cautionary tale to the financial sector. The bank robbers of 2011 have commandeered your armored truck."

Since it now uses P2P, Murofet no longer uses a static URL to download binary updates and configuration files, researchers and news reports say. But it still uses a central domain, so while the new version might be harder to track, it's not unbeatable, they say.

"P2P functionality makes [the new variant] much more resilient to takedown efforts and gives its controllers flexibility in how they run their fraud operations," says Swiss researcher Roman Hussy, in his blog.

Hussy, who has created services that track Zeus and SpyEye, says it's unlikely that the new variant will become a popular item for sale on the black market.

"So are we talking about a new Zeus version, which we will see being sold in the underground soon? I don’t think so," Hussy's blog says. "This seems to be just another custom build. But there is one thing that makes this custom build unique: This build is much more sophisticated than all other Zeus builds I’ve seen before."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-23691
PUBLISHED: 2021-05-14
YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.
CVE-2020-18166
PUBLISHED: 2021-05-14
Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc".
CVE-2020-18167
PUBLISHED: 2021-05-14
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Homepage Introduction" field of component "admin/info.php?shuyu".
CVE-2020-23689
PUBLISHED: 2021-05-14
In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page.
CVE-2021-25941
PUBLISHED: 2021-05-14
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.