Update could make it more difficult to take down fraud operations, researcher says

Tim Wilson, Editor in Chief, Dark Reading, Contributor

October 13, 2011

2 Min Read

The popular Zeus malware has been enhanced with a peer-to-peer technology that allows it to receive orders without going through a central command-and-control (C&C) server -- an enhancement that could make it harder to track and take down, researchers say.

According to news reports, the new version of the Murofet ZeuS variant could make it harder for researchers and law enforcement to disrupt botnets by finding and disrupting their C&C servers.

"As with any set of tools, many different things can be built or modified -- and so it goes with the latest variant of Zeus to make the rounds," says Andy Hayter, anti-malcode program manager at ICSA Labs, which tests security products. "Going from random creation of domain names, this new variant uses hard-coded IP addresses to help spread, update, and infect additional computers."

The new Zeus malware is designed to attack online banking customers with the intent of stealing their data, experts said. With the growing popularity of mobile banking applications, portable devices could be a key target.

"Zeus is the flagship of mobile malware," says Tom Kellermann, CTO at mobile security vendor AirPatrol. "Zeus is ushering in the era of mobile attacks because of the mobile banking phenomenon. This should serve as a cautionary tale to the financial sector. The bank robbers of 2011 have commandeered your armored truck."

Since it now uses P2P, Murofet no longer uses a static URL to download binary updates and configuration files, researchers and news reports say. But it still uses a central domain, so while the new version might be harder to track, it's not unbeatable, they say.

"P2P functionality makes [the new variant] much more resilient to takedown efforts and gives its controllers flexibility in how they run their fraud operations," says Swiss researcher Roman Hussy, in his blog.

Hussy, who has created services that track Zeus and SpyEye, says it's unlikely that the new variant will become a popular item for sale on the black market.

"So are we talking about a new Zeus version, which we will see being sold in the underground soon? I don’t think so," Hussy's blog says. "This seems to be just another custom build. But there is one thing that makes this custom build unique: This build is much more sophisticated than all other Zeus builds I’ve seen before."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights