Latest news
The latest build of the Zeus/SpyEye malware shows a change that could very well hamper the security researchers' ability to take down the botnets using it and to find out the criminals behind them.According to Symantec researchers, a previous build already moved towards replacing the bot-to-C&C system with peer-to-peer capabilities so that the bots receive configuration files from other bots, and this new one has finalized the transition.
"This means that every peer in the botnet can act as a C&C server, while none of them really are one," say the researchers. "Bots are now capable of downloading commands, configuration files, and executables from other bots - every compromised computer is capable of providing data to the other bots. We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers."
Apart from making such a botnet practically immune to a takedown, the move has also the added benefit of making the tracking and blocking of IP addresses of the C&C servers obsolete.
In order for the peers to act as a C&C server of sorts, the bot now includes nGinx, an open source Web server, which makes it capable of handling HTTP requests. And those requests are not longer used only for exchanging configuration files, but also to make bots download additional malware (fake AV) and software (proxy engine).
The compression and encryption techniques used for hiding the bots from AV solutions and researchers haven't changes much with the new strain, but the exchange of data between bots now mostly happens through UDP communication, while previously TCP was used.
The researchers say that the change has likely occurred due to the fact that TCP communications are easy to track and dump, and allow anyone to impersonate a bot and successfully communicate with other bots.
"Zeus’s main infection vector is emails containing malicious attachments, pretending to look like documents. As usual be wary of emails received from unknown recipients, and never to open files received from unknown sources," they warn.
Spotlight
17% of the world's PCs are unprotected
Posted on 30 May 2012. | In a study that analyzed data from voluntary scans from an average of 27-28 million computers per month, McAfee researchers found 17% of the world is browsing the internet completely unprotected.
What's new in ISO 22301
Posted on 29 May 2012. | Currently there are many business continuity frameworks and standards around the world, but none of them have really taken the dominant position.
Trojan spyware promoted as Steam keygen
Posted on 29 May 2012. | To users looking for keygens for their Steam games, read on: we found something that will make you think twice and probably leave you steering clear of key generators forever.
New cyber weapon targets systems in the Middle East
Posted on 28 May 2012. | A new sophisticated piece of malware dubbed "Flame" has been discovered in systems belonging to users in many Middle Eastern countries and is though to have been developed by a nation state.
RuFraud scammers caught and fined
Posted on 28 May 2012. | PhonepayPlus managed to cut off a malware attack that took the form of premium SMS fraudulent apps masquerading as popular apps offered on Google Play and other online stores.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
 |
