Announced by its developer, an individual that goes by the handle "TheGrimReap3r", this decentralized "Thor" botnet will supposedly work on Win 2000+, Win XP SP0/SP1/SP2/SP3, Win Vista SP0/SP1/SP2, Win 7 SP0/SP1 and will support x86 and x64 systems.
The buyers will also have to pay extra if they want to receive additional modules such as a form grabber, keylogger/password stealer, mass mailer, advanced bootkiller and a DDoS module. They will also be able to write their own modules.
Even though this isn't the first botnet to use P2P communication to stay afloat and under the control of its rightful botmasters, the increased amount of takedowns recently performed by security companies and law enforcement agencies has obviously made botnet developers consider creating one that relies exclusively on that type of communication.
The decentralized architecture does, indeed, keep a botnet from being taken down easily, as there are no C&C servers that can be taken over. As the botmasters can inject new commands into a different bot every time, the likelihood of law enforcement tracking them down also decreases.
But there are other dangers the botmasters face. The botnet can be taken over by other criminals or law enforcement by connecting a rogue node to the botnet and using it to "inform" the other nodes of the change of ownership.
In order to prevent that from happening, the developer has mandated that the P2P communication between bots will always be encrypted with 256-AES encryption with random key generation at each startup.
The botnet will also supposedly use DLL injection, IAT hooking and a ring3 rootkit to keep its bots under the radar of AV solutions installed on the targeted and enslaved computers.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.