Which are the security improvements in the critical update proposed by criminal ecosystem for P2P Zeus Botnet? Fortinet experts detected and analyzed it.

Security experts at Fortinet have uncovered a critical update proposed by criminal ecosystem for P2P Zeus Botnet.

The first P2P Zeus variant was uncovered by Trusteer firm a couple of years ago, it was used in a series of attacks against principal internet service providers and targeting users of popular web services including Facebook, Hotmail,Yahoo and  Google Mail.

Zeus has evolved since the leak of its source code in the underground, security experts have discovered different versions, including 64bit instances and variant able to exploit Tor network to hide their C&C.

Zeus P2P, like others, is used mainly for banking fraud due its ability to steal banking credentials from victims, current variant supports both the UDP and TCP protocols.

“Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates.” reports the official post.

Fortinet botnet monitoring system discovered that the malware author released a critical update to its P2P botnet. Since the experts started to monitor the Zeus P2P botnet traffic, they have observed that the version number reported in the encrypted update packets is passed from 0x38 (September 2013) to 0x3B (detected on April 8th 2014).

z1 z2

Every P2P Zeus code analyzes the version number from the update packet, and compares it with the one hardcoded in its code to evaluate the necessity to update itself.

The experts at Fortined analyzed the new Zeus P2P critical update noting a few minor changes apart the abilities of the new binary to drop a rootkit driver file into the %SYSTEM32%drivers folder.

The rootkit was used by malware author to hide the presence of the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.

The discontinuation in the version number suggests to the expert that between the versions there were test versions occasionally appeared in the P2P network, “but they are not being pushed as an update to all peers“.

The new P2P Zeus is more resilient thanks the use of  the rootkit, let’s wait for further improvement, the Zeus factory never stops.

Pierluigi Paganini

(Editor-In-Chief, CDM)

rsa-logo