The novelties inside the last critical update for P2P Zeus

Which are the security improvements in the critical update proposed by criminal ecosystem for P2P Zeus Botnet? Fortinet experts detected and analyzed it.

Security experts at Fortinet have uncovered a critical update proposed by criminal ecosystem for P2P Zeus Botnet.

The first P2P Zeus variant was uncovered by Trusteer firm a couple of years ago, it was used in a series of attacks against principal internet service providers and targeting users of popular web services including Facebook, Hotmail,Yahoo and  Google Mail.

Zeus has evolved since the leak of its source code in the underground, security experts have discovered different versions, including 64bit instances and variant able to exploit Tor network to hide their C&C.

Zeus P2P, like others, is used mainly for banking fraud due its ability to steal banking credentials from victims, current variant supports both the UDP and TCP protocols.

“Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates.” reports the official post.

Fortinet botnet monitoring system discovered that the malware author released a critical update to its P2P botnet. Since the experts started to monitor the Zeus P2P botnet traffic, they have observed that the version number reported in the encrypted update packets is passed from 0x38 (September 2013) to 0x3B (detected on April 8th 2014).

z1 z2

Every P2P Zeus code analyzes the version number from the update packet, and compares it with the one hardcoded in its code to evaluate the necessity to update itself.

The experts at Fortined analyzed the new Zeus P2P critical update noting a few minor changes apart the abilities of the new binary to drop a rootkit driver file into the %SYSTEM32%drivers folder.

The rootkit was used by malware author to hide the presence of the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.

The discontinuation in the version number suggests to the expert that between the versions there were test versions occasionally appeared in the P2P network, “but they are not being pushed as an update to all peers“.

The new P2P Zeus is more resilient thanks the use of  the rootkit, let’s wait for further improvement, the Zeus factory never stops.

Pierluigi Paganini

(Editor-In-Chief, CDM)





FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.