Today another “Hack Note” on my blog to point you out to a great analysis of ZeuS evolutions. I definitely suggest the reading titled “ZeuS-P2P” by Cert Polska because, in my personal opinion, it describes one of the most important evolutions of a “bot kit” happened so far: the distribution of the Command aNd Control (CNC) module. As you might remember the CNC modules evolved from single access point (such as IRC, Twitter, FaceBook, and so on) to multiple access points (often by implementing a Domain Generation Algorithm, DGA), in where attackers had a bounch (~1000) of domains to generate and/or to compromise in order to spread commands to the infected hosts. The last ZeuS versions have been using a nice alternative: the P2P protocol. Specifically ZeuS bot-kit has been using a P2P protocol very close (in term of code) to Kademlia (xor map based). The following image taken from the aforementioned document written by Cert Polska, nicely illustrates the flow between the attacker and the attacked user.
The paper follows on describing interesting detatils about the new “ZeuS generation malware” including (decompiled) source code and highlighting interesting sections such as:PROXY_SERVER_HOST string replacement, DDoS module, HTTP DDoS variant module, DhTUdp DDos, Digital Signature verification (another great improvements respect to the “OLD versions”), and so on. Aditionally fully reversed-engineered P2P protocol can be found on a dedicated chapter. Have a nice reading !