P2P 'Gameover ZeuS' seen as largest bank-theft botnet

25.07.2012
LAS VEGAS -- It's the largest bank-theft botnet out there, and its peer-to-peer (P2P) design, credited to cybercrime gangs in Eastern Europe, is going to make it hugely difficult to take down, according to research put forward at the Black Hat Conference.

Dubbed Gameover ZeuS, this P2P botnet is "a private build" based on older ZeuS source code and built for bank fraud, says Brett Stone-Gross, senior researcher at Dell SecureWorks, which today published a report analyzing the botnet, first spotted in January. But instead of the typical ZeuS centralized command-and-control server, "it turns into a P2P network," he says. A P2P botnet has a big defensive advantage in escaping shutdown by authorities, because "in P2P, there's no central point to go after."


Stone-Gross said Dell SecureWorks found out a lot about Gameover ZeuS by "crawling the peers," and found evidence of 678,000 infected PCs. "It's probably the largest banking Trojan today," he says. It's all run as a private operation, probably from Russia and Ukraine, and it doesn't appear that the P2P ZeuS code is being sold online as a kit to other cybercriminals.
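How a peer crawl arrives at a population figure like the one above, as an added example that is not code from the article or from the SecureWorks report: a breadth-first crawler repeatedly asks every reachable peer for its peer list and keeps asking until no new ids appear. The overlay here is constructed at random (peer ids, neighbour lists and the NAT flag are all assumptions, not Gameover ZeuS protocol details), which is enough to show that a crawl yields two different numbers: peers that actually answered, and peer ids that were merely advertised. Peers behind NAT never answer, so the "contacted" count is a lower bound on the infected population, while the "known" count includes machines the crawler only ever heard about.

```python
import random
from collections import deque


def build_overlay(n_peers, nat_fraction, degree, seed=2012):
    """Constructed P2P overlay: every peer knows `degree` random other peers.
    Peers flagged `nat` sit behind NAT/firewalls and accept no inbound connections,
    which is the usual situation for an infected home PC (assumption, not a
    Gameover ZeuS protocol detail)."""
    rng = random.Random(seed)
    ids = list(range(n_peers))
    overlay = {}
    for pid in ids:
        others = ids[:pid] + ids[pid + 1:]
        overlay[pid] = {"nat": rng.random() < nat_fraction,
                        "neighbours": rng.sample(others, degree)}
    return overlay


def query_peer(overlay, pid):
    """Simulated peer-list request: a NAT'd peer cannot be reached, so it answers nothing."""
    peer = overlay[pid]
    return None if peer["nat"] else list(peer["neighbours"])


def crawl(overlay, seed_peer):
    """Breadth-first crawl from one seed peer.
    Returns (responded, known): the peers that answered a peer-list request, and
    every peer id that was ever advertised to the crawler."""
    known = {seed_peer}
    queue = deque([seed_peer])
    responded = set()
    while queue:
        pid = queue.popleft()
        neighbours = query_peer(overlay, pid)
        if neighbours is None:
            continue  # unreachable: counted only if some other peer advertised it
        responded.add(pid)
        for n in neighbours:
            if n not in known:
                known.add(n)
                queue.append(n)
    return responded, known


if __name__ == "__main__":
    overlay = build_overlay(2000, nat_fraction=0.3, degree=20)
    seed = next(p for p in overlay if not overlay[p]["nat"])
    responded, known = crawl(overlay, seed)
    print(f"contacted {len(responded)} peers, saw {len(known)} distinct peer ids")
```

The gap between the two numbers is the reason researchers report a figure like 678,000 with some caution: ids seen only in other peers' lists may be stale, and on a real network the same machine can show up under several IP addresses over time.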

The gang behind this P2P ZeuS botnet relies on the Cutwail spam botnet to "send massive amounts of email that impersonate well-known brand names including online retailers, cellular phone companies, social networking sites, and financial institutions," according to the SecureWorks report. The spam typically delivers what's called the Pony loader, which "attempts to download the P2P ZeuS binaries from three hardcoded compromised web servers," the report adds.

In some ways, the P2P version of the ZeuS Trojan is much like its predecessors, capturing information from a victim by means of keystroke logging, form grabbing and credential scraping. "Moreover, ZeuS provides the ability to modify the HTML of a target website, and/or inject additional form fields to dupe a victim into entering sensitive information, a process known as web injects," the report says. P2P ZeuS supports both IPv4 and IPv6 addresses.
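What a web inject actually does to a page, as an added example that is not code from the article or from the SecureWorks report: the Trojan holds a configuration of rules keyed by URL mask, and when the victim's browser receives a matching page it splices extra HTML into the server's response before the browser renders it. The rule syntax below follows the set_url / data_before / data_inject / data_after layout of the classic ZeuS webinjects file; the sample configuration, the login page and the exact matching semantics (text between data_before and data_after is replaced by data_inject, an empty data_after means "insert right after data_before") are assumptions made for this example, not a real sample. The extra "ATM PIN" field is submitted with the real form and captured by the form grabber described above.

```python
import re

# Constructed ZeuS-style webinject configuration (illustrative, not a real sample).
# set_url takes a wildcard URL mask and flags: G = apply to GET, P = apply to POST.
# The server's text between data_before and data_after is replaced with
# data_inject; an empty data_after means "insert right after data_before".
WEBINJECTS = """\
set_url https://online.bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed login page, as the bank's server would send it.
SAMPLE_HTML = """<form method="post" action="/login">
<label>User ID <input type="text" name="userid"></label>
<label>Password <input type="password" name="password" autocomplete="off"></label>
<input type="submit" value="Sign in">
</form>"""


def parse_webinjects(text):
    """Parse set_url / data_before / data_inject / data_after blocks into rule dicts."""
    rules, rule, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            rule = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                    "before": "", "inject": "", "after": ""}
            rules.append(rule)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if rule is not None and section is not None:
                rule[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def mask_to_regex(mask):
    """ZeuS masks use '*' as a wildcard; everything else is literal text."""
    return re.compile(".*?".join(re.escape(p) for p in mask.split("*")), re.S)


def apply_rule(rule, url, method, html):
    """Return html with this rule's injection applied, or unchanged if it does not match."""
    if method[0].upper() not in rule["flags"]:      # G/P: only GET or POST responses
        return html
    if not mask_to_regex(rule["url"]).fullmatch(url):
        return html
    if not rule["before"]:
        return html
    m_before = mask_to_regex(rule["before"]).search(html)
    if not m_before:
        return html
    start = end = m_before.end()
    if rule["after"]:
        m_after = mask_to_regex(rule["after"]).search(html, start)
        if not m_after:
            return html
        end = m_after.start()
    return html[:start] + rule["inject"] + html[end:]


def inject_page(rules, url, method, html):
    """Apply every matching rule in order, as the Trojan does on the response path."""
    for rule in rules:
        html = apply_rule(rule, url, method, html)
    return html


if __name__ == "__main__":
    rules = parse_webinjects(WEBINJECTS)
    print(inject_page(rules, "https://online.bank.example/login?lang=en", "GET", SAMPLE_HTML))
```

Because the splice happens inside the victim's browser after TLS has been stripped, the bank's server sees a perfectly valid request and the padlock in the address bar stays green; the only place the extra field can be noticed is in the rendered page itself, or server-side as a form submission carrying a parameter the bank never asked for.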