We blogged about a parallel Zeusbot/Spyeye build near the end of last year that introduced some improvements in the botnet, moving the network architecture away from a simple bot-to-command-and-control (C&C) system and introducing the beginnings of a peer-to-peer model. This new variant now uses P2P communication exclusively in order to keep the botnet alive and gathering information.
Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was passed from one peer to another. This way, even if the C&C server was taken down, a bot could still contact other peers and receive a configuration file pointing at a new C&C server.
With the latest update, it seems that the C&C server has disappeared entirely for this functionality. Where the bots previously sent control messages to, and received them from, the C&C server, those messages are now handled by the P2P network.
This means that every peer in the botnet can act as a C&C server, while none of them really is one. Bots are now capable of downloading commands, configuration files, and executables from other bots; every compromised computer is capable of providing data to the other bots. We don't yet know how the stolen data is communicated back to the attackers, but it's possible that such data is routed through the peers until it reaches
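The takedown resistance described above (a single C&C server going away versus a configuration file that any live peer can pass on) can be shown with a small simulation. This is an added illustration, not Symantec's analysis code and not the real Zeus/SpyEye wire protocol: the bot names, the random peer overlay, the flooding rule and the configuration payload are all assumptions made to show the two models side by side.

```python
# Added illustration, not Symantec's code and not the real Zeus/SpyEye protocol.
# Bot names, the random overlay, the flooding rule and the config payload are
# constructed assumptions; the point is the contrast between a single C&C
# server and a peer-distributed configuration after a takedown.
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Bot:
    name: str
    peers: set = field(default_factory=set)  # names of overlay neighbours
    config: Optional[dict] = None            # last configuration received
    alive: bool = True                       # False once cleaned or sinkholed


def build_overlay(n: int, degree: int, seed: int = 7) -> dict[str, Bot]:
    """Give each of n bots a random peer list (constructed topology)."""
    rng = random.Random(seed)
    bots = {f"bot{i}": Bot(f"bot{i}") for i in range(n)}
    names = list(bots)
    for bot in bots.values():
        for other in rng.sample([x for x in names if x != bot.name], degree):
            bot.peers.add(other)
            bots[other].peers.add(bot.name)  # peer lists are symmetric here
    return bots


def gossip(bots: dict[str, Bot], origin: str, config: dict) -> int:
    """Flood a config file from one live peer to every live peer it can reach.

    Returns the number of bots that end up holding the new config.
    """
    if not bots[origin].alive:
        return 0
    reached = {origin}
    frontier = [origin]
    while frontier:
        current = frontier.pop()
        bots[current].config = config
        for peer in bots[current].peers:
            if peer not in reached and bots[peer].alive:
                reached.add(peer)
                frontier.append(peer)
    return len(reached)


def centralized_reach(bots: dict[str, Bot], cc_alive: bool) -> int:
    """Old model: a bot only gets its config if the single C&C server is up."""
    if not cc_alive:
        return 0
    return sum(bot.alive for bot in bots.values())


def takedown(bots: dict[str, Bot], victims: list[str]) -> None:
    """Remove bots (cleaned hosts or sinkholed peers) from the network."""
    for name in victims:
        bots[name].alive = False


def compare(n: int = 200, degree: int = 4, removed: int = 50) -> tuple[int, int, int]:
    """Return (live bots, bots reachable via C&C, bots reachable via P2P)
    after the C&C server is taken down and `removed` random peers are cleaned."""
    bots = build_overlay(n, degree)
    takedown(bots, random.Random(1).sample(list(bots), removed))
    live = sum(bot.alive for bot in bots.values())
    via_cc = centralized_reach(bots, cc_alive=False)
    origin = next(name for name, bot in bots.items() if bot.alive)
    via_p2p = gossip(bots, origin, {"version": 2})  # constructed payload
    return live, via_cc, via_p2p


if __name__ == "__main__":
    live, via_cc, via_p2p = compare()
    print(f"live bots: {live}, reachable via C&C: {via_cc}, via P2P: {via_p2p}")
```

With the C&C server gone, the centralized model reaches nobody, while the flooded configuration still reaches almost every surviving peer even after a quarter of the bots are removed; the only way to stop propagation in this model is to partition the overlay itself, which is why the P2P variant is harder to take down.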