This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

It's Raining Zbot! New Variant Turns to Cloud for Strength

RSAAdmin
Beginner
Beginner
‎2013-07-15 03:42 PM

RSA FirstWatch has detected a new Zbot variant that utilizes multiple cloud services providers to strengthen their command and control ability.  While malware in the cloud has been discussed and observed for years, what makes this variant of Zbot different is that it doesn't behave like most variants detected over the past 6 months.

           

For the past six months and more, Zbot has been using UDP packets for command and control.  Typically there are anywhere from 5 to 15 command and control servers, each listening on a separate UDP port.  Many of these servers are home computers. If one or more of these hosts gets taken offline the botnet will still be able to send and receive commands since the other hosts provide a layer of resiliency. It’s a safety in numbers game.

This latest Zbot variant uses a single UDP port of 80 to 5 servers, each of which is hosted in a high-availability cloud.  Instead of needing a dozen unreliable systems spread around the world, it only needs 4 or 5 that are high-speed and guaranteed by the hosting service to be up and active.

How did RSA FirstWatch detect it?

We eliminated all of our known intelligence, or app rules we have created to identify things that we already know about.  What was left was a recognizable pattern of filename requests that seemed highly suspicious.

pattern of requests.JPG.jpg

Digging into these meta elements revealed several destination servers that were each receiving requests for these filenames, all of which returned an error for a bad request.

 

badrequest.JPG.jpg

In addition to the normal HTTP requests were quite a few UDP connections on port 80 which contained command and control strings.

 

udppayload.JPG.jpg

Our Reporter Engine has a daily report that looks for unexplained UDP connections.  We use it to identify new Zbot variants.

 

cloudreport.JPG.jpg

 

When we searched VirusTotal to see if they had knowlege of these IP addresses, they turned up in a report here, identifying the activity as Tepfir/Kazy/Zbot.

 

The oddest thing about this activity is that it has a layer of "plausible deniability" about it.  There are hundreds of HTTP get requests, and each of them returned "400 Bad Request" HTTP errors.  And UDP transmissions are a one-way stream.  There is no way to know by just looking at the packets if those hosts were actually listening on port 80 UDP.

 

If you subscribe to RSA Live feeds from FirstWatch, you have already installed detection capabilities for these command and control servers.

Happy Hunting!

© 2022 RSA Security LLC or its affiliates. All rights reserved.