RSA Admin

Zeus C&C Server Poses as Google to Evade Detection

Blog Post created by RSA Admin Employee on Apr 17, 2013

I found something pretty unusual in our sandbox today.  It appeared to be a dead ringer for Zeus-style C&C communications, but the webserver, hosted in Russia, was climing to be www.google.com.  This is what it looked like in Security Analytics:

 

57700

57701

57720

And when I drilled into it, this is the Zeus-style query and response:

57721

I looked up the IP address and it has been associated with malware in the past.  But this is the first instance I can recall of a host that is masquerading as someone else to avoid detection.  Remember, the alias.host meta key is only populated by what the destination server claims that it is.  SA does not do any independent DNS lookups on the IP destinations. 

 

The destination IP has been added to our RSA FirstWatch C2 IP feeds available for deployment via Live.

Outcomes