RSA FirstWatch has detected a new Zbot variant that uses multiple cloud service providers to strengthen its command and control capability. While malware in the cloud has been discussed and observed for years, what makes this variant of Zbot different is that it doesn't behave like most variants detected over the past 6 months.
For the past six months and more, Zbot has been using UDP packets for command and control. Typically there are anywhere from 5 to 15 command and control servers, each listening on a separate UDP port. Many of these servers are home computers. If one or more of these hosts gets taken offline, the botnet will still be able to send and receive commands, since the other hosts provide a layer of resiliency. It's a safety-in-numbers game.
This latest Zbot variant uses a single UDP port, 80, to reach 5 servers, each of which is hosted in a high-availability cloud. Instead of needing a dozen unreliable systems spread around the world, it only needs 4 or 5 that are high-speed and guaranteed by the hosting service to be up and active.
How did RSA FirstWatch detect it?
We eliminated everything matched by our known intelligence, that is, the app rules we have created to identify things we already know about. What was left was a recognizable pattern of filename requests that looked highly suspicious.
Digging into these meta elements revealed several destination servers that were each receiving requests for these filenames, all of which returned a bad-request error.
In addition to the normal HTTP requests, there were quite a few UDP connections on port 80 that contained command and control strings.
Our Reporter Engine has a daily report that looks for unexplained UDP connections. We use it to identify new Zbot variants.
When we searched VirusTotal to see whether it had knowledge of these IP addresses, they turned up in a report here identifying the activity as Tepfir/Kazy/Zbot.
The oddest thing about this activity is that it has a layer of "plausible deniability" about it. There are hundreds of HTTP GET requests, and each of them returned a "400 Bad Request" HTTP error. UDP transmissions are a one-way stream, so there is no way to know, just by looking at the packets, whether those hosts were actually listening on UDP port 80.
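The hunting method described above (strip out what existing intelligence already explains, report the unexplained UDP sessions, then correlate them with destinations whose HTTP requests all come back as 400 Bad Request) can be expressed as a small script. The following is an added illustration and is not RSA FirstWatch's report or app-rule code; the record format, the sample log entries, the IP addresses, the known-destination list and the "expected UDP ports" set are all constructed for the example and do not correspond to NetWitness meta or to the real servers in the post.

```python
"""Detection logic for the UDP/80 plus HTTP-400 pattern described in the post.

Added example, not RSA FirstWatch code. Records are a constructed,
simplified flow/HTTP log (one dict per session), not NetWitness meta.
"""
from collections import defaultdict

# Constructed sample sessions. For HTTP sessions "path" and "status" are the
# requested filename and the server's response code; for UDP they are None.
SAMPLE_LOG = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "path": "/index.html", "status": 200},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "path": None, "status": None},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "proto": "tcp", "dport": 80, "path": "/x7f2a.php", "status": 400},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "proto": "tcp", "dport": 80, "path": "/k91q.php", "status": 400},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "proto": "tcp", "dport": 80, "path": "/zz3.php", "status": 400},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "proto": "udp", "dport": 80, "path": None, "status": None},
    {"src": "10.0.0.9", "dst": "198.51.100.21", "proto": "udp", "dport": 80, "path": None, "status": None},
    {"src": "10.0.0.9", "dst": "198.51.100.21", "proto": "tcp", "dport": 80, "path": "/a1b2.php", "status": 400},
    {"src": "10.0.0.3", "dst": "192.0.2.53", "proto": "udp", "dport": 53, "path": None, "status": None},
    {"src": "10.0.0.3", "dst": "192.0.2.99", "proto": "udp", "dport": 80, "path": None, "status": None},
]

# "Known intelligence": destinations already explained by existing app rules or
# allow-lists. These are eliminated first, as the post describes. Constructed.
KNOWN_DESTINATIONS = {"192.0.2.99"}

# UDP to these ports is considered explained (DNS, NTP, IPsec); anything else
# lands in the daily "unexplained UDP" report. Constructed, tune per network.
EXPECTED_UDP_PORTS = {53, 123, 500, 4500}


def unexplained_udp(records, known=KNOWN_DESTINATIONS, expected_ports=EXPECTED_UDP_PORTS):
    """Daily report: {dst: set(src)} for UDP sessions to destinations that are
    neither covered by existing intelligence nor on an expected UDP port."""
    hits = defaultdict(set)
    for r in records:
        if r["proto"] != "udp" or r["dst"] in known:
            continue
        if r["dport"] in expected_ports:
            continue
        hits[r["dst"]].add(r["src"])
    return dict(hits)


def bad_request_hosts(records, known=KNOWN_DESTINATIONS, min_requests=1):
    """{dst: (n_400, n_total)} for HTTP destinations where every observed
    request was answered with 400 Bad Request."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        if r["status"] is None or r["dst"] in known:
            continue
        counts[r["dst"]][1] += 1
        if r["status"] == 400:
            counts[r["dst"]][0] += 1
    return {dst: (n400, total) for dst, (n400, total) in counts.items()
            if total >= min_requests and n400 == total}


def correlate(records):
    """Destinations showing BOTH unexplained UDP traffic and an all-400 HTTP
    profile: the combination the post attributes to this Zbot variant. Note
    that, as the post says, packet capture alone cannot prove the host was
    listening on UDP/80; this only surfaces candidates for analyst review."""
    udp = unexplained_udp(records)
    http = bad_request_hosts(records)
    return {dst: {"udp_sources": sorted(udp[dst]), "http_400": http[dst]}
            for dst in udp if dst in http}


if __name__ == "__main__":
    for dst, info in correlate(SAMPLE_LOG).items():
        n400, total = info["http_400"]
        print(f"{dst}: UDP from {info['udp_sources']}, {n400}/{total} HTTP requests returned 400")
```

Running the script against the constructed log reports 198.51.100.20 and 198.51.100.21 and nothing else: the web server answering 200 is excluded by the HTTP check, the DNS resolver by the expected-port set, and the allow-listed host by the known-intelligence set.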
If you subscribe to RSA Live feeds from FirstWatch, you have already installed detection capabilities for these command and control servers.