Things are starting to get a little tougher in the botnet world. This year we have witnessed many shutdowns of major botnets and their owners arrested. We have also seen money mules arrested and - more importantly - arrests for the creators of the Trojan creation kits (Mariposa Butterfly toolkit). Clearly everybody in the botnet food chain is beginning to feel pressure these days and as in any business, tough times often trigger the consolidation of operators in the competitive landscape. According to an interesting report by Brian Krebs a couple of days ago, he noted that the Zeus (Zbot) toolkit creator has left (or perhaps sold) his business and the creators of the SpyEye toolkit have now taken over the support and development of the Zeus toolkit. This is an interesting development from a number of angles.
Firstly, there has always been a bit of a rivalry between the two botkit developers. From its early days, SpyEye contained functionality that was designed to detect and kill the Zeus Trojan, if it happens to compromise a computer that already has Zeus running on it. Clearly this functionality was added in recognition of Zeus being a widespread problem, likely to be encountered on computers also compromised by SpyEye. So for the SpyEye Trojan to make the best use of the captured computer, its best move is to make sure that any Zeus Trojans are killed off first. Subsequent investigations back in April of this year found that the “SpyEye kill Zeus” feature can only deal with a small percentage of them. SpyEye talked a good fight but in reality failed to deliver the knockout blow. Given this undercurrent between the makers of Zeus and the makers of SpyEye, it’s all the more interesting that the creators of SpyEye now apparently own the Zeus kit.
Another recent development we have seen is the emergence of a new strain of the Zeus Trojan (Zbot.B). It was first identified at around the beginning of October 2010. The new Zeus Trojans have two major features not seen in older versions—a function to infect executable files and a domain-generation algorithm. The domain-generation algorithm built into each Trojan can generate 1020 unique domain names each day, and a large subset is randomly checked for commands or updates. This technique is a leaf taken out of the Downadup worm's book—Downadup generated up to 50000 domains each day, which made standard domain-blocking techniques all but impossible to use as a protection measure.
The new Zeus attempts to use the generated domains in two ways. It may try to contact the domains using a URL like these:
• http://[GENERATED DOMAIN]/forum
• http://[GENERATED DOMAIN]/news/?s=[DWORD]
The first URL is used by the infected files for downloading new executable files and the latter for configuration information.
Given these substantial new features in the new Zeus Trojans and the information from Brian Krebs, it would not be unreasonable to surmise that this may well be the first fruits of the new Zeus/SpyEye merger. After all, the SpyEye author did promise to bring the best of both Zeus and SpyEye—a rootkit has been promised and a "bunch of work on the way". Is this the end of the "kill Zeus" function in the new SpyEye (or is it Zeus) Trojans? Only time will tell. The new owner of the Zeus product will probably continue to reshape the new Zeus and, from a business point-of-view, there's probably not much harm in trying to literally kill off the older versions to encourage uptake of the new version.