Several changes have been made to one version of the UDP-based peer-to-peer network

Aug 22, 2013 13:32 GMT  ·  By

Malware developers are constantly improving their creations, and the developers of the notorious ZeroAccess Trojan are no exception.

In late June, Symantec researchers spotted some significant changes to the ZeroAccess peer-to-peer communication protocol, making the threat more resilient and robust against outside manipulation.

Since the second quarter of 2012, ZeroAccess has used the User Datagram Protocol (UDP) for its peer-to-peer communication. The malware maintains two UDP-based networks: one that operates on ports 16464 and 16465, and one that uses ports 16470 and 16471.

Usually, both networks are updated at around the same time. However, this time, only the peer-to-peer network that operates on ports 16464 and 16465 has been improved.
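As an added example (not from the article or from Symantec's write-up), the following defender-side check scans flow-log lines for internal hosts that fan out over UDP to many distinct peers on the ZeroAccess port pairs named above; the log line format, sample addresses and peer threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# UDP port pairs used by the two ZeroAccess P2P networks named in the article.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}

# Constructed flow-log line format (assumption, not a real sensor format):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

def parse_flow(line):
    """Return a dict for one flow line, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec

def find_p2p_talkers(lines, min_peers=3):
    """Map source IP -> sorted distinct peers contacted over UDP on a ZeroAccess
    port, keeping only sources that reach at least `min_peers` distinct peers.
    Fan-out to many peers is what separates P2P chatter from a one-off flow."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["dport"] in ZEROACCESS_PORTS:
            peers[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}

# Constructed sample flows: 10.0.0.5 fans out to four peers on 16464/16465;
# 10.0.0.9 sends one DNS query and a single flow to port 16464.
SAMPLE_FLOWS = [
    "2013-08-22T10:00:01Z UDP 10.0.0.5:53211 -> 203.0.113.7:16464 16",
    "2013-08-22T10:00:01Z UDP 10.0.0.5:53211 -> 198.51.100.21:16464 16",
    "2013-08-22T10:00:02Z UDP 10.0.0.5:53211 -> 192.0.2.44:16465 16",
    "2013-08-22T10:00:02Z UDP 10.0.0.5:53211 -> 203.0.113.99:16464 16",
    "2013-08-22T10:00:03Z UDP 10.0.0.9:40001 -> 10.0.0.1:53 64",
    "2013-08-22T10:00:03Z UDP 10.0.0.9:40002 -> 203.0.113.7:16464 16",
    "2013-08-22T10:00:04Z TCP 10.0.0.5:49152 -> 203.0.113.7:16464 1200",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, dsts in find_p2p_talkers(SAMPLE_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct peers on ZeroAccess ports: {', '.join(dsts)}")
```

Only the host reaching several distinct peers is reported; a single flow to one of the ports, or TCP traffic to them, is not enough on its own.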

In the new version, the secondary internal peer list is stored as a Windows NTFS alternate data stream and can hold over 16 million peer IP addresses, a major improvement over the old list, which held only up to 256 IP addresses.

In addition, the number of supported peer-to-peer protocol messages has been reduced from three to two.

Error checks and timeouts have been added to the malicious file download TCP connections, and the logic of how each peer contacts other peers has been changed.

“Most of the code changes made by the ZeroAccess authors in this update seem to be in response to published research on ZeroAccess or other perceived weaknesses the authors found in the code,” Symantec researchers explained.

“These changes are also further evidence that ZeroAccess continues to be actively developed and remains a threat. Symantec expects development of ZeroAccess to continue and will actively monitor the threat for those changes.”

Other malware developers are also making changes to their creations. Experts have noticed that the peer-to-peer version of ZeuS now uses a new UDP port range, a modification said to come in response to a research paper published by CERT Poland.

Additional technical details regarding the ZeroAccess improvements are available on Symantec’s blog.