
I read on http://www.abuse.ch/?p=3499 that: "ZeuS is now using an “IP list” which contains the IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary." From what I understand, the bots use a hardcoded IP list to communicate with each other. What I don't understand is: how can bots behind a NAT network communicate with each other when the IP addresses behind a NAT network are invalid?

user43493

3 Answers


You could read something like Infosec Institute's Botnets Unearthed – The ZEUS BOT, but it boils down to:

It's not a peer to peer setup, it's a client/server setup. Malware clients try to contact command and control servers which are not behind firewalls that prevent access.

You can see a list of command and control nodes (or, better, make sure your own firewall is blocking all of them) at the ZeuS Tracker, which is the source of the I-Blocklist ZeuS blocklist (and many others).

Anti-weakpasswords
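The answer above suggests using a tracker-style blocklist to make sure your own firewall blocks the listed C&C addresses. The following is an added example (not code from the answer, the ZeuS Tracker or I-Blocklist) of what a defender would do with such a list: parse it, check outbound firewall log lines against it, and emit one DROP rule per address. The blocklist format (one IP per line, `#` comments) and the iptables-style log lines are assumptions constructed for the example, and all addresses are RFC 5737 documentation ranges or RFC 1918 private ranges, not real C&C servers.

```python
import ipaddress
import re

# Constructed sample blocklist in a one-IP-per-line style with '#' comments.
# Addresses are documentation-range (RFC 5737), not real C&C servers.
BLOCKLIST_TEXT = """\
# ZeuS-style C&C blocklist (constructed sample)
# last updated: (placeholder)
192.0.2.10
198.51.100.77
203.0.113.5
"""

# Constructed iptables-style log lines (key=value fields) for outbound traffic.
FIREWALL_LOG = """\
Jan 10 10:00:01 gw kernel: OUT=eth0 SRC=10.0.0.12 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 10 10:00:02 gw kernel: OUT=eth0 SRC=10.0.0.15 DST=192.0.2.200 PROTO=TCP DPT=443
Jan 10 10:00:03 gw kernel: OUT=eth0 SRC=10.0.0.12 DST=203.0.113.5 PROTO=TCP DPT=8080
Jan 10 10:00:04 gw kernel: OUT=eth0 SRC=10.0.0.20 DST=198.51.100.77 PROTO=UDP DPT=53
"""


def parse_blocklist(text):
    """Return a set of ip_address objects, ignoring comments, blanks and bad entries."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip a malformed entry rather than failing the whole load
    return ips


_FIELD = re.compile(r"\b(SRC|DST)=(\S+)")


def find_blocked_contacts(log_text, blocklist):
    """Return (src, dst) pairs for log lines whose DST is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(_FIELD.findall(line))
        if "DST" not in fields:
            continue
        try:
            dst = ipaddress.ip_address(fields["DST"])
        except ValueError:
            continue
        if dst in blocklist:
            hits.append((fields.get("SRC"), str(dst)))
    return hits


def iptables_rules(blocklist):
    """Render one outbound DROP rule per listed address, sorted for stable output."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(blocklist)]


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for src, dst in find_blocked_contacts(FIREWALL_LOG, bl):
        print(f"internal host {src} contacted listed C&C address {dst}")
    print("\n".join(iptables_rules(bl)))
```

Checking the log as well as adding the rules matters: a hit on an outbound attempt tells you which internal host is already infected, which the DROP rule alone would silently hide.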

There are a couple of ways. First, there are plenty of computers that are not behind NATing firewalls - the owners might be relying on Windows Firewall, or on nothing at all. Someone with a cable modem and PC with no router is wide open.

Or a stateful firewall could be returning UDP packets to the originating machine.

John Deters

Connecting in spite of NATs is called NAT Traversal. From the Wikipedia page:

Many techniques exist, but no single method works in every situation since NAT behavior is not standardized. Many NAT traversal techniques require assistance from a server at a publicly routable IP address.

Hence, the hardcoded IPs.

NAT Traversal is a minefield and not something I'm qualified to explain. However, the Wikipedia page does contain a handy list of techniques. Of particular interest is Hole Punching which, if successful, does not require a server at all.
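The two answers above make two points that are easier to see in a small model: a stateful NAT returns UDP replies to the originating private host (John Deters' second point), and hole punching lets two NATed hosts reach each other once a publicly routable host has told each of them the other's public address (this answer's point, and the role the hardcoded IPs play). The following is an added simulation, not code from either answer or from Wikipedia. It assumes an address-restricted NAT model (inbound UDP is accepted only from a remote IP the private host has already sent to); real devices differ, which is why no single traversal method works everywhere. All addresses are constructed from RFC 1918 and RFC 5737 ranges.

```python
from collections import namedtuple

# Constructed addresses only: RFC 1918 private ranges and RFC 5737 documentation ranges.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload")


class RestrictedNat:
    """Simplified address-restricted stateful NAT for UDP (an assumption of this example).

    An outbound packet creates a mapping (private ip, private port) -> public port and
    records the remote IP contacted. An inbound packet to a public port is translated back
    to the originating private host only if a mapping exists AND that host has already
    sent to the packet's source IP; anything else is dropped."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}   # (priv_ip, priv_port) -> public port
        self.reverse = {}    # public port -> (priv_ip, priv_port)
        self.allowed = {}    # public port -> set of remote IPs contacted
        self.dropped = []

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.reverse[port] = key
            self.allowed[port] = set()
        port = self.mappings[key]
        self.allowed[port].add(pkt.dst_ip)
        return pkt._replace(src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        key = self.reverse.get(pkt.dst_port)
        if key is None or pkt.src_ip not in self.allowed[pkt.dst_port]:
            self.dropped.append(pkt)
            return None
        return pkt._replace(dst_ip=key[0], dst_port=key[1])


def simulate():
    """Two hosts behind separate NATs plus one publicly routable rendezvous host."""
    server = ("203.0.113.1", 3478)   # the role a hardcoded public IP plays
    nat_a, nat_b = RestrictedNat("198.51.100.1"), RestrictedNat("192.0.2.1")
    a, b = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    result = {}

    # 1. Both hosts contact the public server, which learns each host's public mapping.
    seen_a = nat_a.outbound(Packet(*a, *server, "hello"))
    seen_b = nat_b.outbound(Packet(*b, *server, "hello"))
    pub_a = (seen_a.src_ip, seen_a.src_port)
    pub_b = (seen_b.src_ip, seen_b.src_port)
    result["public_a"], result["public_b"] = pub_a, pub_b

    # 2. The server's reply is translated back to the originating private host:
    #    the 'stateful firewall returning UDP packets to the originating machine' case.
    reply = nat_a.inbound(Packet(*server, *pub_a, "your public address"))
    result["server_reply_delivered_to"] = (reply.dst_ip, reply.dst_port) if reply else None

    # 3. B tries A directly (it learned pub_a from the server). A's NAT has never seen A
    #    talk to B's public IP, so it drops the packet; but B's NAT now permits packets
    #    from A's public IP, so the hole is open on B's side.
    first = nat_b.outbound(Packet(*b, *pub_a, "ping"))
    result["first_attempt_delivered"] = nat_a.inbound(first) is not None

    # 4. A sends to B's public address: A's NAT opens its side, B's NAT accepts the packet.
    punch = nat_a.outbound(Packet(*a, *pub_b, "ping"))
    delivered = nat_b.inbound(punch)
    result["punch_delivered_to"] = (delivered.dst_ip, delivered.dst_port) if delivered else None

    # 5. From here both directions pass without the server being involved.
    back = nat_a.inbound(nat_b.outbound(Packet(*b, *pub_a, "pong")))
    result["reply_delivered_to"] = (back.dst_ip, back.dst_port) if back else None
    result["dropped_at_nat_a"] = len(nat_a.dropped)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The detail to notice from a defender's side is step 1: both NATed hosts must first reach a publicly routable address before any direct path exists, so egress filtering of those public addresses (and logging the attempts) cuts the process off at its only unavoidable step.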