1

I want to know how malware like ZeroAccess hole punches the network without using an external server?

Or do they just mainly infect non-NAT users? Does that mean all NAT users are safe?

Shurmajee
The core of your question is: does NAT protect my network? The core of the answer is: of course not, because it isn't its purpose. – dan Jul 23 '15 at 06:31

2 Answers

2

I want to know how do malwares like ZeroAccess hole punch the network without using an external server?

ZeroAccess uses a P2P structure with no single central server. While most of the nodes can be behind a NAT, some super nodes must not be behind a NAT so that they can be reached by the other nodes (behind NAT) and relay communications. That means the nodes behind NAT simply open a connection from inside to any of the external super nodes, and data can be sent back to the node over this connection. This is the usual way P2P networks work and is not specific to ZeroAccess.

This paper from Sophos describes ZeroAccess and their communication model in more detail.

Steffen Ullrich
1

You can look first at what STUN is. Afterwards, you can use a library and try it out.

From the RFC:

  1. Applicability Statement

    This protocol is not a cure-all for the problems associated with NAT. It does not enable incoming TCP connections through NAT. It allows incoming UDP packets through NAT, but only through a subset of existing NAT types. In particular, STUN does not enable incoming UDP packets through symmetric NATs (defined below), which are common in large enterprises. STUN's discovery procedures are based on assumptions on NAT treatment of UDP; such assumptions may prove invalid down the road as new NAT devices are deployed. STUN does not work when it is used to obtain an address to communicate with a peer which happens to be behind the same NAT. STUN does not work when the STUN server is not in a common shared address realm. For a more complete discussion of the limitations of STUN, see Section 14.

Sebi
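The two answers above, put into a small model (an added example, not code from either answer or from the RFC): a toy UDP NAT table showing that a reply on a flow the inside host opened is always delivered, and that an address learned through a public node is reachable by third parties behind a full-cone NAT but not a symmetric one. The class, the function names and the documentation-range addresses are constructed for illustration, and only these two NAT types are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy UDP NAT (assumed model, not any vendor's implementation)."""
    public_ip: str
    symmetric: bool            # True: one mapping per destination; False: full cone
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # mapping key -> public port
    in_map: dict = field(default_factory=dict)   # public port -> (internal, allowed remote)

    def outbound(self, internal, remote):
        """Inside host sends to remote; returns the (ip, port) the remote sees."""
        key = (internal, remote) if self.symmetric else internal
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            # A symmetric NAT pins the mapping to the contacted remote only.
            self.in_map[self.next_port] = (internal, remote if self.symmetric else None)
            self.next_port += 1
        return (self.public_ip, self.out_map[key])

    def inbound(self, remote, public_port):
        """Returns the inside endpoint that receives the packet, or None if dropped."""
        entry = self.in_map.get(public_port)
        if entry is None:
            return None                      # no mapping: unsolicited traffic is dropped
        internal, allowed = entry
        if allowed is not None and allowed != remote:
            return None                      # symmetric NAT: wrong sender for this mapping
        return internal

def scenario(symmetric):
    # Constructed sample endpoints (RFC 5737 documentation ranges).
    nat = Nat("203.0.113.10", symmetric)
    host = ("192.168.1.20", 5000)            # inside host behind the NAT
    public_node = ("198.51.100.7", 3478)     # reachable node (super node / STUN-like server)
    peer = ("198.51.100.99", 6000)           # third party that only learned the mapped address
    unsolicited = nat.inbound(peer, 40000)   # before the host has sent anything
    mapped = nat.outbound(host, public_node)
    return {
        "unsolicited": unsolicited,
        "reply_from_public_node": nat.inbound(public_node, mapped[1]),
        "peer_via_learned_address": nat.inbound(peer, mapped[1]),
    }

if __name__ == "__main__":
    for kind in (False, True):
        print("symmetric" if kind else "full cone", scenario(kind))
```

In both runs the reply from the publicly reachable node gets through, which is why the NAT type does not decide whether an already-infected inside host can talk to its peers; outbound traffic is the place to filter and monitor.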