According to a Symantec advisory, the Zeus botnet has adopted a peer-to-peer (P2P) communication system. This new way of transmitting data is used only to keep the botnet alive and to distribute information.
Since the latest update each peer can act as a C&C server, although none of them really is one. Bots now download configuration files, commands and binaries from other infected systems rather than from a central server. Symantec's researchers do not yet know how stolen data is sent back to the criminals. It is possible that the information is routed through the peers until it reaches a drop zone controlled by the attackers.
“Having to rely on a C&C server is a limitation. It means that it can be taken offline, and that the botnet herders can be tracked. This was still a flaw in the initial P2P version of the bot—by simply black-boxing the bot executable, one could observe the C&C server being contacted. It seems that the botnet herders have addressed this issue—the control messages that were going to the C&C server are now going to the P2P botnet itself. Of course the peers are other compromised computers, so they cannot be taken offline. Nor can they be related (in most cases) to the guys behind the botnet.”
The control messages that earlier Zeus variants sent to the C&C server are now handled by peers in the botnet. The messages are sent and received over HTTP, which is why the bots now embed nginx, an open-source lightweight web server. As a result, each bot in the network is a minimal web server, capable of answering HTTP requests and performing C&C functions for other bots.
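The practical consequence for defenders is that infected workstations start serving HTTP to, and fetching HTTP from, other workstations. The following detection sketch is an added example, not code from Symantec or from the article: it reads constructed proxy-style log lines (the four-column format, the nginx Server header check and the 10.1.4.0/22 "workstation" subnet are all assumptions for the sake of illustration) and flags hosts that both serve and fetch from other workstations, plus the reciprocal pairs that are the hallmark of peer exchange.

```python
"""Flag workstations that act as HTTP peers for each other (Zeus P2P pattern).

Added example. The log format and subnet below are assumptions, not data
from the Symantec advisory.
"""
import ipaddress
from collections import defaultdict

# Assumed client subnet: traffic between two hosts inside it is workstation-to-workstation.
WORKSTATIONS = ipaddress.ip_network("10.1.4.0/22")

# Constructed sample in a hypothetical "src_ip dst_ip http_status server_header" format.
SAMPLE_LOGS = """\
# src_ip dst_ip http_status server_header
10.1.4.22 10.1.7.91 200 nginx
10.1.7.91 10.1.4.22 200 nginx
10.1.4.22 10.1.5.14 200 nginx
10.1.5.14 10.1.4.22 200 nginx
10.1.6.8 10.1.4.22 200 nginx
10.1.5.3 10.1.0.10 200 Apache
10.1.4.22 10.1.0.10 304 Apache
"""


def parse_line(line):
    """Return (src, dst, status, server) or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        status = int(parts[2])
    except ValueError:
        return None
    return src, dst, status, parts[3]


def workstation_http_edges(log_text):
    """Yield (client, server) pairs where one workstation successfully served HTTP
    via nginx to another workstation; anything touching a non-workstation is ignored."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, status, server = rec
        if (src in WORKSTATIONS and dst in WORKSTATIONS and src != dst
                and status < 400 and "nginx" in server.lower()):
            yield str(src), str(dst)


def find_p2p_peers(log_text):
    """Hosts that both served to AND fetched from other workstations.
    Returns a sorted list of (host, distinct_clients_served, distinct_servers_fetched_from)."""
    served_to = defaultdict(set)
    fetched_from = defaultdict(set)
    for client, server in workstation_http_edges(log_text):
        served_to[server].add(client)
        fetched_from[client].add(server)
    peers = [(h, len(served_to[h]), len(fetched_from[h]))
             for h in served_to if h in fetched_from]
    return sorted(peers)


def reciprocal_pairs(log_text):
    """Pairs of hosts that each fetched from the other: the signature of peer exchange
    rather than one workstation merely hosting a dev server."""
    edges = set(workstation_http_edges(log_text))
    return {frozenset((a, b)) for a, b in edges if (b, a) in edges}


if __name__ == "__main__":
    for host, served, fetched in find_p2p_peers(SAMPLE_LOGS):
        print(f"{host}: served {served} workstation(s), fetched from {fetched}")
    for pair in reciprocal_pairs(SAMPLE_LOGS):
        print("reciprocal:", " <-> ".join(sorted(pair)))
```

A workstation that only fetches (10.1.6.8 in the sample) is not flagged, since ordinary clients fetch all the time; it is the combination of serving and fetching among peers, and especially the reciprocal pairs, that is worth a look. Legitimate developer machines running nginx will also match, so confirm with process listings or the bound port on the flagged host before acting.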
Symantec advisory about the Zeus botnet P2P update can be viewed here.