An Analysis of the Zeus Peer-to-Peer Protocol

Zeus is a family of credential-stealing trojans that first appeared in 2007. The first two variants of Zeus rely on centralized command servers, which the security community now routinely tracks and blocks. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. This paper describes our insights into the topology and communication protocol of the peer-to-peer variant of Zeus.