Most Zeus trojan infections use HTTP for communication. There are however versions of Zeus that use P2P technology, but they are the exception. Once a computer is infected, Zeus must connect to the command and control (CnC) server for settings and instructions. The usual way of doing this is to use a HTTP POST.
When Zeus uses HTTP, it leaves the referer field in the HTTP header empty. Note the “-” which is the referer field.
POST hxxp://studioustwnfor.su/dpl/nbsdus.php HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)"
The interesting thing about these malicious POST’s are that they look nothing like normal legitimate traffic. If someone was to login to a website with HTTP, such as a blog login page, the POST response has a referer field in the header. Another important thing to remember is that normally logging into a web service will only take one or two POST responses. A typical Zeus CnC communcation will be every 5 minutes at slow times and anything up to 10 every second at peak times. These two attributes together make detecting this type of communication possible.
Detecting such an anomaly is not as easy as you would think however. There are many possiblities for false positives. Online radio, SOAP, SAP, and antivirus vendors communcations are just some exceptions that need to accounted for, but it is possible after some training of the detection engines.
Detection of these malicious POST’s will also show communication for malware other than Zeus. Other malware using HTTP to communicate also don’t add a referer. For example, a fast(ish) flux dropper was changing the domain it sent data to regularly, to avoid detection but was caught because it didn’t have a referer:
"POST hxxp://188.8.131.52/insight/flourence?banner_id= 386514&yjuov=ZJRWYZFTYdsvwIwawGTZRgau0atHx3OB HTTP/1.1" - - "-" "POST hxxp://for.quickbarber.co.uk/booking/read?page= 120&yjuov=ZJRWYZFTYdsvwIwawGTZRgau0atHx3OB HTTP/1.1" - - "-"
P.S. If you’re a malware developer, please disregard this blog post! We like detecting malicious communication, the way things are…