Botnets duck detection via P2P services, security firm says
Several of the Internet's most dangerous malware threats are now routinely using peer-to-peer (P2P) command and control in an effort to evade the detection and shutdown that has affected many conventional botnets, security firm Damballa said.
The P2P tactic has been around for several years but the company had noticed a fivefold increase in the number of malware samples using this behavior in the last year, specifically among dangerous threats such as ZeroAccess, Zeus v3, and the rapacious TDL4/TDSS rootkit.
The tactic is not without its drawbacks, mostly to do with the greater complexity required to build malware using a P2P Command & Control (C&C) channel and delays in getting instructions through to bots.
But the payoff is that it is harder to disrupt a P2P-based C&C because it uses no fixed hierarchy of servers that can be blocked and broken, precisely the same principle that made the concept popular among file sharers.
This offers a degree of resilience against the increasing success security researchers have had in disrupting traditional botnets.
"Threat actors have taken note of the broader adoption of P2P, as well as P2P's lack of a centralized control infrastructure, which provides resilience to take down," said John Jerrim, Damballa's senior research director.
"P2P does limit the threat actor's ability to be agile because the distribution of commands to infections is not immediate. We are seeing more threat actors accept this tradeoff in order to gain access to systems that have other defense mechanisms in place."
Another bonus was that P2P could be used by botnet operators as a backup channel to "resurrect" malware disrupted through interception, he said.
"While many enterprises attempt to shut down P2P activity through the use of traditional and application firewalls, today's increasingly mobile workforce is ushering in an increase in P2P-based malware, which has the ability to leak data or conduct other nefarious behavior when devices are outside," Jerrim said.
Damballa offers a fix
The company's motivation for highlighting the P2P malware issue is that its Failsafe "communications profiling" appliance has been upgraded to spot compromised computers using the technique to evade controls.
The P2P engineering behind ZeroAccess (infamous for clickfraud but also BitCoin mining) was noticed late last year by another firm, Kindsight, which estimated its network of "supernodes"—hijacked computers used as privileged controllers—to number as many as 200,000.
The Zeus (or ZeuS or Gameover) bank Trojan, meanwhile, acquired this capability in late 2011. An analysis first made public at the U.S. Black Hat security show by Dell SecureWorks estimated that the technique had been successful enough to recruit nearly 700,000 bots.