Three major botnets are among those that have adopted the use of peer-to-peer communications to hamper takedown efforts.
While early botnets eschewed peer-to-peer communications because the relatively noisy protocol is easier to detect, today's networks of compromised systems increasingly use the communication technique to harden bot operators' command-and-control infrastructure against defenders' takedown efforts, according to researchers from security firm Damballa.
In a brief analysis published last week, Damballa researchers found that the number of malware variants that use peer-to-peer communications has increased fivefold in the past 12 months. Among the adopters of peer-to-peer networking are major botnets such as ZeroAccess, Zeus Gameover, and TDL4/TDSS, the analysis stated.
"From a threat actor's perspective, if the defenders take down an infected device, they have others, so they are not out of business," Stephen Newman, vice president of products for Damballa, told eWEEK. "But if they are relying on a single command-and-control server, one takedown can destroy the botnet."
Peer-to-peer networking, popularly associated with file-sharing technologies such as BitTorrent, allows network nodes to communicate by sending data to a list of known peers. Those peers (other infected systems, in the case of botnets) then relay the information to further compromised computers until the message reaches the controller's system. Because no central server is needed to reach every node, the network survives the loss of any individual node, and defenders cannot dismantle it with a single takedown.
"For attackers who don't need immediacy or control, peer-to-peer is a great technology for them to use," Newman said.
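The resilience argument above can be made concrete with a small simulation. The following is an added example written for this article, not Damballa's code or any real botnet's protocol: it builds a star-shaped network with a single command-and-control server and a peer-to-peer network in which every bot holds a random peer list, applies the defender's best move to each (take down the best-connected nodes), and measures how many surviving bots a command injected through one surviving peer still reaches. The sizes, peer-list length and seed are assumptions chosen for illustration.

```python
import random
from collections import deque

def build_star(n):
    """Centralised design: node 0 is the lone C&C server and every bot talks only to it."""
    peers = {i: set() for i in range(n)}
    for bot in range(1, n):
        peers[0].add(bot)
        peers[bot].add(0)
    return peers

def build_p2p(n, k, seed=1):
    """Peer-to-peer design: each bot starts with a list of k random peers.
    Links are kept symmetric so a message can flow in either direction.
    (Illustrative topology; real families manage peer lists differently.)"""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    peers = {i: set() for i in range(n)}
    for bot in range(n):
        while len(peers[bot]) < k:
            other = rng.randrange(n)
            if other != bot:
                peers[bot].add(other)
                peers[other].add(bot)
    return peers

def flood(peers, start, removed):
    """Relay a message from `start` through every surviving peer (breadth-first);
    return the set of bots that receive it. `removed` are nodes defenders took down."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in peers[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def takedown(peers, how_many):
    """Defender strategy: remove the `how_many` best-connected nodes
    (for the star topology that is the C&C server itself)."""
    ranked = sorted(peers, key=lambda b: len(peers[b]), reverse=True)
    return set(ranked[:how_many])

def surviving_reach(peers, removed):
    """Fraction of surviving bots the operator can still reach when injecting a
    command through one arbitrary surviving peer."""
    alive = [b for b in peers if b not in removed]
    reached = flood(peers, alive[0], removed)
    return len(reached) / len(alive)

def compare(n=200, k=8, removed_nodes=10):
    """Star: one takedown (the server) cuts every bot off.
    P2P: removing ten of the best-connected peers barely dents reachability."""
    star = build_star(n)
    p2p = build_p2p(n, k)
    return {
        "star": surviving_reach(star, takedown(star, 1)),
        "p2p": surviving_reach(p2p, takedown(p2p, removed_nodes)),
    }

if __name__ == "__main__":
    print(compare())
```

Running it shows the two regimes Newman describes: in the star the only reachable bot after the takedown is the one the command was injected into, while in the peer-to-peer graph almost every surviving bot still receives it, which is why takedowns of such botnets have to target the peer lists themselves (sinkholing or poisoning) rather than individual nodes.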
The ZeroAccess botnet, which uses its network of more than 2 million systems to carry out click fraud and mine bitcoins, uses a peer-to-peer protocol as its primary method of sending data. Because ZeroAccess does not need instantaneous feedback on each node's operation, peer-to-peer communication is a good fit, Newman said.
A variant of the popular bank-account-stealing Trojan Zeus, known as Gameover, also uses a peer-to-peer protocol as its primary method of communication. If an infected system fails to connect to its peers, in many cases a sign that a corporate network is blocking peer-to-peer traffic, Gameover falls back to an alternate communication method known as a domain-generation algorithm, or DGA.
Each node of the botnet runs the DGA, which produces a list of domain names that look random but are entirely predictable to anyone who knows the algorithm and its inputs (typically a seed and the current date), and attempts to contact a server at each of them in turn. The attacker, who knows the pattern by which the domains are generated, needs to register only one of the thousands, or millions, of candidate names to re-establish communications. The same predictability cuts the other way: a defender who recovers the algorithm from a sample can compute the same list in advance and block, sinkhole or pre-register it.
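To show both sides of that exchange, here is an added example, written for this article and not Gameover's real algorithm or any vendor's code. The DGA is a toy (SHA-256 over an assumed secret seed, the date and a counter); the DNS log format and the log lines are constructed for the example. It generates a day's candidate domains the way a bot would, then takes the defender's view: precompute today's and the next two days' lists and match them against DNS query logs.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz")  # constructed; real families carry their own lists

def toy_dga(day, seed=b"example-seed", count=1000):
    """Illustrative DGA (not Gameover's real algorithm): derive `count` domains
    for a calendar day by hashing a secret seed with the date and an index.
    Anyone holding the seed (the operator, or an analyst who extracted it
    from a sample) regenerates exactly the same list."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        # map the first 12 hash bytes to lowercase letters for the label
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains

def blocklist_for(day, days_ahead=2, **kw):
    """Defender side: precompute today's and the next few days' domains so they can
    be sinkholed, pre-registered or matched in DNS logs before the operator
    registers one of them."""
    out = set()
    for delta in range(days_ahead + 1):
        out.update(toy_dga(day + timedelta(days=delta), **kw))
    return out

def find_dga_lookups(log_lines, blocklist):
    """Scan DNS query logs for names on the precomputed list.
    Constructed log format: "<timestamp> <client_ip> query <qname> <rcode>"."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname, parts[4]))
    return hits

# Constructed sample: one host walking the day's list (mostly NXDOMAIN, since the
# operator has registered only one name), plus ordinary lookups from another host.
SAMPLE_DAY = date(2013, 5, 1)
_todays = toy_dga(SAMPLE_DAY)
SAMPLE_LOG = [
    "2013-05-01T09:12:01Z 10.0.0.15 query www.example.com NOERROR",
    f"2013-05-01T09:12:04Z 10.0.0.15 query {_todays[3]}. NXDOMAIN",
    f"2013-05-01T09:12:05Z 10.0.0.15 query {_todays[4]}. NXDOMAIN",
    f"2013-05-01T09:12:06Z 10.0.0.15 query {_todays[5]}. NOERROR",
    "2013-05-01T09:13:10Z 10.0.0.22 query mail.example.org NOERROR",
]

def demo():
    """Return the (client, qname, rcode) tuples that match the precomputed list."""
    return find_dga_lookups(SAMPLE_LOG, blocklist_for(SAMPLE_DAY))

if __name__ == "__main__":
    for client, qname, rcode in demo():
        print(client, qname, rcode)
```

Two practical points follow from running it. The domains change completely from one day to the next, so a static blocklist is useless and the list has to be regenerated on a schedule. And even without the seed, the pattern is visible in the logs: a single client producing a burst of NXDOMAIN answers for random-looking names is itself a strong DGA indicator, which is how many teams spot an infected laptop that has left the corporate network and come back.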
A third successful botnet, known as TDL4/TDSS, also uses peer-to-peer communications and domain generation algorithms to connect with the bot operator.
Because infected systems, especially laptops, travel outside company-owned networks, security managers can no longer just block peer-to-peer communications and expect to be safe, Newman said.
"Organizations are so mobile today that, when the devices leave, they can connect to the attackers who can download new elements and new features to repurpose the system," he said.
Instead, companies need to have the ability to detect such systems in their network, shut them down and, if they have the capability, conduct an investigation, he said.
1 Comment for "Botnets Increase Use of Peer-to-Peer by Fivefold to Hamper Takedowns"
Since Google has not seen fit to even answer any of the comments here for the last 6+ months, it is probably useless to post anything at all here. But being optimistic, I will try. This "Sorry you're a bot" thing is pretty stale by now. I understand that many less savvy users have been wasting lots of hours scanning their machines. My machines are clean. I do relatively infrequent search requests, but last February and again today, I am being declared a bot for no good reason. The explanation provided both here and on the "Sorry you're a bot" page is at best inadequate and certainly misleading. For Google to do security by obscurity is wasting legitimate users' time in the hopes of "catching" a bot??? Given the periodicity of these posts and that of my getting misidentified as a bot, it appears that Google changes their tactics on occasion. I really suspect that Google has perhaps something else in mind with all of this, and that it is definitely related to information gathering. Certainly the session cookies enable individual tracking until they are removed, as they do not disappear by themselves. Very disappointed & concerned.