While early botnets eschewed peer-to-peer communications because the relatively noisy protocol is easier to detect, today’s networks of compromised systems increasingly use the communication technique to harden bot operators’ command-and-control infrastructure against defenders’ takedown efforts, according to researchers from security firm Damballa.
In a brief analysis published last week, Damballa researchers found that the number of malware variants that use peer-to-peer have increased five-fold in the past 12 months. Among the adopters of peer-to-peer networking are major botnets, such as ZeroAccess, Zeus Gameover, and TDL4/TDSS, the analysis stated.
“From a threat actor’s perspective, if the defenders take down an infected device, they have others, so they are not out of business,” Stephen Newman, vice president of products for Damballa, told eWEEK. “But if they are relying on a single command-and-control server, one takedown can destroy the botnet.”
Peer-to-peer networking—popularly associated with file sharing technologies such as BitTorrent—allows network nodes to communicate by sending data to a list of known peers. Those peers—other infected systems, in the case of botnets—will then send the information to other compromised computers, until the message reaches the controller’s system. Since there is no central server that directly controls every node, a peer-to-peer network is resilient to being attacked.
“For attackers who don’t need immediacy or control, peer-to-peer is a great technology for them to use,” Newman said.
The ZeroAccess botnet, which uses its network of more than 2 million systems to carry out click-fraud and crunch the calculations needed for mining bitcoins, communicates using a peer-to-peer protocol as its primary method of sending data. Because ZeroAccess does not need to have instantaneous feedback on each node’s operation, peer-to-peer communications is a good fit, Newman said.
A variant of the popular bank-account-stealing Trojan Zeus, known as Gameover, also uses a peer-to-peer protocol as a primary method of communication. If an infected system fails to connect to its peers—in many cases a sign that a corporate network is blocking peer-to-peer communications—then Gameover switches to an alternate communications method known as a domain-generation algorithm, or DGA.
Each node of the botnet will use the DGA—which create a list of seemingly random, but actually predictable, domain names—to create hard-to-guess domain names and attempt to communicate with a server at that destination. The attacker, who knows the pattern with which domains are generated, will have registered one of the thousands, or millions, of domain names, and thus re-establish communications.
A third successful botnet, known as TDL4/TDSS, also uses peer-to-peer communications and domain generation algorithms to connect with the bot operator.
Because infected systems, especially laptops, travel outside company-owned networks, security managers can no longer just block peer-to-peer communications and expect to be safe, Newman said.
“Organizations are so mobile today that, when the devices leave, they can connect to the attackers who can download new elements and new features to repurpose the system,” he said.
Instead, companies need to have the ability to detect such systems in their network, shut them down and, if they have the capability, conduct an investigation, he said.