Researchers at security firm Damballa have revealed a new twist in the ongoing industry battle against botnets.
It found that while early botnets eschewed peer-to-peer communications because the relatively noisy protocol is easier to detect, today’s networks of compromised systems increasingly use the communication technique to harden bot operators’ command-and-control infrastructure against defenders’ takedown efforts.
In a brief analysis published last week, Damballa researchers found that the number of malware variants that use peer-to-peer have increased five-fold in the past 12 months. Among the adopters of peer-to-peer networking are major botnets, such as ZeroAccess, Zeus Gameover, and TDL4/TDSS, the analysis stated.
Peer-to-peer networking – popularly associated with file sharing technologies such as BitTorrent – allows network nodes to communicate by sending data to a list of known peers. Those peers – other infected systems, in the case of botnets – will then send the information to other compromised computers, until the message reaches the controller’s system. Since there is no central server that directly controls every node, a peer-to-peer network is resilient to being attacked.
“For attackers who don’t need immediacy or control, peer-to-peer is a great technology for them to use,” Newman said.
The ZeroAccess botnet, which uses its network of more than 2 million systems to carry out click-fraud and crunch the calculations needed for mining bitcoins, communicates using a peer-to-peer protocol as its primary method of sending data. Because ZeroAccess does not need to have instantaneous feedback on each node’s operation, peer-to-peer communications is a good fit, Newman said.
A variant of the popular bank-account-stealing Trojan Zeus, known as Gameover, also uses a peer-to-peer protocol as a primary method of communication. If an infected system fails to connect to its peers – in many cases a sign that a corporate network is blocking peer-to-peer communications – then Gameover switches to an alternate communications method known as a domain-generation algorithm, or DGA.
Each node of the botnet will use the DGA – which create a list of seemingly random, but actually predictable, domain names – to create hard-to-guess domain names and attempt to communicate with a server at that destination. The attacker, who knows the pattern with which domains are generated, will have registered one of the thousands, or millions, of domain names, and thus re-establish communications.
A third successful botnet, known as TDL4/TDSS, also uses peer-to-peer communications and domain generation algorithms to connect with the bot operator.
Because infected systems, especially laptops, travel outside company-owned networks, security managers can no longer just block peer-to-peer communications and expect to be safe, Newman said.
“Organisations are so mobile today that, when the devices leave, they can connect to the attackers who can download new elements and new features to repurpose the system,” he said.
Instead, companies need to have the ability to detect such systems in their network, shut them down and, if they have the capability, conduct an investigation, he said.
Are you a security pro? Try our quiz!
Originally published on eWeek.
European Commission says Microsoft's hiring of Inflection AI's staff will not be investigated under EU…
Alphabet urges Competition Appeal Tribunal to dismiss mass lawsuit seeking up to £7bn ($9.3bn) for…
The US will host the first meeting of the International Network of AI Safety Institutes,…
EU General Court upholds European Commission €242m antitrust fine against Qualcomm, after it allegedly forced…
Google wins court challenge. Europe's second highest court rules EC's €1.49bn antitrust fine should be…
Russian state media networks including RT, Rossiya Segodnya etc banned by Meta Platforms for “foreign…