Malware increasingly uses peer-to-peer communications, researchers say

The number of P-to-P malware samples surged during the past year, researchers from Damballa said

The number of malware samples that use P-to-P (peer-to-peer) communications has increased fivefold during the past 12 months, according to researchers from security firm Damballa.

The largest contributors to this increase are advanced threats like ZeroAccess, Zeus version 3 and TDL4, said Stephen Newman, vice president of products at Damballa. However, there are also other malware families that adopted P-to-P as a command-and-control (C&C) channel recently, he said.

"The use of P-to-P in advanced malware threats has been around for quite some time, but we've never really seen it take the hold that we've started to see now," Newman said. The reason why this is happening now has to do with cybercriminals' desire for resiliency in the face of takedown efforts that can disrupt centralized C&C infrastructures, he said.

Botnet masters stand to lose access to thousands or millions of infected computers if their control servers are shut down, so they're looking into decentralized P-to-P communications, where botnet clients can relay commands to one another, as a resilience technique along with other methods like the use of domain name generation algorithms (DGAs), he said.

Another benefit for attackers is that malicious P-to-P traffic is hard to detect and block at the network level by using traditional approaches that rely on lists of known IP addresses and hosts associated with C&C servers.

TDL4 is probably the most prevalent malware family that uses P-to-P communications, said John Jerrim, senior research scientist at Damballa. However, TDL4's P-to-P communication channel is only used as backup in case no C&C server can be reached by using a domain generation algorithm, he said.

TDL4 is best known for being highly persistent and hard to remove from computers because it infects the Master Boot Record (MBR), a special section of the hard drive that contains code executed during the boot process before the operating system starts. The threat is primarily used to distribute other malware as part of pay-per-install schemes and cybercriminal affiliate programs.

Zeus version 3, which is also known as GameOver, is a Trojan program that steals online banking credentials and other financial data. Unlike TDL4, Zeus v3 uses P-to-P as its primary C&C channel and falls back to using a DGA when the malware cannot reach any peer from the P-to-P network.

ZeroAccess is a particularly interesting threat because it only uses P-to-P communication for command-and-control purposes. The threat is distributed with the help of Web exploit toolkits like Blackhole, Neosploit and Sweet Orange, and is primarily used for click fraud and Bitcoin mining.

Damballa released a report about the use of P-to-P communications in ZeroAccess, Zeus v3 and TDL4 on Tuesday. The company also added the capability to detect this type of malicious traffic to its Failsafe network security appliance for enterprises.

Researchers from the Institute for Internet Security in Germany, VU University in Amsterdam and security providers Dell SecureWorks and Crowdstrike recently published a report on the resilience of peer-to-peer botnets.

"Our evaluation has shown weaknesses which could be used to disrupt the Kelihos and ZeroAccess botnets," they said in their report. "However, we have also shown that the Zeus and Sality botnets are highly resilient to sinkholing attacks, the currently most used class of disruptive attacks against P2P botnets."

The researchers concluded that finding alternative mitigation methods against P-to-P botnets is "urgently needed."

Tags CrowdStrikeDell SecureWorkssecurityDamballamalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?