The resiliency of peer-to-peer botnets is too good to pass up for fraudsters and spam mavens tired of watching expensive and centralized command and control infrastructures be taken down by authorities and technology companies.
Botnets such as ZeroAccess, TDL4/TDSS and Zeus v3 have shown the way for peer-to-peer botnet builders, either as a primary means of communication between hackers and bots, or as a fallback in case centralized communication is disrupted or permanently terminated. Researchers at Damballa, in fact, are reporting a five-fold increase in the number of malware samples spread via peer-to-peer during the past 12 months. ZeroAccess is likely the biggest offender, a potent malware family with rootkit capabilities that has been folded into a number of exploit kits, including Blackhole, one of the most potent commercial kits available on the underground.
“It’s been put into some toolkits, so it’s spread out among different implementations,” said Damballa senior research scientist John Jerrim. “You don’t have to write your own [botnet]. It’s available to buy and use; it’s big business in terms of building botnets.”
Most botnets continue to be a primary means of spreading spam, but other capabilities have been folded in, including denial of service attacks, bank fraud, click-fraud campaigns and more. While centralized botnets are simple to disrupt once discovered and all the proper legal hoops have been negotiated, taking down a peer-to-peer botnet is a much more difficult proposition.
Bots in a P2P network communicate with each other; each bot is seeded with a list of trusted peers, usually 256 compromised IP addresses. Those peers share instructions and know from where they can accept downloads of additional malware, for example. Infiltrating those bots and poisoning a seed list so that they redirect to a sinkhole, for example, tramples on some touchy legal territory because the compromised machines are just that: often hacked home or business computers that are unwitting participants in the malicious activity.
Further compounding the complexity of a takedown is the fact that it’s nigh impossible to enumerate bots in a P2P network because at times they’re behind firewalls or proxies, or they’ve been cleaned up or shut down. All of this was spelled out in a recent research report published by researchers from the Institute for Internet Security in Germany, VU University of Amsterdam and the American tech companies Dell SecureWorks and Crowdstrike. They looked at the shortcomings of some of the P2P botnet forefathers such as Storm and Waledac and applied those lessons to enumerating and disrupting current P2P botnet families. The team used crawling and sensor injection techniques to estimate the size of the P2P botnets they studied and counted upwards of a million infected systems on some, such as ZeroAccess.
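The peer lists described above and the two enumeration techniques the researchers used, crawling and sensor injection, can be illustrated on a small constructed overlay. This is an added example, not code from the article or from the cited research: the graph is generated in memory, odd-numbered bots stand in for firewalled machines that accept no inbound connections, and the gossip step is a simplified stand-in for how real bots refresh their peer lists.

```python
"""Crawling vs. sensor injection on a constructed P2P overlay (added example,
not the article's or the researchers' code). All numbers are made up."""
import random
from collections import deque

def build_overlay(n_bots=200, list_size=32, seed=7):
    """Constructed overlay: each bot keeps `list_size` trusted peers (the
    article cites ~256). Odd-numbered bots model NAT/firewalled machines."""
    rng = random.Random(seed)
    peers = {b: set(rng.sample([p for p in range(n_bots) if p != b], list_size))
             for b in range(n_bots)}
    natted = {b for b in range(n_bots) if b % 2}
    return peers, natted

def crawl(peers, natted, seeds):
    """Crawler: request each bot's peer list and walk outward. A firewalled
    bot never answers, so it can be named by others but never confirmed."""
    confirmed, seen, queue = set(), set(seeds), deque(seeds)
    while queue:
        b = queue.popleft()
        if b in natted or b in confirmed:
            continue
        confirmed.add(b)                      # bot answered the peer-list request
        for p in peers[b]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return confirmed

def sensor_injection(peers, natted, sensor, rounds=3, seed=7):
    """Sensor: a researcher-run node whose address is pushed into the lists of
    reachable bots. Bots refresh by pulling a reachable peer's list (gossip),
    so the address spreads to firewalled bots too; every bot that holds it
    connects *out* to the sensor, which logs the source address."""
    rng = random.Random(seed)
    for b in peers:
        if b not in natted:
            peers[b].add(sensor)
    observed = set()
    for _ in range(rounds):
        for b in peers:
            if sensor in peers[b]:
                observed.add(b)               # outbound contact logged by sensor
            reachable = [p for p in peers[b] if p != sensor and p not in natted]
            if reachable:                     # real bots cap the merged list; omitted
                peers[b] |= peers[rng.choice(reachable)] - {b}
    return observed

def run_demo():
    """Return (true size, crawl count, sensor count) for the constructed overlay."""
    peers, natted = build_overlay()
    crawled = crawl(peers, natted, seeds=[0, 2])
    seen_by_sensor = sensor_injection(peers, natted, sensor=-1)
    return len(peers), len(crawled), len(seen_by_sensor)
```

The crawl count never includes a firewalled bot, while the sensor count does, which is why the two techniques were combined to estimate botnet size.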
ZeroAccess and TDL4/TDSS spread rootkit malware that infects systems at the kernel level and is difficult to detect and clean. Both of these malware families have the potential to do much more than simple bank fraud or sending spam. ZeroAccess can also pull off click-fraud schemes, hijack Web searches or steal information, while Zeus v3 is primarily financial malware, but it too can be extended to conduct DDoS attacks, steal data or download additional malware.
“They can download additional threats and spread things that can vary from rogue AV to the Poison Ivy RAT,” Jerrim said. “Once there’s an infection inside an organization, the attackers can also lease that machine to other actors with more malicious intent.”
Corporate IT network and security managers, meanwhile, are in a precarious position: they cannot block all peer-to-peer traffic without impeding legitimate P2P calls, and identifying devices, especially mobile devices, that are communicating with a peer-to-peer botnet is a challenge. Building a P2P botnet, however, isn’t the challenge it once was given the commercialization of the malware, though getting a P2P botnet operational still requires some work.
In the end, the resiliency of a peer-to-peer botnet clearly has the attention of hackers.
“The resilience factor is extremely exciting to them,” Jerrim said. “It’s a sign for future [botmasters] seeking other evasion techniques.”