The FBI, Justice Department and technology companies have had success shutting down botnets that rely on a centralized infrastructure and command and control servers to communicate with bots, steal data or send malicious commands.
Peer-to-peer botnets, however, have proven more difficult to take down. More criminal gangs who ply in financial fraud, identity theft or denial-of-service attacks are investing in P2P botnets because their lack of a C&C infrastructure makes them more resilient not only against law enforcement, but security analysts who want to enumerate these networks of compromised computers or disrupt their services.
A team comprised of researchers from the Institute for Internet Security in Germany, VU University of Amsterdam and American tech companies Dell SecureWorks and Crowdstrike collaborated on a research project that examined the resilience of peer-to-peer botnets such as ZeroAccess, Sality, Zeus and Kelihos in attempt to help curb their impact on cybercrime.
The group looked at the evolution of such botnets, starting with Waledac and Storm, both of which were vulnerable to takedown techniques and have been largely stunted. Next-gen botnets such as the P2P variant of Zeus and Sality are much more resilient to sinkholing, injection attacks, and other disruptive means used against botnets in the past.
Some botnets, such as Kelihos, have been taken down a number of times as attackers stand up new versions of the network. Most recently a version of Kelihos was taken down live at the RSA Conference 2013 by Crowdstrike researcher Tillmann Werner. Kelihos, like other botnets, is largely a spam bot, but has also been adapted to steal anything from credentials Bitcoin wallets.
“Many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure,” the researchers explained in the paper.
In peer-to-peer botnets, compromised bots talk to each other rather than to a central server. Often they employ custom protocols for communication that must be decrypted before they can be analyzed. Attempts to enumerate P2P botnets have been largely unsuccessful, the researchers said. Their model for analyzing a dozen P2P botnets had to overcome built-in resistance to malware analysis as well as efforts to counteract sinkholing where all bot traffic is redirected to a server controlled by a third party, or partitioning where the botnet is split into unusable sub-networks, the paper said.
The team used crawling and sensor injection techniques to estimate the size of the P2P botnets they studied and counted upwards of a million infected systems on some. The crawlers, however, may be significantly underestimating the size of the botnets because many are behind proxies or firewalls.
Sality and Zeus P2P proved to be the most resilient to analysis, the paper said. Sality uses a peer reputation scheme to determine whether bots can trust one another, while Zeus will blacklist sinkhole servers. Others use backup C&C channels to maintain communication in event of a disruption. Some of those include fast-flux DNS or even the use of domain generation algorithms found in the PushDo and TDSS/TDL-4 botnets.
Sality also has some staying power with versions maintaining a working presence since 2007; ZeroAccess versions have been active continuously since 2009.
Of the four P2P botnet families observed in the study, Kelihos was most vulnerable to sinkholing. Researchers found they were able to push new peer lists to other peers and replace local entries at once Versions 1 and 2 were poisoned in this way and new entries under control of security researchers were propagated in this way. Kelihos uses fast-flux DNS as a fallback, the researchers said, and will use a hard-coded domain to recover connectivity to the rest of the network.
“Since the Kelihos v3 botnet uses effectively the same P2P protocol and architecture as Kelihos v1 and v2, a full scale sinkholing attack analogous to the previous ones would succeed again,” the paper said.
Sality’s reputation scheme, on the other hand keeps it alive and kicking. Bots share peer lists only with other bots with a spotless reputation; sinkhole servers must first gain a high reputation before they can work. In case of disruption, Sality has no backup C&C, but instead would rely on malware downloaded previously to recover.
ZeroAccess uses yet another means to maintain its peer lists. It updates its peer lists every few seconds, merges with previous lists and keeps the 256 most recent peers, meaning that researchers would have to flood the botnet with sinkholing announcements to stay on a list. It is possible to sinkhole ZeroAccess with some work, the researchers said. Similar to Sality, ZeroAccess can use downloaded malware plug-ins to recover from a sinkhole attack if necessary.
“Bots can be isolated by sending them peer lists containing invalid entries with very recent timestamps. The two ZeroAccess variants differ in their peer list exchange protocols,” the paper said. “In ZeroAccess v1, peer lists are only shared upon request. Thus, poisoning peers in this network requires serving poisoned peer list exchange messages from a sinkhole whenever it is asked for a peer list.”
Zeus P2P is the final family examined and researchers found they could be successful by attacking non-routable peers in the networks by feeding them manipulated peer lists, updating entries with sinkhole IPs.
“While our evaluation shows that some P2P botnets exhibit a high level of resilience, we also find that all real-world P2P botnets are susceptible to at least one of the mitigation strategies we model,” the paper said. “Regardless, implementing mitigation strategies against new P2P botnets remains non-trivial due to the need to understand the peculiarities of each botnet’s C&C protocol. Additionally, attacking networks containing millions of peers requires significant resources which may need to remain available over the long term. We believe that a discussion is required concerning alternative mitigation strategies against P2P botnets.”