P2P Botnets Larger than Thought

Friday, May 31, 2013 @ 03:05 PM gHale


Large botnets ZeroAccess and Sality control over one million infected computers using peer-to-peer communication, while the online banking Trojan Zeus has just reached 200,000 nodes, new research showed.

An international team of researchers infiltrated the networks to determine these figures. As it turns out, the P2P botnets are also much more resistant to targeted takedown operations than originally thought.


Conventional botnets receive their orders from a central command-and-control server, which also constitutes their main weak point. If that server shuts down, the botnet master loses control of the infected computers.

Newer botnets, however, are going the decentralization route and using peer-to-peer structures like the ones used in file-sharing networks. In this situation, the infected systems network with each other, and each zombie computer has a list of direct communication partners that belong to the same botnet.

So far, the strategy for figuring out the size of a P2P botnet has been to query peer lists from known bots and then go from one to the next in the hope that, eventually, all of the infected systems will be found. Such “crawling”, however, results in figures that are far too low, said Christian Rossow of VU University Amsterdam, The Netherlands, and the Institute for Internet Security, Gelsenkirchen, Germany, together with co-authors Dennis Andriesse (VU University Amsterdam), Tillmann Werner (CrowdStrike, Inc.), Brett Stone-Gross (Dell SecureWorks), Daniel Plohmann (Fraunhofer FKIE, Bonn, Germany), Christian J. Dietrich (Institute for Internet Security, Gelsenkirchen) and Herbert Bos (VU University Amsterdam). Instead, the researchers sneaked their own systems into the P2P botnets. Those systems actively participated in communication and were thus able to register all the active bots. In just one day, their sensors detected more than 920,000 computers under the control of one instance of Sality. The crawlers had found only 22,000 of the botnet’s victims.

One major reason for the difference is that botnet clients are quite picky these days about which computers they add to their active peer list. Home computers, for example, are almost never included, since it is difficult to reach them from the outside through a NAT router.
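To make the crawler-versus-sensor gap concrete, here is a constructed toy simulation (added here; not code from the article or from the P2PWNED study). It assumes a peer-exchange gossip in which bots list only routable peers, so a crawler walking peer lists sees only the routable minority while a participating sensor is eventually contacted by every bot, NAT'd or not.

```python
# Crawling vs. sensor enumeration of a P2P botnet: constructed toy model, not
# the code of any real bot. Peer lists hold only routable bots.
import random
from collections import deque

PEER_LIST_SIZE = 8  # assumed cap on entries a bot keeps

def build_botnet(n_bots, nat_fraction, rng):
    """Return (routable: id -> bool, peers: id -> set of routable ids)."""
    routable = {i: rng.random() >= nat_fraction for i in range(n_bots)}
    public = [i for i in range(n_bots) if routable[i]]
    peers = {}
    for i in range(n_bots):
        pool = [p for p in public if p != i]  # NAT'd hosts are never listed
        peers[i] = set(rng.sample(pool, min(PEER_LIST_SIZE, len(pool))))
    return routable, peers

def crawl(peers, seed):
    """Breadth-first walk of peer lists from one known routable bot."""
    seen, queue = {seed}, deque([seed])
    while queue:
        for p in peers[queue.popleft()] - seen:  # only listed (routable) bots answer
            seen.add(p)
            queue.append(p)
    return seen

def sensor_count(routable, peers, sensor_id, rounds, rng):
    """Join as a routable sensor and log every bot that contacts it."""
    routable[sensor_id], peers[sensor_id] = True, set()
    entry = rng.choice(sorted(b for b in peers if routable[b] and b != sensor_id))
    peers[entry].add(sensor_id)  # one bot learns of the sensor; gossip spreads it
    logged = set()
    for _ in range(rounds):
        for bot in [b for b in peers if b != sensor_id]:
            learned = set()
            for peer in peers[bot]:  # outbound contacts work even from behind NAT
                if peer == sensor_id:
                    logged.add(bot)
                learned |= peers[peer]  # peer exchange: adopt the contacted bot's list
            peers[bot] |= learned - {bot}
    return logged

def compare(n_bots=200, nat_fraction=0.5, seed=1):
    """Return (routable bots, bots found by crawling, bots logged by the sensor)."""
    rng = random.Random(seed)
    routable, peers = build_botnet(n_bots, nat_fraction, rng)
    n_public = sum(routable.values())
    crawled = crawl(peers, min(b for b in peers if routable[b]))
    logged = sensor_count(routable, peers, n_bots, 10, rng)
    return n_public, len(crawled), len(logged)
```

With the defaults, the crawler can never count more than the routable half, while the sensor logs all 200 bots.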

There’s more bad news when it comes to shutting these botnets down. One approach frequently discussed is sinkholing, in which security specialists try to fill the bots’ peer lists with their own systems’ addresses in order to put a stop to communication within the P2P network. In their investigation, however, the researchers realized some of the P2P botnets are more resistant to that strategy than originally thought. A case in point: Sality has an internal reputation system for communication partners, and it is difficult to take the place of a real bot with a high rating in the peer list.

The researchers’ findings come mainly from analysis of actual bots. In their paper, “P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets”, they present a method for describing P2P botnets with formal models, which can then also be used to simulate the effect of operations such as sinkholing.
