On the New Generation of P2P Botnets

Monday, June 18, 2012

Pierluigi Paganini


(Translated from the original Italian)

Zeus is one of the longest-running malware strains that has raged for years, appearing in various forms on the web thanks to the continuous changes made by the cybercrime industry.

The great diffusion of the malware in the cybercrime underground is due the different development services available to modify the agent for specific purposes.

The source code of the malware was published in the internet underground, giving the opportunity to third-parties to modify it and implementing the crime to crime model (C2C) that we have defined in the past as "malware as service".

Zeus is a malware used mainly to steal information such as bank credentials from infected device.

At the end of 2011 Symantec researchers identified a new Zeus variant that does not solely rely on command and control (C&C) servers but uses P2P communications to transfer commands from compromised hosts in a botnet.

The interesting feature is that P2P communication is used as a backup system in case the C&C servers are not reachable.

Really interesting is the concept of automated "self-sufficient" botnets using peer-to-peer networks in which each node can operate as a slave or as a master giving orders to other PCs and exchanging information acquired illegally from the victims.

Andrea Lelli explained:

"Every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executable from other bots -- every compromised computer is capable of providing data to the other bots,"

 (click image to enlarge)

In similar botnets, each bot works as a Web server thanks to the presence of nGinx,  a minimal Web server that equips the malware. The communications between the nodes in the network are based on HTTP protocol.  

This new type of botnet is really worrisome because it is hard to fight due to the absence of a point of failure represented in a classic botnet architecture by the C&C servers.

Botnets on distributed peer networks are so very difficult to identify. Systems such as ZeusTracker are not able to track this variant due the impossibility of adding the complete list of components of a P2P network as opposed to only the IP addresses of C&C servers.

To further avoid tracking, the communications mainly use UDP protocol because TCP is easily detectable. The Bot does not perform any authentication on the packets exchanged, so anyone can impersonate the Bot and successfully communicate with other Bots for downloading stuff like configuration data, and this feature could be used to exploit the network.

The handshake phase between bots is possible using a homebrewed UDP, and after a successful connection, the nodes start to exchange TCP data (e.g. configuration files, list of other peers, etc).

What is still a mystery is how the information is received by the botmaster, that's why analysis is still ongoing. 

It has been hypothesized that specific conditions can trigger the communication with a specific server to transfer the stolen information. Preliminary research suggests that stolen information may still be transmitted back to botmasters using classic methods rather than being relayed through the P2P network.

The Zeus case is not isolated. Recently Kaspersky Lab - in collaboration with CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project - dismantled the second Hlux botnet (aka Kelihos).

This botnet was scary because of its size. It has been estimated it was three times larger than the first Hlux / Kelihos botnet dismantled in September 2011. After only 5 days into the operation, Kaspersky Lab had already neutralized more than 109,000 infected hosts. It is estimated that the first botnet Hlux / Kelihos had only 40,000 infected systems.

The event has demonstrated how hard it is becoming to tackle the new generation of botnets due the use of the peer-to-peer technology first implemented in Kelihos. The new variants of malware incorporate P2P technology to eliminate the need for a C&C server, for avoiding detection, and to thwart the immunization campaigns meant to decapitate the malicious networks.

Another example of these botnets is the Alureon / TLD4 botnet which can survive indefinitely in absence of its C&C servers, making difficult their detection.

The new trend in the development of botnets is to provide them the capability to be "independent" from control servers, surviving by becoming anonymous for long periods and infecting many machines in the process.

The botnet battle is difficult, and the changes observed in the botnet scene are the result of a development model for malware that is akin to the development of products in the legal software industry.


Cross-posted from Security Affairs

Possibly Related Articles:
Viruses & Malware
Information Security
malware Botnets P2P Cyber Crime Zeus Automation Command and Control Malware-as-a-Service
Post Rating I Like this!
Michael Johnson Definitely a work of genius. While it's unlikely to be any more resilient, the botnet could be repurposed for anything without having to redeploy the malware.
Perhaps the worst thing about it is the possibility of other criminals propagating their own updates across the network in order to exfiltrate data to their own C&C servers. If that happens, anyone becoming a victim if ID theft here would be hit very hard.
Pierluigi Paganini Hi Michael, this type of botnet are really insidious due the reasons I exposed in the article. At the moment the Achilles' heel is represented by the possibility to simply infiltrate the botnet with external agent. The next step for cyber crime will be to include mutual auth mechanisms for communication between bots ... and tunnelling process to hide traffic ... in this scenario it will be hard to detect similar cyber threats.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.