Malware swarming on P2P networks

Security firm Damballa found that the number of malware samples that use P2P communications has increased fivefold during the past 12 months.

As malware continues to evolve, much of the most up-to-date malware – including ZeroAccess, TDL v4, and Zeus v3 – now leverages P2P capabilities to evade detection by traditional signature, sandboxing and blacklisting techniques. P2P is being used in particular for command-and-control (C&C) instructions and data transfers.

"With P2P, we are seeing advanced threats being able to adapt to changing environments," said Brian Foster, CTO at Damballa, in a statement. "As the security industry starts to mitigate the risks from advanced malware by detecting communication 'up' to C&C, malware authors incorporate 'sideways' P2P communication so there is no one set of addresses that can be blocked."

While many enterprises attempt to shut down P2P activity with traditional and application firewalls, today's increasingly mobile workforce is driving an increase in P2P-based malware, which can leak data or carry out other nefarious behavior while devices are outside the corporate network.

Because of its swarm characteristics, malicious P2P traffic is hard to detect and block using traditional approaches, which typically rely on databases or "zoos" of known IP addresses and hosts associated with command-and-control servers.
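To illustrate the detection gap described above, here is a small added example (not code from the article or from Damballa): a blocklist of known C&C addresses catches a host beaconing to a single server but misses a host talking "sideways" to dozens of peers, while a simple fan-out heuristic on the same constructed flow records flags the swarm. All hosts, addresses and port numbers are hypothetical.

```python
"""Added example: C&C address blocklist vs. a peer fan-out heuristic."""
from collections import defaultdict

# Constructed flow records: (src_host, dst_ip, dst_port). Hypothetical values.
FLOWS = [
    ("host-a", "198.51.100.7", 443),   # host-a beacons to one known C&C server
    ("host-a", "198.51.100.7", 443),
    ("host-b", "203.0.113.1", 80),     # host-b does ordinary web browsing
    ("host-b", "203.0.113.2", 443),
]
# host-c contacts 40 distinct peers on a small set of uncommon ports (a swarm).
FLOWS += [("host-c", f"192.0.2.{i}", 16464 + (i % 3)) for i in range(1, 41)]

# A "zoo" of known C&C addresses, as the article describes. Constructed value.
CNC_BLOCKLIST = {"198.51.100.7"}


def blocklist_hits(flows, blocklist):
    """Classic approach: flag any host that contacts a known C&C address."""
    return {src for src, dst, _port in flows if dst in blocklist}


def swarm_suspects(flows, min_peers=20, max_ports=5):
    """Heuristic: a host reaching many distinct peers over only a few
    (non-web) ports looks like P2P 'sideways' communication, regardless of
    whether any individual peer address is known. Thresholds are assumptions."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, port in flows:
        if port in (80, 443):  # ignore normal web traffic for this heuristic
            continue
        peers[src].add(dst)
        ports[src].add(port)
    return {h for h in peers
            if len(peers[h]) >= min_peers and len(ports[h]) <= max_ports}


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(FLOWS, CNC_BLOCKLIST))  # {'host-a'}
    print("swarm suspects:", swarm_suspects(FLOWS))                 # {'host-c'}
```

Real deployments would combine both signals with timing and payload features; the point here is only that the swarm host never appears in the blocklist result.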

"Threat actors have taken note of the broader adoption of P2P, as well as P2P's lack of a centralized control infrastructure, which provides resilience to take down," said John Jerrim, senior research scientist at Damballa. "Today's most sophisticated malware toolkits are including P2P capabilities as a means to avoid the use of direct C&C. P2P does limit the threat actor's ability to be agile because the distribution of commands to infections is not immediate."

He added, "We are seeing more threat actors accept this tradeoff in order to gain access to systems that have other defense mechanisms in place. In addition, we are seeing other threat actors using P2P as a backup technique, to resurrect infections should their primary control infrastructure be taken down."
