31 May 2013

Peer-to-Peer Botnets Grow Larger, Make Takedown Harder

Peer-to-peer botnets have witnessed a dramatic surge over the past three years, but it appears the number of infected computers in these zombie networks is exceeding all expectations.

Following the dismantling of notorious classical botnets such as Mariposa and Rustock, cyber-criminals have focused their attention on developing decentralized botnets that communicate in a peer-to-peer manner to avoid decapitation. While conventional botnets rely on communication with a specific number of motherships, peer-to-peer botnets use other infected hosts to pass commands and eliminate the risk of getting its command and control servers seized and taken out of business.

When estimating the size of a peer-to-peer botnet, researchers often query peer lists from known bots and go from one infected PC to another to track the number of infections. Researchers Christian Rossow, Dennis Andriesse, Tillmann Werner, Brett Stone-Gross, Daniel Plohmann, Christian J. Dietrich and Herbert Bos at VU University Amsterdam deployed a network of sensors into the P2P botnets to estimate the number of affected computers. They learned that systems infected with the Sality file infector numbered one million, rather than the estimated value of 22,000.

“To spy on these botnets, we modeled reconnaissance methods and evaluated the resilience of current P2P botnets to these methods. That is, we evaluated to what extent the P2P botnets are able to deter malware analysts from enumerating the bots in the network. Luckily, all current P2P botnets can be enumerate quite easily,” wrote Christian Rossow on his blog.

Despite their resilience, the researchers came up with two reliable ways of taking down peer-to-peer botnets: sinkholing (siphoning traffic to a server controlled by a botnet attacker) and partitioning (splitting the botnet into unusable botnets). The full paper is available on the author’s website.