Ransomware and botnets using peer-to-peer networks are taking off this year, according to cyber-security specialists.
Stealthy by nature, criminals use botnets for a myriad of malicious activities, including denial-of-service attacks, spam, and banking fraud.
ZeroAccess, Sality, Zeus and Kelihos are some of the biggest and most resilient botnets to date. For instance, Kelihos has been taken down a number of times, and its operators created a new version of the network after each takedown. And GameOver Zeus, a variant of the Zeus family of bank-credential-stealing malware, has successfully used a decentralized network infrastructure of compromised personal computers and web servers to execute commands and infect millions of computers.
The advantages of P2P
Centralized servers are routinely tracked and blocked by the security community. Malware creators prefer a P2P network of infected hosts to communicate and distribute data because these peers act as a massive proxy network. Compromised bots talk with each other to propagate binary updates, distribute configuration files, and send stolen data. The lack of a central C&C infrastructure, and thus of a single point of failure, makes them more resilient to takedown efforts.
P2P botnets are also becoming more sophisticated in their communication methods, which makes eradicating them even more difficult. They lay low to elude the standard discovery techniques that look for abnormal network behavior.
As a result, P2P botnet traffic does not necessarily look malicious or harmful, so it may not trigger a warning. But it does create noise: high volumes of traffic, high network latency and traffic on unusual ports. If businesses don't constantly monitor their entire corporate network, they won't be able to identify P2P traffic.
Here is where network monitoring proves helpful. Network monitoring is a critical IT tool that serves several purposes:
There are a few ways to identify P2P activity on a network:
Unfortunately, there is no one-size-fits-all solution for identifying P2P traffic. Nonetheless, network monitoring plays an important role.
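As an added illustration of the symptoms described above (this is example code, not part of the original article), the following Python check scores flow records on the three indicators the text names: many distinct peers, traffic on unusual ports, and high aggregate volume. The flow records, the well-known-port list and the thresholds are constructed assumptions and would need tuning against a real network's baseline.

```python
"""Flow-level heuristic for P2P-style traffic (added example, not from the article).
Each internal source host is scored on: number of distinct destinations contacted,
share of connections to unusual (high, non-service) ports, and total bytes moved.
All sample data below is constructed, not captured from a real network."""
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 52000),   # ordinary HTTPS traffic
    ("10.0.0.5", "203.0.113.11", 443, 48000),
    ("10.0.0.5", "203.0.113.12", 80, 9000),
    # 10.0.0.9 fans out to many distinct peers on high, unassigned ports
    *[("10.0.0.9", f"198.51.100.{i}", 30000 + i, 1500) for i in range(25)],
]

# Assumed list of ports treated as normal service traffic (adjust per network).
WELL_KNOWN_PORTS = {22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


def score_p2p_activity(flows, min_peers=20, unusual_ratio=0.5, min_bytes=20000):
    """Return {src: details} for hosts exceeding all three thresholds.

    A host is flagged when it contacted >= min_peers distinct destinations,
    at least unusual_ratio of its flows went to ports outside WELL_KNOWN_PORTS
    (and above 1023), and it moved >= min_bytes in total. Thresholds are
    placeholder assumptions; tune them to the baseline of your own network.
    """
    peers = defaultdict(set)
    unusual = defaultdict(int)
    total_flows = defaultdict(int)
    volume = defaultdict(int)
    for src, dst, port, nbytes in flows:
        peers[src].add(dst)
        total_flows[src] += 1
        volume[src] += nbytes
        if port >= 1024 and port not in WELL_KNOWN_PORTS:
            unusual[src] += 1
    flagged = {}
    for src in peers:
        ratio = unusual[src] / total_flows[src]
        if len(peers[src]) >= min_peers and ratio >= unusual_ratio and volume[src] >= min_bytes:
            flagged[src] = {"peers": len(peers[src]),
                            "unusual_port_ratio": round(ratio, 2),
                            "bytes": volume[src]}
    return flagged


if __name__ == "__main__":
    for host, info in score_p2p_activity(SAMPLE_FLOWS).items():
        print(host, info)
```

Feeding real flow exports (NetFlow/IPFIX) through the same function lets a monitoring team alert on hosts whose fan-out and port usage diverge from their peers' baseline rather than on any single "malicious" packet.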
Network monitoring solutions have other functionalities as well. They allow you, the system administrator, to study a persistent problem with a closer eye. For example, if a piece of hardware is constantly tripping, it may be time to replace that hardware. The same applies to a constantly crashing service: should you notice that a service or a particular application is frequently crashing, it might be a good idea to look into troubleshooting the application.