READ detailS

Peer to peer botnets and the need for threat intelligence

Botnets and ransomware. How to filter P2P networks for security threats ?

Ransomware and botnets using peer-to-peer networks are taking off this year, according to cyber-security specialists.

Stealthy by nature, criminals use botnets for a myriad of malicious activities, including denial-of-service attacks, spam, and banking fraud.

ZeroAccess, Sality, Zeus and Kelihos are some of the biggest and most resilient botnets to date. For instance, Kelihos, has been taken down a number of times as attackers created new versions of the network each time. And GameOver Zeus, a variant of the Zeus family of bank credential-stealing malware has successfully used a decentralized network infrastructure of compromised personal computers and web servers to execute commands and infect millions of computers.

The advantages of P2P

Centralized servers are routinely tracked and blocked by the security community. Malware creators prefer a P2P network of infected hosts to communicate and distribute data because these peers act as a massive proxy network. Compromised bots talk with each other to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the lack of a C&C infrastructure makes them more resilient to takedown efforts.

Botnets from P2P applications are also becoming more sophisticated in their communication methods, and this makes eradicating even more difficult. They lay low to elude the standard discovery techniques which look for abnormal network behavior.

This way P2P botnet traffic does not necessarily look malicious or harmful, so it may not trigger a warning. But it does create noise, meaning high volumes of traffic, high network latency and traffic on unusual ports. If businesses don’t constantly monitor their entire corporate network, they won’t be able to identify P2P traffic.

Here is where network monitoring proves helpful. Networking monitoring is a critical IT tool that serves several purposes:

  • Optimizes network performance by identifying bottlenecks and other problems
  • Builds a database of critical information to help enforce security
  • Finds anomalous internal traffic that might be indicate a security threat

There are a few ways to identify P2P activity on a network:

  • Port-based analysis. Port based analysis is the most simple method to detect P2P traffic. It is based on the idea that many P2P applications have default ports to communicate with the outside. This technique is not bullet-proof since P2P programs have started using dynamic ports to connect to their servers or other clients, thus making them unpredictable.
  • Protocol-based analysis. Application layer protocol analysis monitors traffic passing through the network and inspects the data payload of the packets according to some previously defined P2P application signatures. However, static signature based matching requires new signatures to be effective when changes in signatures occur. The problem with this approach is that attackers change their signatures randomly and use tunneling to disguise their applications, so this method is not 100% efficient.
  • Client-based analysis relies on analyzing the changes in client computers. But a system administrator doesn’t always know if the user is manually deleting registry keys or executable files or there is P2P traffic involved.
  • Behavioral analysis. Anomaly detection is another way of detecting P2P traffic, since bots usually exhibit a different behavior from legitimate P2P users, such as sending queries periodically, always querying for the same content, or repeatedly querying but never downloading. Although this approach is effective for detecting known botnets, it is not very powerful in detecting new ones. That is why administrators rely on other tools, such as honeypots. They tend to use both approaches together to detect botnets and identify their C&C mechanisms.

Unfortunately, there is no one-fit-all solution for the identifying P2P traffic. Nonetheless, network monitoring plays an important role.

Network monitoring solutions have other functionalities as well. They allow you, the system administrator, to study a constant problem with a closer eye. For example, if a piece of hardware is constantly tripping, it may be the time to replace this hardware. The same would apply for a constant crashing service. Should you notice that a service or a particular application is frequently crashing, it might be a good idea to look into troubleshooting the application.

Cybersecure offers network monitoring services trusted by more than 150,000 administrators who monitor their LANs, WANs, servers, websites, appliances, URLs, and more.