Malware authors are increasing their use of peer-to-peer protocols for command and control, making detection more difficult, according to advanced threat protection vendor Damballa.
Many enterprises have installed defenses that can detect when external, centralized command and control
"As these advanced threats are looking for evasion techniques to keep hidden, we are seeing bigger adoption of peer-to-peer, a five-times increase over the last 12 months," said Stephen Newman, vice president of products for Damballa. "We've seen [P2P] in malware for a while, but it's never really taken off with the kind of growth we've observed [recently]."
Increased use of P2P tactics is an example of the traditional arms race between attackers and defenders, said Rick Holland, senior analyst with Cambridge, Mass.-based Forrester Research.
"Attackers want to maintain availability of their botnets just like enterprises want to maintain availability of their corporate systems," Holland said. "As security controls improve, and detecting and blocking traditional botnet [command and control] occurs more frequently, the attackers naturally adopt other techniques that maintain the availability and resiliency of their botnets."
Newman said malware authors are using P2P protocols is a variety of ways. The click-fraud and BitCoin-mining malware ZeroAccess, for instance, uses P2P as its primary command and control method. Infected devices can carry out mining and click fraud independently for long stretches. The fraudster needs to check in only occasionally to track a bot's progress, so centralized control isn't critical.
TDL4 is a resilient form of malware that downloads rootkits and opens backdoors on infected systems. It typically needs more directed command and control, so its authors use a variety of methods including P2P to maintain contact with infected devices.
"This gives [hackers] flexibility and resilience should they have any [centralized command and control] takedown issues," Newman said.
Some enterprises block all P2P activity on their networks, but that policy won't solve the problem, especially since many infected devices are mobile, Newman said. "[P2P malware] can exfiltrate that data when [the device] goes home to an ISP or to a coffee shop. Not only that, they can also be updated, so now the malware can receive instructions for a new command and control server if they run a centralized system. And then, from within the organization, they can openly communicate again. Just because it was blocked one time doesn't mean the organization doesn't desperately need to discover this infected device."
The new Damballa Failsafe P2P profiler uses machine learning to identify P2P communications patterns that signify malware and uses that knowledge to track down infected devices.
"By studying the behaviors of a device when it's making attempts to communicate out, we can profile an endpoint and differentiate the malicious peer-to-peer connection attempts from more traditional, benign communications based on how and where and what kinds of protocols they are using," Newman said.
Forrester's Holland said the rise of P2P malware emphasizes the need to protect networks with an ecosystem of technologies rather than point solutions. Network visibility from a company like Damballa is just a link in the chain.
"This is where combining one of the advanced endpoint security solutions with network visibility is useful," he said. "Enterprises need to take a combined approach to dealing with threats, regardless of the threat vector. Threat vectors will always change, based on our ability to do computer network defense. Instead of chasing the threat vector du jour, companies must understand what they need to protect and assure that the appropriate mix of detective and preventive controls are deployed on their networks and assets."
Let us know what you think about the story; email: Shamus McGillicuddy, News Director