SecurityWeek

Malware & Threats

Malware Increasingly Using P2P for C&C Functions: Report

Malware is increasingly shifting to peer-to-peer communications when receiving instructions from command-and-control servers and transferring stolen data to evade detection, Damballa said in a new report.


Damballa observed a five-fold increase in the number of malware samples using P2P to communicate with command-and-control infrastructure over the last 12 months, according to the report, released Thursday. Several of the latest malware variants, including ZeroAccess, TDL v4, and Zeus v3, already have P2P capabilities to evade detection by existing security products, the report said.

While enterprises may attempt to shut down P2P activity, there are legitimate applications that use P2P, such as Skype and Spotify. P2P is no longer about illegal file-sharing. The widespread acceptance of P2P applications is “ushering in an increase in P2P-based malware,” Damballa said. By using P2P to contact the C&C servers, criminals can ensure that their malicious traffic doesn’t raise any flags as it passes through the network, bypassing traditional network defenses.

“With P2P, we are seeing advanced threats being able to adapt to changing environments,” said Brian Foster, CTO of Damballa.

Similar to how malware authors have come up with new programmatic techniques to evade antivirus and other security scanners, cyber-criminals are adopting new techniques to hide the traffic flowing between the infected machine and the control servers, the report found. By using a decentralized model, where infected “peers” act as a server and host to each other, criminals now have an “indestructible communication structure that cannot be easily discovered,” Damballa wrote in its report.

“Threat actors have taken note of the broader adoption of P2P, as well as P2P’s lack of a centralised control infrastructure, which provides resilience to take down,” said John Jerrim, senior research scientist at Damballa.

P2P slows communication with infected machines, but it makes the operation much more resilient: even if the top-level server is knocked offline, infected peers can still relay instructions among themselves until a new master server comes online to resurrect the campaign.

While ZeroAccess and Zeus use P2P as their primary means of communication, TDL4 uses P2P as a fallback mechanism if direct C&C communications are blocked, the report found.


Along with the report, Damballa announced that it has added P2P Profiler to its Damballa Failsafe platform to discover and analyze P2P communications. Damballa Failsafe performs flow analysis on egress traffic and uses machine-learning algorithms to classify P2P traffic on the network as benign or malicious. Failsafe can also pinpoint which endpoint is the originator of the malicious P2P traffic.
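As an added illustration of what egress flow analysis can surface (this is not Damballa's code or the Failsafe classifier, and the flow records, thresholds, and helper names are constructed assumptions), the heuristic below aggregates per-endpoint features that separate peer-to-peer churn from ordinary client-server traffic and names the internal host that originates it; deciding whether a flagged host is running a benign P2P application or a P2P bot is left to the analyst or a trained classifier.

```python
"""Flow-analysis heuristic for P2P-like egress traffic (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal endpoint that opened the connection
    dst: str        # external peer
    dport: int      # destination port
    bytes_out: int
    bytes_in: int   # 0 means the peer never answered (dead peer / failed attempt)


def is_internal(ip):
    """Assumed RFC 1918 address plan for the monitored network."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def p2p_features(flows):
    """Per-source egress features: distinct peers, distinct /16 networks,
    share of high destination ports, share of unanswered connection attempts."""
    per_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            per_src[f.src].append(f)
    feats = {}
    for src, fl in per_src.items():
        peers = {f.dst for f in fl}
        nets = {".".join(f.dst.split(".")[:2]) for f in fl}
        feats[src] = {
            "peers": len(peers),
            "nets": len(nets),
            "high_port_ratio": sum(f.dport >= 1024 for f in fl) / len(fl),
            "dead_peer_ratio": sum(f.bytes_in == 0 for f in fl) / len(fl),
        }
    return feats


def flag_p2p(flows, min_peers=20, min_nets=10, high_port=0.8, dead=0.3):
    """Internal endpoints whose egress looks peer-to-peer: many distinct peers
    spread over many networks on high ports, with many unanswered attempts
    (peer churn). Thresholds are illustrative, not tuned on real traffic."""
    return sorted(src for src, f in p2p_features(flows).items()
                  if f["peers"] >= min_peers and f["nets"] >= min_nets
                  and f["high_port_ratio"] >= high_port
                  and f["dead_peer_ratio"] >= dead)


def make_sample_flows():
    """Constructed flows: 10.0.0.5 talks HTTPS to three CDN addresses;
    10.0.0.9 contacts 40 scattered peers on high ports, a third of which never answer."""
    flows = [Flow("10.0.0.5", f"203.0.113.{i % 3 + 1}", 443, 900, 4000) for i in range(30)]
    for i in range(40):
        flows.append(Flow("10.0.0.9", f"198.{18 + i % 12}.{i}.{i + 1}",
                          10000 + i * 37, 300, 0 if i % 3 == 0 else 600))
    return flows
```

Running `flag_p2p(make_sample_flows())` returns `["10.0.0.9"]`, the originating endpoint, while the HTTPS-only host stays unflagged.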
