14 DAY TRIAL // According to new research from security solutions provider Damballa, peer-to-peer (P2P) is increasingly used by threat operators and bot masters to obscure command and control (C&C) communications. To address such threats, the company has enhanced Damballa Failsafe to discover malicious P2P communications.
The company reports that the number of malware samples using P2P communications has increased five times over the last 12 months.
Notorious pieces of malware such as ZeuS, TDL and ZeroAccess have all started leveraging P2P capabilities to evade being detected by traditional security systems.
“With P2P, we are seeing advanced threats being able to adapt to changing environments. As the security industry starts to mitigate the risks from advanced malware by detecting call-backs ‘up’ to C&C, malware authors incorporate ‘sideways’ P2P communication so there is no one set of addresses that can be blocked,” noted Brian Foster, CTO at Damballa.
“While many enterprises attempt to shut down P2P activity through the use of traditional and application firewalls, today’s increasingly mobile workforce is ushering in an increase in P2P-based malware, which has the ability to leak data or conduct other nefarious behavior when devices are outside.”
Damballa Failsafe is capable of detecting malicious P2P communications by performing traffic analysis. It relies on machine-learning algorithms to determine if traffic is benign or malicious.
“Threat actors have taken note of the broader adoption of P2P, as well as P2P’s lack of a centralized control infrastructure, which provides resilience to take down,” explained John Jerrim, senior research scientist at Damballa.
“Today’s most sophisticated malware toolkits are including P2P capabilities as a means to avoid the use of direct C&C. P2P does limit the threat actor’s ability to be agile because the distribution of commands to infections is not immediate,” Jerrim added.
“We are seeing more threat actors accept this tradeoff in order to gain access to systems that have other defense mechanisms in place. In addition, we are seeing other threat actors using P2P as a backup technique, to resurrect infections should their primary control infrastructure be taken down.”
