Continued Growth in Threat from P2P Botnets | Anomali

The first half of 2013 has seen a dramatic increase in the use of Peer to Peer (P2P) botnets. As early as April of 2013, Fortinet designated P2P botnet ZeroAccess its “top security threat” due to its 100,000/week new infections and its potentially $100,000 USD/day profit generation. Though Citadel, one of the largest of the P2P botnets recently suffered a significant setback at the hands of the FBI and Microsoft, the P2P threat remains and continues to grow.

Key villains in the P2P botnet sphere are Citadel, ZeroAccess and Sality. It is estimated that ZeroAccess and Sality alone have infected over 1,000,000 computers. To put that number in perspective, new research indicates that perennial troublemaker Zeus has reached only 200,000 nodes. This may initially seem like a staggeringly large number. In fact, the infection numbers have recently been revised upwards due to new data generated by Dutch researchers working on the Sality P2P botnet.

The traditional method for gauging the scale of a P2P botnet was to query peer lists from known bots one by one. Eventually, it was hoped, you would map the entirety of its spread. The Dutch researchers came up with a new approach in which they stealthily incorporated their own systems into the botnet and engaged in active command and control (C2) dissemination. In this manner they were able to revise Sality infection numbers from 22,000 to 920,000.

P2P botnets are frustratingly resistant to attempts to neutralize their spread and mitigate their effects. This is due to the distributed nature of their C2 systems. Unlike older botnet models with a centralized C2 node which periodically disseminated directives to its zombie systems, P2P botnets lack a central server. Instead, each bot communicates with a set group of peers, which in turn communicate with another set of peers, eliminating the need for a central communications node.
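To make the two census methods described above concrete, the following simulation is an added example written for this page; it is not code from Anomali or from the Dutch researchers, and it models no real botnet's protocol. It builds a synthetic peer-to-peer overlay under one stated assumption: bots behind NAT cannot accept inbound connections and therefore never appear in anyone's peer list. A crawler that queries peer lists one bot at a time can then only ever count routable bots, whereas a sensor node that is announced into the overlay is eventually contacted by every bot that learns its address, routable or not. The bot counts, the 25% routable fraction and the peer-list size are constructed values chosen for the demonstration.

```python
import random
from collections import deque

# Constructed simulation, not data from any real botnet. Assumption: a bot's
# peer list only ever holds routable peers (bots that accept inbound
# connections), because a bot behind NAT cannot be contacted and so is never
# advertised to other bots.


def build_botnet(n_bots, routable_fraction=0.25, peers_per_bot=8, seed=7):
    """Return (routable_bots, peer_lists) for a synthetic P2P overlay."""
    rng = random.Random(seed)
    routable = sorted(b for b in range(n_bots) if rng.random() < routable_fraction)
    peer_lists = {}
    for bot in range(n_bots):
        candidates = [p for p in routable if p != bot]
        peer_lists[bot] = set(rng.sample(candidates, min(peers_per_bot, len(candidates))))
    # Keep the routable overlay strongly connected so the experiment is
    # deterministic: each routable bot also knows the next routable bot.
    for i, bot in enumerate(routable):
        nxt = routable[(i + 1) % len(routable)]
        if nxt != bot:
            peer_lists[bot].add(nxt)
    return set(routable), peer_lists


def crawl(routable, peer_lists, seed_bot):
    """Traditional census: connect to known bots one by one and ask each for
    its peer list. Only routable bots answer, so the count can never include
    a bot that sits behind NAT."""
    seen = {seed_bot}
    queue = deque([seed_bot])
    while queue:
        bot = queue.popleft()
        if bot not in routable:
            continue  # connection fails; this bot's peer list stays unknown
        for peer in peer_lists[bot]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def sensor_census(peer_lists, announce_to, max_rounds=None):
    """Sensor approach: a researcher-controlled peer is announced to a few
    bots and then spreads through ordinary peer-list exchange. Every bot that
    learns the sensor's address contacts it and is observed, whether or not
    that bot is itself routable. Returns (observed_bots, rounds_used)."""
    knows_sensor = set(announce_to)
    if max_rounds is None:
        max_rounds = len(peer_lists)
    for round_no in range(1, max_rounds + 1):
        # A bot learns the sensor's address from any peer that already has it.
        newly = {bot for bot, peers in peer_lists.items()
                 if bot not in knows_sensor and peers & knows_sensor}
        if not newly:
            return knows_sensor, round_no - 1
        knows_sensor |= newly
    return knows_sensor, max_rounds


def compare(n_bots=1000):
    """Run both census methods on the same synthetic overlay."""
    routable, peer_lists = build_botnet(n_bots)
    crawled = crawl(routable, peer_lists, seed_bot=min(routable))
    observed, rounds = sensor_census(peer_lists, announce_to=sorted(routable)[:3])
    return {
        "total": n_bots,
        "routable": len(routable),
        "crawl_count": len(crawled),
        "sensor_count": len(observed),
        "rounds": rounds,
    }


if __name__ == "__main__":
    print(compare())
```

The crawl count equals the number of routable bots and nothing more, while the sensor count reaches the whole population once the sensor's address has propagated; the gap between the two is the same kind of gap that separated the 22,000 and 920,000 Sality figures, although the real-world ratio depends on how many infected hosts are actually behind NAT, which this toy model fixes at a constructed 75%.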

Image courtesy of Reuters

Considering this difficulty, the question remains, what should be done? In early June of 2013, the FBI in concert with Microsoft and law enforcement agencies from over 80 countries struck a massive blow to the Citadel P2P botnet. At its height Citadel controlled over 5 million systems and likely stole at least $500 million US from financial institutions including American Express, Bank of America, Citigroup, Credit Suisse, eBay’s PayPal, HSBC, JPMorgan Chase, Royal Bank of Canada and Wells Fargo. According to the FBI and Microsoft they neutralized 1000 of 1400 Citadel bots.

Though this is a significant blow to the efficacy of Citadel, the remaining 400 bots are still active. Additionally, other P2P botnets such as ZeroAccess, TDL4/TDSS, and Zeus V3 remain active and continue to augment their networks. Analysts from Damballa recently noted a five-fold increase in malware spread via P2P during the last 12 months. It's evident that this is a persistent and increasingly sophisticated threat which demands agile information security solutions.
