Q

Is it possible to detect today's peer-to-peer (P2P) botnets?

Historically, botnets used centralized architectures for command and control. In this SearchSecurity.com Q&A, Ed Skoudis explains how attackers have upgraded the botnet structure using peer-to-peer (P2P) technology.

How do today's peer-to-peer (P2P) botnets stack up against botnets of the past?

P2P botnets are just plain evil, I tell ya. Historically, botnets used centralized architectures for command and control. In this architecture, each bot-infected machine logs into a shared communications resource, such as an IRC (Internet Relay Chat) channel, and seeks evil commands from a bot-herder. Even today, most botnets are designed this way.

But the centralized architecture causes problems for the bad guys: it creates a single point of failure. If diligent investigators shut down the IRC channel or even remove the server(s) associated with that channel, the botnet becomes headless. An attacker might have spent a lot of time and effort setting up a botnet of 500,000 machines, possibly earning thousands of dollars per day, too, from the malware being propagated. If the IRC channel disappears, however, the whole criminal enterprise is blown out of the water.

To remedy this situation, attackers are turning to peer-to-peer (P2P) communication. In such an approach, an active bot on a machine can scan for other close machines that might have the same bot, one that's controlled by the same attacker. The bot can then join a botnet cloud of encrypted P2P communications. The bots can find each other nearby, making the collective unit self-aware, multi-connected and self-healing. If a given bot notices that its communicating peers have disappeared, it looks for more. So, in this arrangement, there is no single point of failure. The attacker can inject commands into any part of the botnet cloud, using crypto-algorithms to implement authentication. The bots will then dutifully distribute the commands amongst themselves, as the message cascades through the P2P botnet.

P2P botnets are persistent and difficult to remove in their entirety. It's important to carefully analyze a bot specimen and how it authenticates itself to nearby bot peers. It's also useful to investigate how commands from the attacker are formulated and authenticated. This required level of examination demonstrates just how insidious the average bot specimen has become.

More information:

This was first published in July 2007

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close