Damballa thwarts malicious P2P comms

By Staff Writer, ITWeb
Johannesburg, 06 Jun 2013

Threat protection solutions provider Damballa has revealed that its Damballa Failsafe solution can now discover malicious peer-to-peer (P2P) communications.

The vendor explains that Damballa Failsafe uses behavioural detection techniques to identify malicious P2P communication attempts from malware trying to evade detection.

According to Damballa, P2P communication is increasingly used by malware for command-and-control (C&C) instructions and data transfers. Damballa says it has seen a five-fold increase in the number of malware samples using P2P in the last 12 months. As malware continues to evolve, much of the most current malware - including ZeroAccess, TDL v4, and Zeus v3 - is now leveraging P2P capabilities to evade detection by traditional signature, sandboxing and blacklisting techniques, it adds.

"With P2P, we are seeing advanced threats being able to adapt to changing environments. As the security industry starts to mitigate the risks from advanced malware by detecting communication 'up' to C&C, malware authors incorporate 'sideways' P2P communication so there is no one set of addresses that can be blocked," says Brian Foster, CTO at Damballa.

"While many enterprises attempt to shut down P2P activity through the use of traditional and application firewalls, today's increasingly mobile workforce is ushering in an increase in P2P-based malware, which has the ability to leak data or conduct other nefarious behaviour when devices are outside."

Damballa Failsafe can discover malicious P2P attempts whether an enterprise has blocked P2P communications or not, the vendor explains, adding that it performs flow analysis on egress traffic and uses machine-learning algorithms to classify the traffic associated with P2P swarms as benign traffic or malicious C&C traffic and pinpoint which endpoints are infected.
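The flow-analysis idea in the preceding paragraph, shown as an added illustration that is not Damballa's code and says nothing about how Damballa Failsafe works internally: per-host features are computed from NetFlow-style egress records (peer fan-out, destination-port spread, share of high-numbered ports, share of small flows), and a hand-written scoring rule stands in for the machine-learning classifier the article mentions. All flow records are constructed, and the internal address range 10.0.0.0/8, the thresholds and every function name are assumptions.

```python
"""Flow-feature heuristic for P2P-swarm-like egress behaviour.

Added illustration, not Damballa's code: a host participating in a P2P
swarm typically talks to many distinct external peers, across a wide
spread of high-numbered ports, with many short, small flows. The score
below is a hand-written stand-in for a trained classifier; all flow
records are constructed sample data.
"""
from collections import defaultdict, namedtuple
import ipaddress

Flow = namedtuple("Flow", "src dst dst_port proto nbytes packets")

# Assumption: the monitored site's internal address space.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed NetFlow-style records: src,dst,dst_port,proto,bytes,packets
SAMPLE_FLOWS = """\
# 10.0.0.5: ordinary web browsing, few peers, well-known ports, large flows
10.0.0.5,93.184.216.34,443,tcp,52310,48
10.0.0.5,93.184.216.34,443,tcp,19882,21
10.0.0.5,203.0.113.9,80,tcp,8120,12
10.0.0.5,203.0.113.9,443,tcp,61004,55
10.0.0.5,10.0.0.2,53,udp,120,1
10.0.0.5,198.51.100.3,443,tcp,2400,6
# 10.0.0.7: swarm-like, one flow per peer, random high ports, tiny payloads
10.0.0.7,198.51.100.12,34871,udp,312,3
10.0.0.7,198.51.100.40,51202,udp,288,3
10.0.0.7,198.51.100.77,16471,udp,540,5
10.0.0.7,203.0.113.21,29331,udp,301,3
10.0.0.7,203.0.113.58,44120,udp,276,2
10.0.0.7,203.0.113.90,10733,udp,1120,9
10.0.0.7,198.51.100.131,38844,udp,295,3
10.0.0.7,198.51.100.162,22690,udp,330,4
10.0.0.7,203.0.113.144,47215,udp,244,2
10.0.0.7,203.0.113.177,15380,udp,512,4
10.0.0.7,198.51.100.201,33007,udp,298,3
10.0.0.7,203.0.113.230,40991,tcp,3802,14
"""
# Constructed: a CDN-heavy browsing host with 10 distinct peers, but all on
# 443 with large flows. Fan-out alone must not be enough to flag it.
SAMPLE_FLOWS += "".join(
    f"10.0.0.9,203.0.113.{i},443,tcp,{40000 + 917 * i},{60 + i}\n" for i in range(1, 11)
)


def parse_flows(text):
    """Parse CSV-style flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes, pkts = line.split(",")
        flows.append(Flow(src, dst, int(port), proto, int(nbytes), int(pkts)))
    return flows


def is_egress(flow):
    """Keep only flows from an internal source to an external destination."""
    return (ipaddress.ip_address(flow.src) in INTERNAL_NET
            and ipaddress.ip_address(flow.dst) not in INTERNAL_NET)


def host_features(flows, small_flow_bytes=2000, high_port=1024):
    """Per internal host: peer fan-out, port spread and flow-size profile."""
    by_host = defaultdict(list)
    for f in flows:
        if is_egress(f):
            by_host[f.src].append(f)
    feats = {}
    for host, hf in by_host.items():
        n = len(hf)
        feats[host] = {
            "flows": n,
            "peers": len({f.dst for f in hf}),
            "ports": len({f.dst_port for f in hf}),
            "high_port_ratio": sum(f.dst_port >= high_port for f in hf) / n,
            "small_flow_ratio": sum(f.nbytes < small_flow_bytes for f in hf) / n,
        }
    return feats


def p2p_score(feat):
    """Count the swarm-like traits a host shows (0..4); thresholds are assumptions."""
    return ((feat["peers"] >= 10) + (feat["ports"] >= 8)
            + (feat["high_port_ratio"] >= 0.8) + (feat["small_flow_ratio"] >= 0.7))


def flag_p2p_hosts(flows, threshold=3):
    """Return [(host, score)] for hosts whose egress profile looks like a P2P swarm."""
    scored = [(h, p2p_score(f)) for h, f in host_features(flows).items()]
    return sorted([hs for hs in scored if hs[1] >= threshold], key=lambda hs: -hs[1])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, feat in host_features(flows).items():
        print(host, feat, "score", p2p_score(feat))
    print("flagged:", flag_p2p_hosts(flows))
```

On the constructed data only 10.0.0.7 is flagged; the CDN-heavy host 10.0.0.9 scores a single trait (fan-out), which is the point of combining several flow features rather than alerting on peer count alone. A real deployment would replace the fixed thresholds with a model trained on labelled flows and correlate a flagged host with other indicators before treating it as infected.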

"Threat actors have taken note of the broader adoption of P2P, as well as P2P's lack of a centralised control infrastructure, which provides resilience to take down," says John Jerrim, senior research scientist at Damballa.

"Today's most sophisticated malware toolkits are including P2P capabilities as a means to avoid the use of direct C&C. P2P does limit the threat actor's ability to be agile because the distribution of commands to infections is not immediate. We are seeing more threat actors accept this trade-off in order to gain access to systems that have other defence mechanisms in place. In addition, we are seeing other threat actors using P2P as a backup technique, to resurrect infections should their primary control infrastructure be taken down."