Damballa Failsafe can now discover malicious P2P communications. It uses behavioral detection techniques to identify malicious P2P communication attempts from malware trying to evade detection.
P2P communications is increasingly used by malware for command-and-control (C&C) instructions and data transfers. Damballa has seen a 5x increase in the number of malware samples using P2P in the last 12 months.
As malware continues to evolve, much of the most up-to-date malware – including ZeroAccess, TDL v4, and Zeus v3 – are now leveraging P2P capabilities to evade detection from traditional signature, sandboxing and blacklisting techniques.
“With P2P, we are seeing advanced threats being able to adapt to changing environments. As the security industry starts to mitigate the risks from advanced malware by detecting communication “up’ to C&C, malware authors incorporate “sideways’ P2P communication so there is no one set of addresses that can be blocked,” said Brian Foster, CTO at Damballa.
“While many enterprises attempt to shut down P2P activity through the use of traditional and application firewalls, today’s increasingly mobile workforce is ushering in an increase in P2P-based malware, which has the ability to leak data or conduct other nefarious behavior when devices are outside,” he added.
Damballa Failsafe can discover malicious P2P attempts whether an enterprise has blocked P2P communications or not. It performs flow analysis on egress traffic and uses machine-learning algorithms to classify the traffic associated with P2P swarms as benign traffic or malicious command-and-control traffic and pinpoint which endpoints are infected.
“Threat actors have taken note of the broader adoption of P2P, as well as P2P’s lack of a centralized control infrastructure, which provides resilience to take down,” said John Jerrim, senior research scientist at Damballa. “Today’s most sophisticated malware toolkits are including P2P capabilities as a means to avoid the use of direct C&C. P2P does limit the threat actor’s ability to be agile because the distribution of commands to infections is not immediate. We are seeing more threat actors accept this tradeoff in order to gain access to systems that have other defense mechanisms in place. In addition, we are seeing other threat actors using P2P as a backup technique, to resurrect infections should their primary control infrastructure be taken down.”