THOR: a new P2P botnet for sale

Botnets are networks of compromised computers under the control of a hacker or hacker group. They are primarily used to deliver huge amounts of spam or to direct a distributed denial of service (DDoS) attack against a particular target. They are traditionally based on a centralized architecture with a central command and control (C&C) server commanding the individual compromised computers (bots). 

Now a new botnet, named THOR and coded by TheGrimReap3r, is nearing completion and being offered for sale at $8000 on the criminal underground. THOR does not use a central C&C. It has a decentralized architecture based on peer-to-peer (P2P) technology. P2P botnets are the latest innovation in the battle between whitehat security researchers and law enforcement agencies and the blackhat criminal underground. The ‘weakness’ in the traditional centralized architecture, Panda Security’s technical director Luis Corrons told Infosecurity, is that is not impossible to track down the C&C server, and “if you are able to shut it down you can kill the botnet (the bots will be there but the cybercriminal won’t be able to control them).”

“The infamous Conficker worm was the first to use P2P technology to control its botnet,” says Ram Herkanaidu, education manager at Kaspersky Lab. “In so doing, it introduced resilience into the system.”

RandomStorm’s researcher Robin Wood explained the methodology of new P2P botnets. “P2P botnets,” he said, “let the controller inject commands into the network and have the bots disseminate the commands amongst each other. This removes the head and makes the network much harder to take down.” It also, he added, makes it harder to find the criminal behind the botnet. With a traditional C&C botnet, “if defenders can gain control of the command server they can watch for connections and try to trace the bot herder back to his own machine. In the P2P model, the herder can simply connect to a single bot and inject commands, using a different bot each time, so that it becomes a lot harder to track him down.”

The reason, said Herkanaidu, is to make more money. Botnet developers “can either use it themselves or more likely, rent it out to other cybercriminals to spread malware, send spam, act as a proxy service or other nefarious purposes. Of course if they can offer a highly stable platform, they can in turn charge more for this service.”

But P2P botnets are not without their own problems. “Control can become less absolute,” says James Wyke, a malware expert at SophosLabs. “By this I mean that new instructions need to be seeded into the botnet and it will take time for them to permeate to all nodes. Some nodes may also get orphaned if they lose contact with all the other nodes that are still live.” Some P2P botnets have been susceptible to takeover through inadequate authentication, he added. “This means that a rogue node could spread false data throughout the botnet and result in the original owner losing control,” he explained. “This can generally be overcome by using cryptographic mechanisms such as signing update files with the botnet owner's private key.” THOR, claims TheGrimReap3r, uses “256-AES encryption with random key generation at each startup” and that 8192-bit RSA will be used for instruction signing – ironically adding that “the NSA recommends 2048-bit”.

While P2P botnets are potentially more difficult to takedown, ESET senior research fellow David Harley points out that they are not impregnable. Although none of the bots carry all of the instructions, “it doesn’t make them ‘indestructible’ as has sometimes been claimed – since at least some of the control data is available on all machines, we can often use infected systems for analysis and monitoring.”

What’s Hot on Infosecurity Magazine?