Due to decentralized feature of P2P network shutting it down is not trivial task. You can't like in case of Rustock just go and simultaneously turn off all known C&C with DDoS on their infrastructure to break their communication/possible migration, because there is no C&C.
There are still few possibilities to shutdown it, all require deep reversing of network protocol used by specific malware and cracking crypto algorithms used by it.
1. Poison p2p network by inserting sinkholes. This is generic method as bots in p2p network connects each other and share their list of nodes. Once bot connects to sinkholed node it gets fake list of nodes (can be all sinkholed) and every bot that connects to this bot will receive poisoned list of nodes. Machine will still be infected by malware. Malware operators may (and likely does) monitor state and can take countermeasures against this method as poisoning works not immediatelly. This method was used by Crowdstrike and Kaspersky to shutdown Kelihos. Results? You already know - malware authors quickly pushed new version with updated protocol and renewed their botnet. They did this already few times.
2. Botnet relying on bootstrapping is vulnerable during its early stage. Physically isolating or shutting down bootstrap servers or the bots in the initial list that is hardcoded in bot code can prevent a new botnet from life. Sound almost fantastic. ZeroAccess for example already established botnet and every new bot pushed from drop zones has it predefined list of frequently updated peers.
There are of course exists other ways, above are just most generic. However effectivity of them doubful.
You can't send command to self-destruction simple because there is no such command (exists only in lame malware and holywood hackers movies). You can't use botnet command to forcebly upload any remover to affected computer - because this is users privacy violation, intrusion attempt and victims may sue the company who tried to do this (not the malware authors but you). Especially imagine what will be if your removal tool will fuckup anything on that computer. Welcome to the court and media scandal.
If we are talk about ZeroAccess/Sirefef as the most sophisticated and interesting malware currently available, its P2P functionality implemented inside module usually seen on infected machines as "n". Internally this is dll named p2p.32.dll (or p2p.64.dll for x64). It is very simplified P2P client, it only supports three commands:
- getL - get list of nodes
- retL - send list of nodes
- newL - publish node
when "n" takes control it start to listen UDP port. Malware reads bootstrap peers lists from s32, _32 (s64, _64) files (format described in
http://www.kernelmode.info/forum/viewto ... 582#p18582). Then it starts to send packets using UDP protocol. Each ZeroAccess has packet header described by the following structure
Code: Select alltypedef struct _zpackethead {
DWORD dwCheckSum; //CRC32
DWORD dwCommand; //getL, retL or newL
DWORD dwHop; //used in nodes publication
DWORD dwData; //used to store IP address or session ID
} zpackethead, *pzpackethead;
Actual data encrypted and starts after this header (including some other structures used by bot).
While work bot continiously exchange nodes list by sending getL commands.
If dwHop in incomming packet of retL command is equal to 1 then bot thinks it is supernode (has external IP) and transmites newL command to 16 nodes from it current nodes list (nodes are taken depending on the last active time - starting from most newer). It sets dwData to IP address, dwHop to 8. When other bot receives newL command, it gets node IP address from dwData and does ListOfNodes.IndexOfNode(dwData). If there is no such IP, bot extends list. After this bot sends retL to his 16 nodes to continue new node publication with dwHop decreased by one. Publication continues until dwHop != 0 or new node IP is not known by all other nodes.
retL command packet looks like this
packet start
zpackethead Head;
DWORD dwNodeCount;
znode zNodes[dwNodeCount];
DWORD dwDataBlocksCount;
zdata zData[dwDataBlocksCount];
packet end
You maybe all wondered why ZeroAccess filenames are has a hexademical numeric looking (e.g. 000000c0, 000000cf), the explanation of this inside implementation of P2P protocol used by ZeroAccess. Bot works as downloader using retL command and TCP connection for actual payload download.
zdata structure
Code: Select alltypedef struct _zdata {
DWORD dwFileId; //filename as dword
DWORD dwFileTime;
DWORD dwFileSize;
UCHAR uHash[128]; //used to check
} zdata, *pzdata;
If there is no such file on target machine, or it outdated compared to received data, bot downloads update/new file by sending new specific packet containing 3 first fields from zdata structure. Files are transmitted as RC4 encrypted with a key of MD5 of the structure describing download.
Take a note - even if the commands stay the same - ZeroAccess protocol updates. For example previously it used different set of commands - getL, getF, srv? - maybe some old bots still use this set.
Now looking on this architecture think how it can be shutted down.
