{
	"id": "e5b3d32a-bac5-4f40-88d8-0d625ba54ddc",
	"created_at": "2026-04-06T00:11:33.339609Z",
	"updated_at": "2026-04-10T13:12:45.695564Z",
	"deleted_at": null,
	"sha1_hash": "1112abdf53cdc1d70ace6f4e65d5ba86f7550e2e",
	"title": "Overcoming the Challenges of Detecting P2P Botnets on Your Network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1518336,
	"plain_text": "Overcoming the Challenges of Detecting P2P Botnets on Your\r\nNetwork\r\nBy Alessandro Di Pinto | October 13, 2020\r\nArchived: 2026-04-05 16:26:28 UTC\r\nIn the first six months of 2020, the Mozi, DDG and FritzFrog botnets were very active, and exhibited some pretty\r\ninteresting behaviors.\r\nThreat actors use peer-to-peer (P2P) botnets like these to build a platform that can later be used to carry out\r\nmalicious operations, such as large-scale Distributed Denial of Service (DDoS) or mining for cryptocurrencies.\r\nEarly-generation botnets followed a client-server model for command and control (C\u0026C), making use of popular\r\nprotocols like IRC and HTTP, or implementing custom ones. However, the simplicity of this architecture offered\r\nlittle resilience.\r\nAnalyzing the new architectural designs of recent botnets can help us understand emerging botnet techniques, and\r\nhow to use network artifacts to detect and mitigate their activity.\r\nRecent Evolution of Botnet Platforms\r\nOne of the first countermeasures taken by botnet operators to address the architectural weaknesses involved\r\nrelying on so-called bulletproof hosting. In layman’s terms, it meant finding a hosting provider willing to turn a\r\nblind eye to client activity.\r\nA second, often complementary solution involved using Domain Generation Algorithms (DGAs) as failsafes for\r\nsituations where the C\u0026C became unreachable. This technique consisted of embedding an algorithm within the\r\nbot to generate a series of domains that the malware would attempt to contact. The operator of the botnet only\r\nneeded to register one of these domains and make it accessible to the bots.\r\nThis new situation, where the C\u0026C could change over time, also meant that each and every bot required a strategy\r\nto verify the identity of the controller. 
To avoid hostile takeovers, botnets started relying on digital signatures to\r\nvalidate each command received from the network or a configuration update.\r\nThe need for increased takedown resistance eventually drove botnet operators to adapt and explore peer-to-peer\r\napproaches. A further evolution involved using a hybrid model, rather than a pure peer-to-peer model. In a P2P\r\nhybrid network topology, the botnet can survive a takedown of nodes with specialized roles, and reorganize itself\r\naccordingly.\r\nWhy Peer-to-peer Botnets Are Challenging to Disrupt\r\nIn general, it can be quite challenging to disrupt the malicious activities of P2P botnets. Take, for example, the\r\neffort coordinated by Microsoft in March 2020.[1] The company called on its technical and legal partners in 35\r\nhttps://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/\r\nPage 1 of 6\n\ncountries to disrupt Necurs, a popular hybrid peer-to-peer botnet.\r\nAccording to Microsoft: “This was accomplished by analyzing a technique used by Necurs to systematically\r\ngenerate new domains through an algorithm. We were then able to accurately predict over six million unique\r\ndomains that would be created in the next 25 months. Microsoft reported these domains to their respective\r\nregistries in countries around the world so the websites can be blocked and thus prevented from becoming part of\r\nthe Necurs infrastructure. 
By taking control of existing websites and inhibiting the ability to register new ones, we\r\nhave significantly disrupted the botnet.”\r\nWhile dismantling a peer-to-peer botnet might not be feasible for the average organization, there is still a lot that\r\nyour security teams can do.\r\nStart by considering the three main phases used by botnets, and where network artifacts are typically left behind:\r\nBot deployment: this is where the bot is deployed onto a target system that is a member of the network, for instance\r\nthrough an exploit, or by brute-forcing credentials\r\nCommunication with the peer-to-peer botnet: this occurs during peer discovery, configuration updates\r\nand while receiving commands\r\nMalicious activity: the actual malicious activity the botnet was created for, such as sending spam,\r\ndistributing ransomware or bot propagation towards other systems\r\nUsing the right tools, your security teams can detect and disrupt botnet activity. To better understand these\r\nconcepts, let’s look into some practical examples.\r\nDDG Botnet\r\nDDG is a mining botnet that has been extensively documented by the researchers at 360 Netlab.[2] While DDG\r\noriginally used DNS for command and control, it now uses a hybrid peer-to-peer model to control the nodes in its\r\nnetwork. DDG’s method of infection involves brute-forcing the root user password against SSH servers using a\r\nvery large wordlist. Alternatively, DDG uses exploits against Redis, Nexus Repository Manager and\r\nSupervisord.\r\nOne of the first noticeable anomalies occurs when DDG receives its configuration from a super node by\r\nleveraging HTTP on non-standard ports. 
Another interesting and useful characteristic for tracking down DDG is\r\nthe use of a domain that was never resolved through DNS in the HTTP Host header.\r\nOne of the first noticeable anomalies occurs when DDG receives its configuration from a super\r\nnode by leveraging HTTP on non-standard ports.\r\nDDG Detection Tool: The Snort rule below, provided by the Nozomi Networks Labs team, can be used freely by\r\nthe security community to detect DDG activity:\r\nFritzFrog Botnet\r\nFritzFrog is another example of a recently discovered peer-to-peer botnet. It is written in the Go programming\r\nlanguage and relies on SSH credential brute-forcing as its propagation mechanism. The rate at which it targets\r\nSSH on standard and non-standard (2222) TCP ports makes FritzFrog a pretty noisy bot.\r\nTo detect the anomalous network behavior, we don’t need FritzFrog to find an open SSH server and try several\r\ncredentials. The raw number of connection attempts alone is sufficient, as you can see in the Wireshark\r\nscreenshots below.\r\nThe raw number of FritzFrog botnet connection attempts is sufficient to detect its anomalous OT\r\nnetwork behaviour.\r\nMozi Botnet\r\nThe Mozi malware family makes use of a custom P2P protocol built on top of Distributed Hash Tables (DHT) in\r\norder to build a network of infected nodes. 
DHT is typically used by BitTorrent clients to identify peers using a\r\nkey (infohash), so at first glance, Mozi’s communication can hide among what looks like normal DHT traffic.\r\nAdditionally, to bootstrap the overlay network, Mozi relies on well-known BitTorrent nodes such as\r\nrouter.bittorrent.com, as shown in the screenshot below.\r\nMozi botnet attempts to guess credentials and initiate a number of connections to hosts not\r\npreviously seen in the network, leaving a noticeable trail.\r\nThere are ARM and MIPS variants of the Mozi malware. Like most botnets targeting IoT devices, Mozi uses weak\r\nTelnet credential brute-forcing as a way to propagate. Additionally, a number of exploits affecting IoT devices\r\nsuch as CCTV, DVR, NVR and routers are included as a supplemental infection method.\r\nThe HTTP request format strings above are a subset of the exploits that Mozi samples include and use.\r\nSpecifically, these malicious requests target CCTV/DVR RCE, MVPower DVR Shell Unauthenticated Command\r\nExecution and Vacron NVR RCE.\r\nThe communication with the peer-to-peer botnet through DHT might not be trivial to investigate in a network\r\nwhere DHT is allowed. 
However, its attempts to guess credentials and initiate a number of connections to hosts\r\nnot previously seen in the network leave a noticeable trail.\r\nMore Free Security Community Tools from Nozomi Networks Labs\r\nWe hope you’ve found our exploration of the architectural designs typically employed by botnet operators helpful.\r\nThe important takeaway is that these operations, by their very nature, give security defenders multiple starting\r\npoints for investigating the network artifacts they leave behind.\r\nTo learn more about defending your OT network against botnets, please watch the webinar below, “P2P Botnets:\r\nFollowing the Network Trail.”\r\nTo tap into additional security community resources including threat advisories, security reports, podcasts, and\r\nother free tools developed by the Nozomi Networks Labs Security Research team, subscribe to Nozomi Networks\r\nLabs.\r\nAlessandro Di Pinto\r\nSecurity Research Manager, Nozomi Networks. @adipinto Alessandro Di Pinto is an Offensive Security Certified\r\nProfessional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing\r\nand incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat\r\nIntelligence (GCTI) certifications. Alessandro co-authored the research papers \"TRITON: The First ICS Cyber\r\nAttack on Safety Instrument Systems\" and \"Analyzing the GreyEnergy Malware: from Maldoc to Backdoor\".\r\nSource: https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/"
	],
	"report_names": [
		"overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1112abdf53cdc1d70ace6f4e65d5ba86f7550e2e.pdf",
		"text": "https://archive.orkl.eu/1112abdf53cdc1d70ace6f4e65d5ba86f7550e2e.txt",
		"img": "https://archive.orkl.eu/1112abdf53cdc1d70ace6f4e65d5ba86f7550e2e.jpg"
	}
}