"P2P botnets let the controller inject commands into the network and have the bots disseminate the commands amongst each other," RandomStorm researcher Robin Wood told InfoSecurity about the growing Thor P2P botnet. "This removes the head and makes the network much harder to take down."
Researchers from Kaspersky Labs called the Alureon P2P botnet "practically indestructible" in a July 1 Ars Technica story about the botnet, which had 4.5 million members.
The primary point of failure for P2P botnets is the strength of their encryption, according to Krebs.
Researchers shut down the Kelihos botnet by cracking the encryption of its CnC messages and sending out their own messages, stealing control away from the botnet's creators and ordering the zombies to stand down, Krebs wrote.
This version was at least the second major version of the Kelihos botnet. Microsoft was able to shut down an earlier variant in September 2011; it took only weeks for its owners to begin rebuilding the network that was the subject of this attack. In January Microsoft accused a Russian man named Andrey Sabelnikov of directing the botnet. It also denied in February that the Kelihos network had revived, despite widespread evidence that a subsequent version of the virus was rebuilding its army.
The second Kelihos botnet is just as hard to keep down.
Within hours of the takedown of the Kelihos.B network the virus had begun rising from the dead yet again, Krebs reported.
The Kelihos.B virus has been recompiled as Kelihos.C and is spreading via Facebook.