Botnet Takedowns Can Incur Collateral Damage

Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet

Sometimes the good guys get caught in the crossfire of the war against botnets.

But that risk comes with the botnet-fighting territory these days as security firms engage more aggressively with botnet operations, and overlapping research can be inadvertently destroyed along with part of the botnet. That was apparent last week when a Dutch security firm blasted Microsoft for damaging the firm's own investigation -- as well as investigations by other unnamed organizations -- into a Zeus botnet where Microsoft physically confiscated two command-and-control (C&C) servers. Richard Boscovich, Microsoft's senior attorney for its Digital Crimes Unit, later said in a statement that the company would be happy to discuss with Fox-IT some "misunderstandings" about the operation, but Fox-IT says it had not heard from the software giant as of late last week.

Botnet disruption and takedown operations have become standard operating procedure during the past two years, led mainly by Microsoft, which has thrown its vast legal resources behind these complicated efforts to derail cybercriminals intent on infecting as many victim machines as possible to carry out fraud. But more often than not after a botnet is disrupted, the operators come up with a new variant of the bot malware and the cycle starts again.

Takedowns invariably touch more than just the bots and C&C servers, because multiple security organizations and vendors are gathering intelligence on the vast array of botnets out there. So the fallout from the Zeus takedown came as no surprise to most botnet-watchers. Part of the problem is that, for competitive or other reasons, the security industry doesn't always share enough about its research efforts, notes Gunter Ollmann, vice president of research at Damballa. "So when Microsoft, law enforcement, or anyone does something proactively against the bad guys, then more often than not it does get a few people upset. A lot of these groups are holding and not sharing their research, so it's no surprise when they are affected by someone's takedown. Fox IT is a classic example of one such case," Ollmann says.

There are plenty of invitation-only security lists where sharing does go down, he notes, but not everyone is open about every botnet or malware operation they're working on.

Christian Seifert, chief communications officer for the Honeynet Project, and Dave Dittrich, chief legal and ethics officer for the Honeynet Project, say the process and due diligence involved in a sinkhole operation depends on its ultimate goal: "Small entities may merely want to disrupt a botnet to merely study the resurgence of the botnet. If the risk/harm to other stakeholders is determined to be minimal, the benefit of gaining some insight into the resurgence of a botnet may be sufficient to justify the action. Involvement of a legal process may not be necessary," they say. "If, however, the end goal is to bring the bot-herders behind bars, there is a whole other process one would need to follow, which does include a legal process."

Fox-IT, whose principal security expert, Michael Sandee, revealed last week that the firm's research had suffered the fallout of the Zeus C&C server confiscation, wasn't the only firm affected. Another security firm confirmed in an interview with Dark Reading that it experienced the same inadvertent sabotage to its research on the Zeus botnet. A researcher with that firm who requested anonymity says his company has been trying to reach Microsoft for two weeks, but has not received any response.

He says he thinks the destruction of good guy research during the operation was an accident. "I don't think [Microsoft] knew" it was hurting other sinkhole operations, he says. "I believe they just started shooting everywhere without thinking it through."

Now some of these research efforts have been exposed, experts say. According to another source with knowledge of the operation, many of the sinkholed domains didn't belong to the Zeus gang, but instead were sinkholes owned by different researchers. Not only did they lose their intelligence feed, but they were "also marked as being potentially a contact for the criminals," he says. Those sinkholed domains are easily recognized, he says.

Microsoft's Boscovich last week said in a statement that the Zeus case included evidence gathered by Microsoft as well as from third parties who gave it permission to use their intelligence. But he added that there are times that you can't always alert everyone about an imminent takedown: "There are times when, for operational security reasons, we cannot provide advance information to all researchers out there monitoring a particular threat and there are, by law, firm restrictions on investigative collaboration between private companies and law enforcement. Despite these limitations, Microsoft's commitment to trustworthy partnership with the research and enforcement community has never wavered."

[Unlike previous botnet takedowns led by Microsoft, the goal of the Zeus operation was not to permanently kill all of the Zeus botnets targeted in the operation, but instead to disrupt a segment of the operation. See Microsoft, Financial Partners Seize Servers Used In Zeus Botnets.]

The problem with sinkholes is that the vendors and researchers running them are typically trying to hide them from the bad guys so they don't get DDoSed, Damballa's Ollmann says. "By hiding, it makes it hard for anyone else to figure out if that IP address is malicious [either]," he says.

The strategy of sinkholing, or diverting bots to a honeypot server to monitor traffic to and from the botnet, is widespread among researchers. Kaspersky Lab, which has been involved in the Kelihos/Hlux botnet takedowns, first analyzes any action it takes against a botnet from both a legal and ethical perspective, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "Sinkholing is very nonintrusive, so it's not hard to move forward in that area," he says. And it doesn't always require legal action, as with the most recent effort to derail the second generation of Kelihos, variant B, according to Schouwenberg.

Legal problems arise in the cleanup phase of a botnet takedown, not in the actual disruption phase, he says. "I'm inclined to say botnet takedowns themselves aren't going to be the major legal problem in many cases. When moving from takedown to bot clean-up is where the biggest legal -- and ethical -- issues are. So this goes from issuing uninstall commands to pushing removal utilities: That's generally considered to be illegal."

Potential legal issues arise when researchers sinkhole C&C domains, or if victim machines that are sinkholed upload stolen information, notes Damballa's Ollmann. Bots often poll the C&C for additional information, and as part of that process, operating system type, IP address, and other location information are exchanged, he says. That also opens up a legal can of worms if the researcher is posing as the C&C and issuing commands to the victim's machine, he notes.

The recent DNSChanger botnet takedown took that approach, but with the backing of law enforcement, given that the Department of Justice and the FBI are running the sinkhole while victims are notified by their service providers.

Meanwhile, with a bot sinkhole, victim machines may upload stolen data. "So you end up with all of that information on your server," opening up new legal problems, Ollmann says. "What do you do at the end of the day with that information that was collected?"
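As an added illustration of the data-handling problem Ollmann describes (this is example code, not code from the article or from Fox-IT, Damballa, Kaspersky or Microsoft): a sinkhole intake handler that records only the metadata needed to count infected hosts and watch a botnet resurge, discards anything that looks like an upload of stolen data rather than a small beacon, and never answers with a command, so the sinkhole does not pose as the C&C. The JSON beacon format, its field names, the sample addresses and the placeholder key are assumptions constructed for the example; real bot check-in protocols differ per family.

```python
"""Data-minimising sinkhole intake (added example; beacon format and key are
constructed assumptions, not any real bot protocol)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Secret for pseudonymising client addresses so victims can be counted and
# de-duplicated without storing raw IPs.  Placeholder value for the example.
PSEUDONYM_KEY = b"replace-with-sinkhole-secret"

# A legitimate beacon is tiny; anything larger is treated as an upload of
# data the sinkhole must not retain (e.g. stolen credentials).
MAX_BEACON_BYTES = 512


@dataclass(frozen=True)
class CheckinRecord:
    ts: int
    client_pseudonym: str      # keyed hash, not the IP itself
    bot_id: str
    os_type: str
    upload_bytes_discarded: int  # size of any dropped payload, never its content
    command_issued: bool       # always False: the sinkhole only listens


def pseudonymise(ip: str) -> str:
    """Keyed hash of the client address; stable per host, not reversible
    without PSEUDONYM_KEY."""
    return hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]


def parse_beacon(body: bytes) -> Optional[Tuple[str, str]]:
    """Return (bot_id, os_type) if the body is a small JSON beacon, else None.
    The JSON shape {"id": ..., "os": ...} is an assumption for this example."""
    if not body or len(body) > MAX_BEACON_BYTES:
        return None
    try:
        beacon = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    if not isinstance(beacon, dict):
        return None
    return (str(beacon.get("id", "unknown"))[:64],
            str(beacon.get("os", "unknown"))[:32])


def handle_checkin(client_ip: str, body: bytes,
                   now: Optional[int] = None) -> Tuple[CheckinRecord, bytes]:
    """Process one bot check-in.  Returns the minimal record to keep and the
    response body, which is always empty: no uninstall, update or other
    command is ever sent back to the victim machine."""
    ts = now if now is not None else int(time.time())
    parsed = parse_beacon(body)
    if parsed is None:
        # Not a beacon: count the bytes so the upload volume can be measured,
        # but do not store, hash or forward the payload itself.
        bot_id, os_type, discarded = "unknown", "unknown", len(body)
    else:
        bot_id, os_type = parsed
        discarded = 0
    record = CheckinRecord(ts, pseudonymise(client_ip), bot_id, os_type,
                           discarded, False)
    return record, b""


def unique_victims(records: List[CheckinRecord]) -> int:
    """Number of distinct infected hosts seen, computed from pseudonyms only."""
    return len({r.client_pseudonym for r in records})


if __name__ == "__main__":
    # Constructed sample traffic from documentation address space.
    samples = [
        ("198.51.100.7", b'{"id":"bot-0001","os":"WinXP"}'),
        ("198.51.100.7", b"FORM:login=alice&pass=hunter2" + b"\x00" * 2000),
        ("203.0.113.9", b'{"id":"bot-0002","os":"Win7"}'),
    ]
    kept = []
    for ip, body in samples:
        rec, resp = handle_checkin(ip, body, now=1)
        assert resp == b""
        kept.append(rec)
        print(rec)
    print("unique infected hosts:", unique_victims(kept))
```

The design choice worth noting: the record stores the size of a dropped upload but never a hash of it, since even a digest of stolen data is a derivative the operator would then have to justify holding; counting bytes is enough to see whether the botnet's exfiltration is still active.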

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

4/18/2012 | 3:37:16 PM
re: Botnet Takedowns Can Incur Collateral Damage
I remember hearing about possible collateral damage from this. I think they thought it would probably be more severe than this.