Botnet Takedowns Can Incur Collateral Damage

Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet

Sometimes the good guys get caught in the crossfire of the war against botnets.

But that risk comes with the botnet-fighting territory these days as security firms engage more aggressively with botnet operations, and overlapping research can be inadvertently destroyed along with part of the botnet. That was apparent last week when a Dutch security firm blasted Microsoft for damaging the firm's own investigation -- as well as investigations by other unnamed organizations -- into a Zeus botnet where Microsoft physically confiscated two command-and-control (C&C) servers. Richard Boscovich, Microsoft's senior attorney for its Digital Crimes Unit, later said in a statement that the company would be happy to discuss with Fox-IT some "misunderstandings" about the operation, but Fox-IT says it had not heard from the software giant as of late last week.

Botnet disruption and takedown operations have become standard operating procedure during the past two years, led mainly by Microsoft, which has thrown its vast legal resources behind these complicated efforts to derail cybercriminals intent on infecting as many victim machines as possible to carry out fraud. But more often than not after a botnet is disrupted, the operators come up with a new variant of the bot malware and the cycle starts again.

Takedowns invariably touch more than just the bots and C&C servers, as multiple security organizations and vendors are gathering intelligence on the vast array of botnets out there. So the fallout from the Zeus takedown came as no surprise to most botnet-watchers. Part of the problem is that, for competitive or other reasons, the security industry doesn't always share enough about its research efforts, notes Gunter Ollmann, vice president of research at Damballa. "So when Microsoft, law enforcement, or anyone does something proactively against the bad guys, then more often than not it does get a few people upset. A lot of these groups are holding and not sharing their research, so it's no surprise when they are affected by someone's takedown. Fox IT is a classic example of one such case," Ollmann says.

There are plenty of invitation-only security lists where sharing does go down, he notes, but not everyone is open about every botnet or malware operation they're working on.

Christian Seifert, chief communications officer for the Honeynet Project, and Dave Dittrich, chief legal and ethics officer for the Honeynet Project, say the process and due diligence involved in a sinkhole operation depends on its ultimate goal: "Small entities may merely want to disrupt a botnet to merely study the resurgence of the botnet. If the risk/harm to other stakeholders is determined to be minimal, the benefit of gaining some insight into the resurgence of a botnet may be sufficient to justify the action. Involvement of a legal process may not be necessary," they say. "If, however, the end goal is to bring the bot-herders behind bars, there is a whole other process one would need to follow, which does include a legal process."

Fox-IT, whose principal security expert, Michael Sandee, revealed last week that the firm's research had suffered the fallout of the Zeus C&C server confiscation, wasn't the only firm affected. Another security firm confirmed in an interview with Dark Reading that it experienced the same inadvertent sabotage to its research on the Zeus botnet. A researcher with that firm who requested anonymity says his company has been trying to reach Microsoft for two weeks, but has not received any response.

He says he thinks the destruction of good guy research during the operation was an accident. "I don't think [Microsoft] knew" it was hurting other sinkhole operations, he says. "I believe they just started shooting everywhere without thinking it through."

Now some of these research efforts have been exposed, experts say. According to another source with knowledge of the operation, many of the sinkholed domains didn't belong to the Zeus gang, but instead were sinkholes owned by different researchers. Not only did they lose their intelligence feed, but they were "also marked as being potentially a contact for the criminals," he says. Those sinkholed domains are easily recognized, he says.

Microsoft's Boscovich last week said in a statement that the Zeus case included evidence gathered by Microsoft as well as from third parties who gave it permission to use their intelligence. But he added that there are times that you can't always alert everyone about an imminent takedown: "There are times when, for operational security reasons, we cannot provide advance information to all researchers out there monitoring a particular threat and there are, by law, firm restrictions on investigative collaboration between private companies and law enforcement. Despite these limitations, Microsoft's commitment to trustworthy partnership with the research and enforcement community has never wavered."

[Unlike previous botnet takedowns led by Microsoft, the goal of the Zeus operation was not to permanently kill all of the Zeus botnets targeted in the operation, but instead to disrupt a segment of the operation. See Microsoft, Financial Partners Seize Servers Used In Zeus Botnets.]

The problem with sinkholes is that the vendors and researchers running them are typically trying to hide them from the bad guys so they don't get DDoSed, Damballa's Ollmann says. "By hiding, it makes it hard for anyone else to figure out if that IP address is malicious [either]," he says.

The strategy of sinkholing, or diverting bots to a honeypot server to monitor traffic to and from the botnet, is widespread among researchers. Kaspersky Lab, which has been involved in the Kelihos/Hlux botnet takedowns, first analyzes any action it takes against a botnet from both a legal and ethical perspective, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "Sinkholing is very nonintrusive, so it's not hard to move forward in that area," he says. And it doesn't always require legal action, as with the most recent effort to derail the second generation of Kelihos, variant B, according to Schouwenberg.

Legal problems arise in the cleanup phase of a botnet takedown, not in the actual disruption phase, he says. "I'm inclined to say botnet takedowns themselves aren't going to be the major legal problem in many cases. When moving from takedown to bot clean-up is where the biggest legal -- and ethical -- issues are. So this goes from issuing uninstall commands to pushing removal utilities: That's generally considered to be illegal."

Potential legal issues arise when researchers sinkhole C&C domains, or if victim machines that are sinkholed upload stolen information, notes Damballa's Ollmann. Bots often poll the C&C for additional information, and as part of that process, operating system type, IP address, and other location information are exchanged, he says. That also opens up a legal can of worms if the researcher is posing as the C&C and issuing commands to the victim's machine, he notes.

The recent DNSChanger botnet takedown took that approach, but with the backing of law enforcement, given that the Department of Justice and FBI are running the sinkhole while victims are notified by their service providers.

Meanwhile, with a bot sinkhole, victim machines may upload stolen data. "So you end up with all of that information on your server," opening up new legal problems, Ollmann says. "What do you do at the end of the day with that information that was collected?"
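One way to act on the data-handling concern Ollmann raises is a sinkhole that records that a bot polled it but keeps neither the victim's IP address nor any uploaded payload, and answers with nothing a bot could interpret as a command. This is an added illustration, not code from Fox-IT, Damballa, Microsoft or any other party named in the article; HASH_KEY, handle_checkin, summary and the /gate.php path used in the test are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

# Per-deployment secret (constructed placeholder): the log stores only a keyed
# hash of each victim address, so a leaked log does not reveal who was infected.
HASH_KEY = b"constructed-placeholder-secret"


@dataclass
class Checkin:
    ts: float
    host_token: str       # HMAC of the client IP, never the IP itself
    path: str             # which C&C path the bot polled
    bytes_discarded: int  # size of the upload we refused to keep


@dataclass
class SinkholeLog:
    entries: list = field(default_factory=list)


def host_token(client_ip: str) -> str:
    """Stable pseudonym for a victim host, used only to count unique bots."""
    return hmac.new(HASH_KEY, client_ip.encode(), hashlib.sha256).hexdigest()[:16]


def handle_checkin(log: SinkholeLog, client_ip: str, path: str, body: bytes,
                   now: Optional[float] = None) -> tuple:
    """Accept a bot poll, log the minimum needed, and answer with an empty
    200 so the bot receives no configuration or command from the sinkhole."""
    log.entries.append(Checkin(now if now is not None else time.time(),
                               host_token(client_ip), path, len(body)))
    # The request body (possibly stolen data) is dropped here; it is never
    # written to disk or kept in memory beyond this call.
    return 200, b""


def summary(log: SinkholeLog) -> dict:
    """Aggregate figures suitable for a takedown report or ISP notification."""
    return {
        "checkins": len(log.entries),
        "unique_hosts": len({e.host_token for e in log.entries}),
        "bytes_discarded": sum(e.bytes_discarded for e in log.entries),
    }
```

Victim notification through a service provider still needs a real address at the moment of the check-in, so a deployment that supports notification would hand the address to the provider at that moment rather than retaining it.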

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.


Comment, 4/18/2012 | 3:37:16 PM
re: Botnet Takedowns Can Incur Collateral Damage
I remember hearing about possible collateral damage from this. I think they thought it would probably be more severe than this.