Botnet Takedowns Can Incur Collateral Damage

Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet

Sometimes the good guys get caught in the crossfire of the war against botnets.

But that risk comes with the botnet-fighting territory these days: as security firms engage more aggressively with botnet operations, overlapping research can be inadvertently destroyed along with part of the botnet. That was apparent last week when Dutch security firm Fox-IT blasted Microsoft for damaging Fox-IT's own investigation -- as well as investigations by other unnamed organizations -- into a Zeus botnet, in an operation in which Microsoft physically confiscated two command-and-control (C&C) servers. Richard Boscovich, Microsoft's senior attorney for its Digital Crimes Unit, later said in a statement that the company would be happy to discuss some "misunderstandings" about the operation with Fox-IT, but Fox-IT says it had not heard from the software giant as of late last week.

Botnet disruption and takedown operations have become standard operating procedure during the past two years, led mainly by Microsoft, which has thrown its vast legal resources behind these complicated efforts to derail cybercriminals intent on infecting as many victim machines as possible to carry out fraud. But more often than not after a botnet is disrupted, the operators come up with a new variant of the bot malware and the cycle starts again.

Takedowns invariably touch more than just the bots and C&C servers, because multiple security organizations and vendors are gathering intelligence on the same botnets. So the fallout from the Zeus takedown came as no surprise to most botnet-watchers. Part of the problem is that, for competitive or other reasons, security companies don't always share enough about their research efforts with one another, notes Gunter Ollmann, vice president of research at Damballa. "So when Microsoft, law enforcement, or anyone does something proactively against the bad guys, then more often than not it does get a few people upset. A lot of these groups are holding and not sharing their research, so it's no surprise when they are affected by someone's takedown. Fox-IT is a classic example of one such case," Ollmann says.

There are plenty of invitation-only security lists where sharing does go down, he notes, but not everyone is open about every botnet or malware operation they're working on.

Christian Seifert, chief communications officer for the Honeynet Project, and Dave Dittrich, chief legal and ethics officer for the Honeynet Project, say the process and due diligence involved in a sinkhole operation depends on its ultimate goal: "Small entities may merely want to disrupt a botnet to merely study the resurgence of the botnet. If the risk/harm to other stakeholders is determined to be minimal, the benefit of gaining some insight into the resurgence of a botnet may be sufficient to justify the action. Involvement of a legal process may not be necessary," they say. "If, however, the end goal is to bring the bot-herders behind bars, there is a whole other process one would need to follow, which does include a legal process."

Fox-IT, whose principal security expert Michael Sandee revealed last week that the firm's research had suffered from the Zeus C&C server confiscation, wasn't the only firm affected. Another security firm confirmed in an interview with Dark Reading that it experienced the same inadvertent sabotage to its research on the Zeus botnet. A researcher with that firm who requested anonymity says his company has been trying to reach Microsoft for two weeks, but has not received any response.

He says he thinks the destruction of good guy research during the operation was an accident. "I don't think [Microsoft] knew" it was hurting other sinkhole operations, he says. "I believe they just started shooting everywhere without thinking it through."

Now some of these research efforts have been exposed, experts say. According to another source with knowledge of the operation, many of the sinkholed domains didn't belong to the Zeus gang, but instead were sinkholes owned by different researchers. Not only did they lose their intelligence feed, but they were "also marked as being potentially a contact for the criminals," he says. Those sinkholed domains are easily recognized, he says.

Microsoft's Boscovich last week said in a statement that the Zeus case included evidence gathered by Microsoft as well as from third parties who gave it permission to use their intelligence. But he added that there are times that you can't always alert everyone about an imminent takedown: "There are times when, for operational security reasons, we cannot provide advance information to all researchers out there monitoring a particular threat and there are, by law, firm restrictions on investigative collaboration between private companies and law enforcement. Despite these limitations, Microsoft's commitment to trustworthy partnership with the research and enforcement community has never wavered."

[Unlike previous botnet takedowns led by Microsoft, the goal of the Zeus operation was not to permanently kill all of the Zeus botnets targeted in the operation, but instead to disrupt a segment of the operation. See Microsoft, Financial Partners Seize Servers Used In Zeus Botnets.]

The problem with sinkholes is that the vendors and researchers running them are typically trying to hide them from the bad guys so they don't get DDoSed, Damballa's Ollmann says. "By hiding, it makes it hard for anyone else to figure out if that IP address is malicious [either]," he says.
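The deconfliction problem Ollmann describes, and the misattributed researcher sinkholes in the Zeus filing, are what a pre-filing check against a shared sinkhole registry is meant to catch. The script below is an added example, not code from the article or from Microsoft, Fox-IT or Damballa. It assumes a registry of researcher sinkhole netblocks shared on a closed list (constructed here, using documentation address ranges) and pre-resolved A records for each candidate C&C domain (also constructed, so it runs offline). The shared-IP review threshold is a heuristic assumption: many dead C&C domains collapsing onto one IP is how a sinkhole looks, but also how shared criminal hosting looks, so it flags for review rather than deciding.

```python
"""Deconfliction of a planned takedown target list against known sinkholes.

Added example, not from the article or any firm it names. Registry and
DNS answers are constructed so the check runs offline.
"""
import ipaddress
from collections import defaultdict

# Constructed registry: netblocks that sinkhole operators registered on a
# closed sharing list. Documentation ranges only.
SINKHOLE_REGISTRY = {
    "198.51.100.0/28": "researcher-A sinkhole",
    "203.0.113.7/32": "researcher-B sinkhole",
}

# Constructed candidates: domain -> A records, as a takedown team would
# have after resolving domains pulled from malware configs.
CANDIDATES = {
    "cnc-one.example": ["192.0.2.10"],
    "cnc-two.example": ["192.0.2.11"],
    "stale-a.example": ["198.51.100.5"],
    "stale-b.example": ["198.51.100.5"],
    "stale-c.example": ["198.51.100.5"],
    "stale-d.example": ["203.0.113.7"],
    "cluster-1.example": ["192.0.2.99"],
    "cluster-2.example": ["192.0.2.99"],
    "cluster-3.example": ["192.0.2.99"],
    "cluster-4.example": ["192.0.2.99"],
}

# Heuristic (assumption): this many unrelated domains on one IP is worth a
# human look before the IP goes into a complaint as criminal infrastructure.
SHARED_IP_REVIEW_THRESHOLD = 4


def _compile_registry(registry):
    return [(ipaddress.ip_network(net, strict=False), owner)
            for net, owner in registry.items()]


def registry_owner(ip, compiled):
    """Return the registered sinkhole owner covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, owner in compiled:
        if addr in net:
            return owner
    return None


def deconflict(candidates, registry=SINKHOLE_REGISTRY,
               review_threshold=SHARED_IP_REVIEW_THRESHOLD):
    """Partition candidate domains into target / sinkhole / review.

    'target' is a sorted list of domains safe to include; 'sinkhole' maps
    domain -> registry owner to notify instead; 'review' maps domain -> the
    shared IP that triggered the heuristic.
    """
    compiled = _compile_registry(registry)
    result = {"target": [], "sinkhole": {}, "review": {}}

    # Count how many candidate domains land on each IP.
    ip_to_domains = defaultdict(set)
    for domain, ips in candidates.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)

    for domain, ips in sorted(candidates.items()):
        owners = {registry_owner(ip, compiled) for ip in ips} - {None}
        if owners:
            result["sinkhole"][domain] = sorted(owners)[0]
            continue
        shared = [ip for ip in ips
                  if len(ip_to_domains[ip]) >= review_threshold]
        if shared:
            result["review"][domain] = shared[0]
            continue
        result["target"].append(domain)
    return result


if __name__ == "__main__":
    r = deconflict(CANDIDATES)
    print("include in filing:", r["target"])
    print("notify sinkhole owner instead:", r["sinkhole"])
    print("manual review (shared IP):", r["review"])
```

Domains matching the registry are routed to the listed owner rather than into the legal filing; the review bucket is where the "hidden" sinkholes Ollmann mentions would surface, if at all, so it is the part that needs a human and a phone call rather than a script.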

Sinkholing, redirecting bots' C&C lookups to a server the researcher controls so that the botnet's traffic can be monitored, is a widespread research strategy. Kaspersky Lab, which has been involved in the Kelihos/Hlux botnet takedowns, first analyzes any action it takes against a botnet from both a legal and ethical perspective, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "Sinkholing is very nonintrusive, so it's not hard to move forward in that area," he says. And it doesn't always require legal action, as with the most recent effort to derail the second generation of Kelihos, variant B, according to Schouwenberg.

Legal problems arise in the cleanup phase of a botnet takedown, not in the actual disruption phase, he says. "I'm inclined to say botnet takedowns themselves aren't going to be the major legal problem in many cases. When moving from takedown to bot clean-up is where the biggest legal -- and ethical -- issues are. So this goes from issuing uninstall commands to pushing removal utilities: That's generally considered to be illegal."

Potential legal issues arise when researchers sinkhole C&C domains, or if victim machines that are sinkholed upload stolen information, notes Damballa's Ollmann. Bots often poll the C&C for additional information, and as part of that process, operating system type, IP address, and other location information are exchanged, he says. That also opens up a legal can of worms if the researcher is posing as the C&C and issuing commands to the victim's machine, he notes.

The recent DNSChanger botnet takedown took that approach, but with the backing of law enforcement: the Department of Justice and FBI are running the sinkhole, and victims are being notified by their service providers.

Meanwhile, with a bot sinkhole, victim machines may upload stolen data. "So you end up with all of that information on your server," opening up new legal problems, Ollmann says. "What do you do at the end of the day with that information that was collected?"
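The two exposures Schouwenberg and Ollmann describe, answering a bot with commands and ending up in possession of whatever it uploads, are design decisions in the sinkhole itself. The handler below is an added example, not code from the article or from Kaspersky Lab, Damballa or any other firm named here. The beacon shape (source IP, method, path, headers, body) is a constructed generic HTTP check-in and does not follow any real bot family's protocol. It shows a careless record that keeps everything beside a minimised one that keeps only what a victim-notification feed needs, and a reply path that never carries an instruction to the infected host.

```python
"""Passive sinkhole beacon handler with data minimisation.

Added example; not code from the article or from any firm it names. The
beacon dict (src_ip, method, path, headers, body) is a constructed shape,
not any real bot family's protocol.
"""
import hashlib
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# A reply that carries no instruction to the infected host: the sinkhole
# observes, it does not command. No uninstall, no update, no new config.
NEUTRAL_RESPONSE = (200, b"")


def careless_record(beacon):
    """What a naive sinkhole does: keep the whole beacon, including the
    uploaded body. Shown for contrast only; this is the record that leaves
    the operator holding stolen data."""
    return dict(beacon)


def minimised_record(beacon, now=None):
    """Keep only what is needed to identify and notify the victim.

    Source IP and time are kept so the ISP can find the customer; the body
    is reduced to a length and digest so repeated uploads can be counted
    without the stolen content itself ever being stored.
    """
    body = beacon.get("body") or b""
    headers = {k.lower(): v for k, v in beacon.get("headers", {}).items()}
    return {
        "ts": int(time.time() if now is None else now),
        "src_ip": beacon["src_ip"],
        "host": headers.get("host", ""),
        "method": beacon.get("method", "GET"),
        "path": beacon.get("path", "/"),
        "user_agent": headers.get("user-agent", ""),
        "body_bytes": len(body),
        "body_sha256": hashlib.sha256(body).hexdigest() if body else None,
    }


def handle_beacon(beacon, sink, now=None):
    """Append the minimised record to sink and return (status, body).

    The reply is NEUTRAL_RESPONSE regardless of what the bot asked for.
    """
    sink.append(minimised_record(beacon, now))
    return NEUTRAL_RESPONSE


class SinkholeHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end wiring handle_beacon to real requests."""
    sink = []

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        beacon = {
            "src_ip": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "headers": dict(self.headers.items()),
            "body": self.rfile.read(length) if length else b"",
        }
        status, body = handle_beacon(beacon, self.sink)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _serve

    def log_message(self, fmt, *args):
        # The default logger writes the full request line to stderr, which
        # would be a second, unminimised copy of the beacon. Suppress it.
        pass


if __name__ == "__main__":
    # Local dry run; a real deployment sits behind the sinkholed domains'
    # A records, with the legal review the article's sources describe.
    HTTPServer(("127.0.0.1", 8080), SinkholeHandler).serve_forever()
```

The digest answers Ollmann's "what do you do with that information" question before it arises: the operator can still count and deduplicate uploads, but there is nothing to hand over, leak or be subpoenaed for because the content was never written down.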

Next Page: Aggressive anti-botnet ops to continue

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

4/18/2012 | 3:37:16 PM
re: Botnet Takedowns Can Incur Collateral Damage
I remember hearing about possible collateral damage from this. I think they thought it would probably be more severe than this.