Botnet Takedowns Can Incur Collateral Damage

Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet

Sometimes the good guys get caught in the crossfire of the war against botnets.

But that risk comes with the botnet-fighting territory these days as security firms engage more aggressively with botnet operations, and overlapping research can be inadvertently destroyed along with part of the botnet. That was apparent last week when a Dutch security firm blasted Microsoft for damaging the firm's own investigation -- as well as investigations by other unnamed organizations -- into a Zeus botnet where Microsoft physically confiscated two command-and-control (C&C) servers. Richard Boscovich, Microsoft's senior attorney for its Digital Crimes Unit, later said in a statement that the company would be happy to discuss with Fox-IT some "misunderstandings" about the operation, but Fox-IT says it had not heard from the software giant as of late last week.

Botnet disruption and takedown operations have become standard operating procedure during the past two years, led mainly by Microsoft, which has thrown its vast legal resources behind these complicated efforts to derail cybercriminals intent on infecting as many victim machines as possible to carry out fraud. But more often than not after a botnet is disrupted, the operators come up with a new variant of the bot malware and the cycle starts again.

Takedowns invariably touch more than just the bots and C&C servers, because multiple security organizations and vendors are gathering intelligence on the vast array of botnets out there. So the fallout from the Zeus takedown came as no surprise to most botnet-watchers. Part of the problem is that, for competitive or other reasons, the security industry doesn't always share enough about its research efforts, notes Gunter Ollmann, vice president of research at Damballa. "So when Microsoft, law enforcement, or anyone does something proactively against the bad guys, then more often than not it does get a few people upset. A lot of these groups are holding and not sharing their research, so it's no surprise when they are affected by someone's takedown. Fox-IT is a classic example of one such case," Ollmann says.

There are plenty of invitation-only security lists where sharing does go down, he notes, but not everyone is open about every botnet or malware operation they're working on.

Christian Seifert, chief communications officer for the Honeynet Project, and Dave Dittrich, chief legal and ethics officer for the Honeynet Project, say the process and due diligence involved in a sinkhole operation depends on its ultimate goal: "Small entities may merely want to disrupt a botnet to merely study the resurgence of the botnet. If the risk/harm to other stakeholders is determined to be minimal, the benefit of gaining some insight into the resurgence of a botnet may be sufficient to justify the action. Involvement of a legal process may not be necessary," they say. "If, however, the end goal is to bring the bot-herders behind bars, there is a whole other process one would need to follow, which does include a legal process."

Fox-IT, whose principal security expert Michael Sandee revealed last week that the firm's research had suffered the fallout of the Zeus C&C server confiscation, wasn't the only firm affected. Another security firm confirmed in an interview with Dark Reading that it experienced the same inadvertent sabotage to its research on the Zeus botnet. A researcher with that firm who requested anonymity says his company has been trying to reach Microsoft for two weeks, but has not received any response.

He says he thinks the destruction of good guy research during the operation was an accident. "I don't think [Microsoft] knew" it was hurting other sinkhole operations, he says. "I believe they just started shooting everywhere without thinking it through."

Now some of these research efforts have been exposed, experts say. According to another source with knowledge of the operation, many of the sinkholed domains didn't belong to the Zeus gang, but instead were sinkholes owned by different researchers. Not only did they lose their intelligence feed, but they were "also marked as being potentially a contact for the criminals," he says. Those sinkholed domains are easily recognized, he says.

Microsoft's Boscovich last week said in a statement that the Zeus case included evidence gathered by Microsoft as well as from third parties who gave it permission to use their intelligence. But he added that there are times that you can't always alert everyone about an imminent takedown: "There are times when, for operational security reasons, we cannot provide advance information to all researchers out there monitoring a particular threat and there are, by law, firm restrictions on investigative collaboration between private companies and law enforcement. Despite these limitations, Microsoft's commitment to trustworthy partnership with the research and enforcement community has never wavered."

[Unlike previous botnet takedowns led by Microsoft, the goal of the Zeus operation was not to permanently kill all of the Zeus botnets targeted in the operation, but instead to disrupt a segment of the operation. See Microsoft, Financial Partners Seize Servers Used In Zeus Botnets.]

The problem with sinkholes is that the vendors and researchers running them are typically trying to hide them from the bad guys so they don't get DDoSed, Damballa's Ollmann says. "By hiding, it makes it hard for anyone else to figure out if that IP address is malicious [either]," he says.

The strategy of sinkholing, or diverting bots to a honeypot server to monitor traffic to and from the botnet, is widespread among researchers. Kaspersky Lab, which has been involved in the Kelihos/Hlux botnet takedowns, first analyzes any action it takes against a botnet from both a legal and ethical perspective, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "Sinkholing is very nonintrusive, so it's not hard to move forward in that area," he says. And it doesn't always require legal action, as with the most recent effort to derail the second generation of Kelihos, variant B, according to Schouwenberg.

Legal problems arise in the cleanup phase of a botnet takedown, not in the actual disruption phase, he says. "I'm inclined to say botnet takedowns themselves aren't going to be the major legal problem in many cases. When moving from takedown to bot clean-up is where the biggest legal -- and ethical -- issues are. So this goes from issuing uninstall commands to pushing removal utilities: That's generally considered to be illegal."

Potential legal issues arise when researchers sinkhole C&C domains, or if victim machines that are sinkholed upload stolen information, notes Damballa's Ollmann. Bots often poll the C&C for additional information, and as part of that process, operating system type, IP address, and other location information are exchanged, he says. That also opens up a legal can of worms if the researcher is posing as the C&C and issuing commands to the victim's machine, he notes.

The recent DNSChanger botnet takedown took that approach, but with the backing of law enforcement: the Department of Justice and FBI are running the sinkhole while victims are notified by their service providers.

Meanwhile, with a bot sinkhole, victim machines may upload stolen data. "So you end up with all of that information on your server," opening up new legal problems, Ollmann says. "What do you do at the end of the day with that information that was collected?"
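The passive sinkhole that Schouwenberg describes as nonintrusive, built around the two handling decisions Ollmann raises (never pose as the C&C by issuing commands, and decide up front what to keep of whatever bots upload), as an added example written for this edit. It is not code from the article or from Microsoft, Fox-IT, Damballa or Kaspersky Lab. The HTTP POST check-in shape, the path /gate.php, the operator salt, the log file name and the sample request are assumptions, not any real botnet's protocol.

```python
# Added example: a passive HTTP sinkhole that records bot check-in metadata but
# neither issues commands nor retains uploaded payloads. Illustrative code for
# this article, not any vendor's tooling; the request shape is an assumption.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample check-in, as the sinkhole would see it once the C&C domain
# resolves to the sinkhole host. 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_CHECKIN = {
    "client_ip": "203.0.113.45",
    "path": "/gate.php",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "body": b"\x17\x03\x01" + bytes(range(256)) * 4,  # stands in for an opaque upload
}


@dataclass
class CheckinRecord:
    """What the sinkhole keeps: enough to count and characterise bots, no content."""
    ts: int
    client: str        # pseudonymised source address (see pseudonymize_ip)
    path: str
    user_agent: str
    body_len: int
    body_sha256: str   # fingerprint only; lets analysts dedupe uploads without storing them


def pseudonymize_ip(ip, salt):
    """Keyed hash of the source address. The same bot maps to the same token across
    check-ins, but the raw address is not written to disk. Keep the salt offline if
    victims may later need to be re-identified for notification through their ISP."""
    return hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()[:16]


def summarize_checkin(client_ip, path, user_agent, body, salt, now=None):
    """Reduce a bot check-in to metadata. The body, which may contain data stolen
    from the victim, is hashed for deduplication and then dropped; it is never logged."""
    return CheckinRecord(
        ts=int(now if now is not None else time.time()),
        client=pseudonymize_ip(client_ip, salt),
        path=path,
        user_agent=user_agent[:200],
        body_len=len(body),
        body_sha256=hashlib.sha256(body).hexdigest(),
    )


def inert_response():
    """Reply with an empty 200. The sinkhole never sends a command, config or binary:
    posing as the C&C and directing victim machines is the step the article flags as
    legally risky. How a given bot family reacts to an empty reply is family-specific
    and not modelled here."""
    return 200, b""


class SinkholeHandler(BaseHTTPRequestHandler):
    salt = b"rotate-me-per-deployment"  # assumption: operator-supplied secret
    log_path = "sinkhole.jsonl"          # assumption: append-only metadata log

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, 1 << 20))  # cap what is read; the rest is discarded
        rec = summarize_checkin(self.client_address[0], self.path,
                                self.headers.get("User-Agent", ""), body, self.salt)
        with open(self.log_path, "a") as fh:
            fh.write(json.dumps(asdict(rec)) + "\n")
        status, payload = inert_response()
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST  # polling bots that GET the gate are summarised the same way

    def log_message(self, *args):  # keep stdout quiet; the JSONL file is the record
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

The design choice is that retention is decided in summarize_checkin, before anything touches disk: an analyst who later asks "what do we do with the collected data" finds only lengths, hashes and pseudonyms, and the salt is the one secret that can turn a pseudonym back into an address for victim notification.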

Next Page: Aggressive anti-botnet ops to continue

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...


4/18/2012 | 3:37:16 PM
re: Botnet Takedowns Can Incur Collateral Damage
I remember hearing about possible collateral damage from this. I think they thought it would probably be more severe than this.