Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet

Sometimes the good guys get caught in the crossfire of the war against botnets.

But that risk comes with the botnet-fighting territory these days as security firms engage more aggressively with botnet operations, and overlapping research can be inadvertently destroyed along with part of the botnet. That was apparent last week when a Dutch security firm blasted Microsoft for damaging the firm's own investigation -- as well as investigations by other unnamed organizations -- into a Zeus botnet where Microsoft physically confiscated two command-and-control (C&C) servers. Richard Boscovich, Microsoft's senior attorney for its Digital Crimes Unit, later said in a statement that the company would be happy to discuss with Fox-IT some "misunderstandings" about the operation, but Fox-IT says it had not heard from the software giant as of late last week.

Botnet disruption and takedown operations have become standard operating procedure during the past two years, led mainly by Microsoft, which has thrown its vast legal resources behind these complicated efforts to derail cybercriminals intent on infecting as many victim machines as possible to carry out fraud. But more often than not after a botnet is disrupted, the operators come up with a new variant of the bot malware and the cycle starts again.

Takedowns invariably touch more than just the bots and C&C servers, as multiple security organizations and vendors are gathering intelligence on the vast array of botnets out there. So the fallout from the Zeus takedown came as no surprise to most botnet-watchers. Part of the problem is that, for competitive or other reasons, the security industry doesn't share enough of its research with one another, notes Gunter Ollmann, vice president of research at Damballa. "So when Microsoft, law enforcement, or anyone does something proactively against the bad guys, then more often than not it does get a few people upset. A lot of these groups are holding and not sharing their research, so it's no surprise when they are affected by someone's takedown. Fox-IT is a classic example of one such case," Ollmann says.

There are plenty of invitation-only security lists where sharing does go down, he notes, but not everyone is open about every botnet or malware operation they're working on.

Christian Seifert, chief communications officer for the Honeynet Project, and Dave Dittrich, chief legal and ethics officer for the Honeynet Project, say the process and due diligence involved in a sinkhole operation depends on its ultimate goal: "Small entities may merely want to disrupt a botnet to merely study the resurgence of the botnet. If the risk/harm to other stakeholders is determined to be minimal, the benefit of gaining some insight into the resurgence of a botnet may be sufficient to justify the action. Involvement of a legal process may not be necessary," they say. "If, however, the end goal is to bring the bot-herders behind bars, there is a whole other process one would need to follow, which does include a legal process."

Fox-IT, whose principal security expert, Michael Sandee, revealed last week that the firm's research had suffered the fallout of the Zeus C&C server confiscation, wasn't the only firm affected. Another security firm confirmed in an interview with Dark Reading that it experienced the same inadvertent sabotage to its research on the Zeus botnet. A researcher with that firm who requested anonymity says his company has been trying to reach Microsoft for two weeks, but has not received any response.

He says he thinks the destruction of good guy research during the operation was an accident. "I don't think [Microsoft] knew" it was hurting other sinkhole operations, he says. "I believe they just started shooting everywhere without thinking it through."

Now some of these research efforts have been exposed, experts say. According to another source with knowledge of the operation, many of the sinkholed domains didn't belong to the Zeus gang, but instead were sinkholes owned by different researchers. Not only did they lose their intelligence feed, but they were "also marked as being potentially a contact for the criminals," he says. Those sinkholed domains are easily recognized, he says.

Microsoft's Boscovich last week said in a statement that the Zeus case included evidence gathered by Microsoft as well as from third parties who gave it permission to use their intelligence. But he added that there are times that you can't always alert everyone about an imminent takedown: "There are times when, for operational security reasons, we cannot provide advance information to all researchers out there monitoring a particular threat and there are, by law, firm restrictions on investigative collaboration between private companies and law enforcement. Despite these limitations, Microsoft's commitment to trustworthy partnership with the research and enforcement community has never wavered."

[Unlike previous botnet takedowns led by Microsoft, the goal of the Zeus operation was not to permanently kill all of the Zeus botnets targeted in the operation, but instead to disrupt a segment of the operation. See Microsoft, Financial Partners Seize Servers Used In Zeus Botnets.]

The problem with sinkholes is that the vendors and researchers running them are typically trying to hide them from the bad guys so they don't get DDoSed, Damballa's Ollmann says. "By hiding, it makes it hard for anyone else to figure out if that IP address is malicious [either]," he says.

The strategy of sinkholing, or diverting bots to a honeypot server to monitor traffic to and from the botnet, is widespread among researchers. Kaspersky Lab, which has been involved in the Kelihos/Hlux botnet takedowns, first analyzes any action it takes against a botnet from both a legal and ethical perspective, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "Sinkholing is very nonintrusive, so it's not hard to move forward in that area," he says. And it doesn't always require legal action, as with the most recent effort to derail the second generation of Kelihos, variant B, according to Schouwenberg.

Legal problems arise in the cleanup phase of a botnet takedown, not in the actual disruption phase, he says. "I'm inclined to say botnet takedowns themselves aren't going to be the major legal problem in many cases. When moving from takedown to bot clean-up is where the biggest legal -- and ethical -- issues are. So this goes from issuing uninstall commands to pushing removal utilities: That's generally considered to be illegal."

Potential legal issues arise when researchers sinkhole C&C domains, or if victim machines that are sinkholed upload stolen information, notes Damballa's Ollmann. Bots often poll the C&C for additional information, and as part of that process, operating system type, IP address, and other location information are exchanged, he says. That also opens up a legal can of worms if the researcher is posing as the C&C and issuing commands to the victim's machine, he notes.

The recent DNSChanger botnet takedown took that approach, but with the backing of law enforcement, since the Department of Justice and FBI are running the sinkhole while victims are notified by their service providers.

Meanwhile, with a bot sinkhole, victim machines may upload stolen data. "So you end up with all of that information on your server," opening up new legal problems, Ollmann says. "What do you do at the end of the day with that information that was collected?"
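The two sinkhole concerns Ollmann raises above, that bots hand over OS type, IP address and location data when they poll, and that victims may upload stolen data to whoever holds the C&C address, can be addressed at the logging layer. The following is an added example, not code from the article or from any of the firms it quotes: a data-minimising check-in handler for a research sinkhole that keeps only a pseudonymised source address, a coarse OS label and the byte count of each request, discards request bodies unread, and answers every bot with an empty response so it never issues commands. The check-in format (an HTTP request with a User-Agent header), the IP-hashing key and the sample traffic are all constructed assumptions; no real bot family's protocol is reproduced.

```python
"""Data-minimising sinkhole check-in handler (added example, constructed data)."""
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: a per-deployment secret so the same victim can be counted across
# check-ins without the sinkhole ever storing its IP address in the clear.
IP_HMAC_KEY = b"replace-with-per-deployment-secret"

# Hypothetical coarse OS classification from the User-Agent header; it stands
# in for whatever host details a given bot family reports when it polls.
OS_HINTS = (
    ("Windows", "windows"),
    ("Mac OS", "macos"),
    ("Android", "android"),
    ("Linux", "linux"),
)


def classify_os(user_agent):
    """Map a User-Agent string to a coarse OS label, or 'unknown'."""
    for needle, label in OS_HINTS:
        if needle in user_agent:
            return label
    return "unknown"


def pseudonymise_ip(ip):
    """Keyed hash of the source address: stable for correlation, not reversible
    without the deployment key."""
    return hmac.new(IP_HMAC_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]


def process_beacon(source_ip, method, path, headers, body, now=None):
    """Reduce one bot check-in to a minimal telemetry record.

    The body is only measured; its contents (which may be data stolen from the
    victim) are never copied into the record or written anywhere.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "src": pseudonymise_ip(source_ip),
        "method": method,
        "path": path,
        "os": classify_os(headers.get("User-Agent", "")),
        "body_bytes": len(body),
        "body_retained": False,
    }


def sinkhole_response():
    """Every request gets the same empty 200 reply: the sinkhole observes the
    bot's poll but sends it no configuration and no commands."""
    return 200, {"Content-Type": "text/plain", "Content-Length": "0"}, b""


def summarize(records):
    """Distinct pseudonymised hosts per OS label: the population view a
    researcher wants from a sinkhole, with no victim content involved."""
    hosts_by_os = {}
    for rec in records:
        hosts_by_os.setdefault(rec["os"], set()).add(rec["src"])
    return {label: len(hosts) for label, hosts in sorted(hosts_by_os.items())}


# Constructed sample check-ins using documentation (TEST-NET) addresses.
SAMPLE_BEACONS = [
    ("203.0.113.10", "POST", "/checkin",
     {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"},
     b"id=constructed-bot-1&upload=FAKE_STOLEN_FORM_DATA"),
    ("203.0.113.10", "POST", "/checkin",
     {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"},
     b"id=constructed-bot-1&upload=MORE_FAKE_DATA"),
    ("198.51.100.7", "GET", "/checkin",
     {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
     b""),
]


def run_sample():
    """Process the constructed check-ins and return the telemetry records."""
    return [process_beacon(*beacon) for beacon in SAMPLE_BEACONS]


if __name__ == "__main__":
    records = run_sample()
    for record in records:
        print(record)
    print(summarize(records))
```

The point of the design is that the sinkhole operator's stored data consists of nothing a victim could object to and nothing a court would later have to adjudicate: a keyed hash of the address, a method, a path, an OS label and a byte count. Whether that is enough for a given investigation is a question for the goal of the operation, as the Honeynet Project's Seifert and Dittrich note above.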

There's also the problem of different laws in different countries, Ollmann and other experts say. "Most botnets have victims in multiple countries. So what's legal in one country may be illegal in another," Kaspersky's Schouwenberg says.

Some security researchers prefer that sinkholing be used more for intelligence and research purposes and not for botnet takedowns. But most agree that the aggressive dismantlement method will remain the main tool for now for ultimately getting to the bad guys behind the curtain who are guiding the botnet operation.

Microsoft and other security firms acknowledge that a botnet takedown may only be a temporary fix, but that the idea is to disrupt the bad guys and gather intelligence about them to get to the real actors behind the botnet. But, as always, arresting and convicting the major players behind the cybercrime is the biggest challenge.

Botnet takedowns are a bit like drug busts, Schouwenberg explains. "I think takedowns are a great way to disrupt the business. I equate them to drug busts, where a few hundred pounds of cocaine get confiscated," he says. "So, while a very powerful tool, it's not quite the same as actually putting these actors behind bars."


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
