Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast

When the Waledac botnet was dismantled by a security community-wide effort earlier this year, spam traffic immediately and discernibly dropped in a big way. But the researchers who worked in the trenches to shut down the botnet acknowledge that these takedowns are more of a temporary, short-term solution to a much bigger problem: the difficulty of completely eradicating these networks for cybercrime with such a bounty of available bots and bot candidates.

Many bots never really get completely cleaned up, even after their botnet masters are shut off from communicating with them. Their users either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. Or in many cases, the machines are already poorly maintained -- unpatched and improperly secured -- so they just get reinfected by another botnet. And the cycle continues.

Most cyberattacks today come via a botnet of some sort, with a command and control (C&C) mechanism that allows an attacker to get inside an organization or victim's machine from afar and as anonymously as possible. Paul Moriarty, CEO of anti-botnet startup Umbra Data, says somewhere around 90 percent of cybercrime uses a botnet as a vehicle for attack.

Microsoft cleaned up twice as many bot-infected Windows machines in the first half of this year than the corresponding period in 2009. It removed 6.5 million bots From Windows machines in the second quarter of this year alone, according to the newly released Microsoft Security Intelligence Report volume 9 (SIRv9).

"Botnet takedowns have some advantages. The attacker cannot send [instructions] to the machines anymore, or install new software, or have them send spam," says Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure. "But the [bot] machines can still stay infected, with bots still running on the machine."

And it's up to the ISP or enterprise to alert its users they are infected: In the case of ISPs, they can let the user know, but they force them to clean up. "Whenever one botnet is taken down, there are lots of others still out there," Holz says.

Holz and his team of researchers were also involved in the recent takedown of the Pushdo botnet, although that disruption was more of a by-product of some related botnet research the team was conducting. They to they needed C&C servers to evaluate an algorithm they were developing for their botnet project, which ultimately led them to decide to take down some Pushdo C&C servers to assist their research.

Jeff Jones, director of Trustworthy Computing at Microsoft, says botnet takedowns do help overall, but given the high number of bot infections still out there, there's more work to do to clean things up. Microsoft cleaned up nearly 30,000 Waledac bots in the second quarter of the year, a major drop from the 83,580 Waledac bots it cleaned in the first quarter.

Umbra Data's Moriarty says botnet takedowns are a losing battle. "I have a lot of respect for the folks out there who do this and track the cybercriminals. But I think they are casting sand against the tide," he says. "It's so easy to go out and buy Zeus and build your own botnet. Historically when there's a takedown, we've seen a corresponding big dip in malicious activity. But the levels go back up in a month or a month and a half."

But some ISPs are taking a more proactive role in bot cleanup, and efforts, such as Shadowserver's "sinkhole" server to help detect and get help for errant bots. Comcast, for example, has launched a botnet notification feature using Damballa's botnet detection technology that alerts users who are bot-infected and provides them with online remediation help. And most of the major ISPs in Germany have banded together to help alert their bot-infected users and help them clean up their machines.

Trouble is, ISPs can't force users to pay attention to the alerts, or to actually do the cleanup. But while they can't dictate what bots ultimately do, these efforts are a good start, experts say.

"ISPs can't manage the computer, or force users to learn [about threats] or update ... And who's going to maintain them once they are cleaned up?" says Steven Adair, a security expert with Shadowserver. "And people don't want their ISP to start blocking any content they think is malicious."

Shadowserver's sinkhole poses as defunct botnet domain servers to sniff out orphaned bots. It gets millions of hits for Conficker each day, Adair says. "We report back to the people who subscribe to our list about the infected machines that go into our sinkhole," he says. But not all ISPs are willing or able to respond to reports of infected bots in their space. "Unfortunately, not all ISPs are responsible. We also learned this from Conficker: The Conficker Working Group put a lot of effort in, getting feeds to different ISPs. But still many ISPs did not respond," and there are still many machines infected with the worm, according to Holz.

The overarching issue is bigger than botnets: It's about the security of end users' computers, experts say. Graham Titterington, principal analyst with Ovum, says dormant bots can also be tough to detect. "The can be sleepy for a long time and impossible to detect until they go active," he says. "You can do traffic analysis at the ISP level," however, he says.

And ISPs are faced with service issues if they dial back an infected machine's bandwidth, or place a bot in a so-called "walled garden" until it's cleaned up. "The idea of when you detect a bot on a machine that you cut that machine off is difficult to implement in practice. The consequences are denying someone access to the Net ... or [affecting] the speed" of its connection, Titterington says.

Meanwhile, a Microsoft executive last week proposed a sort of "health check" for machines to gain Internet access -- an approach some experts are calling "NAC for the Internet." Scott Charney, vice president for Microsoft's Trustworthy Computing, called for a model where "sick," or infected PCs, get quarantined from the Internet.

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," he blogged. "In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users, and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources."

This would have to be implemented at the local level, Microsoft's Jones says, in a socially acceptable way that protects privacy while protecting other users from getting infected by the bots.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights