Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast

When the Waledac botnet was dismantled by a security community-wide effort earlier this year, spam traffic immediately and discernibly dropped in a big way. But the researchers who worked in the trenches to shut down the botnet acknowledge that these takedowns are more of a temporary, short-term solution to a much bigger problem: the difficulty of completely eradicating these cybercrime networks when there is such a bounty of available bots and bot candidates.

Many bots never really get completely cleaned up, even after their botnet masters are shut off from communicating with them. Their users either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. Or in many cases, the machines are already poorly maintained -- unpatched and improperly secured -- so they just get reinfected by another botnet. And the cycle continues.

Most cyberattacks today come via a botnet of some sort, with a command and control (C&C) mechanism that allows an attacker to get inside an organization or victim's machine from afar and as anonymously as possible. Paul Moriarty, CEO of anti-botnet startup Umbra Data, says somewhere around 90 percent of cybercrime uses a botnet as a vehicle for attack.

Microsoft cleaned up twice as many bot-infected Windows machines in the first half of this year as in the corresponding period in 2009. It removed 6.5 million bots from Windows machines in the second quarter of this year alone, according to the newly released Microsoft Security Intelligence Report volume 9 (SIRv9).

"Botnet takedowns have some advantages. The attacker cannot send [instructions] to the machines anymore, or install new software, or have them send spam," says Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure. "But the [bot] machines can still stay infected, with bots still running on the machine."

And it's up to the ISP or enterprise to alert its users that they are infected: ISPs can let the user know, but they can't force them to clean up. "Whenever one botnet is taken down, there are lots of others still out there," Holz says.

Holz and his team of researchers were also involved in the recent takedown of the Pushdo botnet, although that disruption was more of a by-product of related botnet research the team was conducting. They needed C&C servers to evaluate an algorithm they were developing for their botnet project, which ultimately led them to take down some Pushdo C&C servers to assist their research.

Jeff Jones, director of Trustworthy Computing at Microsoft, says botnet takedowns do help overall, but given the high number of bot infections still out there, there's more work to do to clean things up. Microsoft cleaned up nearly 30,000 Waledac bots in the second quarter of the year, a major drop from the 83,580 Waledac bots it cleaned in the first quarter.

Umbra Data's Moriarty says botnet takedowns are a losing battle. "I have a lot of respect for the folks out there who do this and track the cybercriminals. But I think they are casting sand against the tide," he says. "It's so easy to go out and buy Zeus and build your own botnet. Historically when there's a takedown, we've seen a corresponding big dip in malicious activity. But the levels go back up in a month or a month and a half."

But some ISPs are taking a more proactive role in bot cleanup, alongside efforts such as Shadowserver's "sinkhole" server, which helps detect orphaned bots and get help to their owners. Comcast, for example, has launched a botnet notification feature using Damballa's botnet detection technology that alerts users who are bot-infected and provides them with online remediation help. And most of the major ISPs in Germany have banded together to alert their bot-infected users and help them clean up their machines.

Trouble is, ISPs can't force users to pay attention to the alerts, or to actually do the cleanup. But while they can't dictate what infected users ultimately do, these efforts are a good start, experts say.

"ISPs can't manage the computer, or force users to learn [about threats] or update ... And who's going to maintain them once they are cleaned up?" says Steven Adair, a security expert with Shadowserver. "And people don't want their ISP to start blocking any content they think is malicious."

Shadowserver's sinkhole poses as defunct botnet domain servers to sniff out orphaned bots. It gets millions of hits for Conficker each day, Adair says. "We report back to the people who subscribe to our list about the infected machines that go into our sinkhole," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise.
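The reporting step Adair describes above, a sinkhole that logs the orphaned bots beaconing to a defunct C&C domain and reports each infected host back to whoever owns its netblock, can be illustrated with a small aggregator. This is an added example, not Shadowserver's code; the log format, the subscriber netblocks, the `.invalid` domains and the family labels are all constructed for the demo. It shows the two things a practitioner actually has to get right: matching a source address to the most specific subscribed prefix (a host just outside a /25 must not be reported to that subscriber), and skipping malformed log lines rather than crashing the report run.

```python
"""Aggregate sinkhole hits into per-subscriber infection reports.

Added example, not Shadowserver's code. A sinkhole that answers for a
defunct botnet domain sees connection attempts from orphaned bots; this
groups those hits by the netblock of each report subscriber so every
network owner receives only its own infected hosts.
"""
import ipaddress
from collections import defaultdict

# Constructed subscriber list (assumption): netblock -> subscriber name.
SUBSCRIBERS = {
    "192.0.2.0/24": "example-isp",
    "198.51.100.0/25": "example-enterprise",
}

# Constructed sinkhole log lines: "<timestamp> <src_ip> <domain> <family>".
SAMPLE_HITS = """\
2010-11-01T10:00:01Z 192.0.2.17 c2-a.invalid waledac
2010-11-01T10:00:02Z 192.0.2.17 c2-a.invalid waledac
2010-11-01T10:00:05Z 192.0.2.99 c2-b.invalid conficker
2010-11-01T10:00:09Z 198.51.100.8 c2-a.invalid waledac
2010-11-01T10:00:11Z 198.51.100.200 c2-a.invalid waledac
2010-11-01T10:00:12Z not-an-ip c2-a.invalid waledac
2010-11-01T10:00:13Z 203.0.113.5 c2-b.invalid conficker
"""

UNASSIGNED = "unassigned"  # bucket for hits from networks nobody subscribed


def load_subscribers(mapping):
    """Return (network, name) pairs, most specific prefix first."""
    nets = [(ipaddress.ip_network(cidr, strict=True), name)
            for cidr, name in mapping.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def parse_hit(line):
    """Parse one log line into (ts, ip, domain, family); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, domain, family = parts
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None  # garbage source field: skip rather than abort the run
    return ts, ip, domain, family


def owner_of(ip, subscribers):
    """Name of the subscriber whose netblock contains ip, else UNASSIGNED."""
    for net, name in subscribers:
        if ip.version == net.version and ip in net:
            return name
    return UNASSIGNED


def build_report(log_text, mapping):
    """Map subscriber -> {ip -> {hits, families, domains, last_seen}}."""
    subscribers = load_subscribers(mapping)
    report = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_hit(line)
        if parsed is None:
            continue
        ts, ip, domain, family = parsed
        entry = report[owner_of(ip, subscribers)].setdefault(
            str(ip), {"hits": 0, "families": set(), "domains": set(),
                      "last_seen": ts})
        entry["hits"] += 1
        entry["families"].add(family)
        entry["domains"].add(domain)
        # ISO-8601 UTC timestamps sort chronologically as strings.
        entry["last_seen"] = max(entry["last_seen"], ts)
    return dict(report)


def format_report(report):
    """Render one text block per subscriber, hosts in address order."""
    lines = []
    for owner in sorted(report):
        lines.append(f"== {owner}: {len(report[owner])} infected host(s)")
        hosts = sorted(report[owner].items(),
                       key=lambda kv: ipaddress.ip_address(kv[0]))
        for ip, e in hosts:
            lines.append(f"  {ip}  hits={e['hits']}  "
                         f"families={','.join(sorted(e['families']))}  "
                         f"last_seen={e['last_seen']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_HITS, SUBSCRIBERS)))
```

Running it prints three sections: the two subscribers and an `unassigned` bucket holding 198.51.100.200 (outside the subscribed /25) and 203.0.113.5, which is exactly the set of hosts a sinkhole operator has nobody to notify about. The malformed line is dropped, and repeated beacons from the same host are counted rather than listed twice.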
