Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast

When the Waledac botnet was dismantled by a security community-wide effort earlier this year, spam traffic immediately and discernibly dropped in a big way. But the researchers who worked in the trenches to shut down the botnet acknowledge that these takedowns are more of a temporary, short-term solution to a much bigger problem: the difficulty of completely eradicating these cybercrime networks when there is such a bounty of available bots and bot candidates.

Many bots never really get completely cleaned up, even after their botnet masters are shut off from communicating with them. Their users either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. Or in many cases, the machines are already poorly maintained -- unpatched and improperly secured -- so they just get reinfected by another botnet. And the cycle continues.

Most cyberattacks today come via a botnet of some sort, with a command and control (C&C) mechanism that allows an attacker to get inside an organization or victim's machine from afar and as anonymously as possible. Paul Moriarty, CEO of anti-botnet startup Umbra Data, says somewhere around 90 percent of cybercrime uses a botnet as a vehicle for attack.

Microsoft cleaned up twice as many bot-infected Windows machines in the first half of this year as in the corresponding period in 2009. It removed 6.5 million bots from Windows machines in the second quarter of this year alone, according to the newly released Microsoft Security Intelligence Report volume 9 (SIRv9).

"Botnet takedowns have some advantages. The attacker cannot send [instructions] to the machines anymore, or install new software, or have them send spam," says Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure. "But the [bot] machines can still stay infected, with bots still running on the machine."

And it's up to the ISP or enterprise to alert its users that they are infected. An ISP can let the user know, but it can't force them to clean up. "Whenever one botnet is taken down, there are lots of others still out there," Holz says.

Holz and his team of researchers were also involved in the recent takedown of the Pushdo botnet, although that disruption was more of a by-product of related botnet research the team was conducting. They needed C&C servers to evaluate an algorithm they were developing for their botnet project, which ultimately led them to decide to take down some Pushdo C&C servers to assist their research.

Jeff Jones, director of Trustworthy Computing at Microsoft, says botnet takedowns do help overall, but given the high number of bot infections still out there, there's more work to do to clean things up. Microsoft cleaned up nearly 30,000 Waledac bots in the second quarter of the year, a major drop from the 83,580 Waledac bots it cleaned in the first quarter.

Umbra Data's Moriarty says botnet takedowns are a losing battle. "I have a lot of respect for the folks out there who do this and track the cybercriminals. But I think they are casting sand against the tide," he says. "It's so easy to go out and buy Zeus and build your own botnet. Historically when there's a takedown, we've seen a corresponding big dip in malicious activity. But the levels go back up in a month or a month and a half."

But some ISPs are taking a more proactive role in bot cleanup, and there are efforts such as Shadowserver's "sinkhole" server to detect orphaned bots and get help to their owners. Comcast, for example, has launched a botnet notification feature using Damballa's botnet detection technology that alerts users who are bot-infected and provides them with online remediation help. And most of the major ISPs in Germany have banded together to alert their bot-infected users and help them clean up their machines.

Trouble is, ISPs can't force users to pay attention to the alerts, or to actually do the cleanup. But while they can't dictate what bots ultimately do, these efforts are a good start, experts say.

"ISPs can't manage the computer, or force users to learn [about threats] or update ... And who's going to maintain them once they are cleaned up?" says Steven Adair, a security expert with Shadowserver. "And people don't want their ISP to start blocking any content they think is malicious."

Shadowserver's sinkhole poses as the defunct botnet's domain servers to sniff out orphaned bots. It gets millions of hits for Conficker each day, Adair says. "We report back to the people who subscribe to our list about the infected machines that go into our sinkhole," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading.
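The reporting step Adair describes, turning raw sinkhole hits into a per-subscriber list of infected hosts, as an added example. This is not Shadowserver's code: the log line format, the sinkholed domain names, the bot families, the subscriber netblocks and every hit record are constructed for the illustration. The example also keeps one entry per (address, family) pair, so a machine that harbors more than one bot infection, as the article notes many do, shows up once per infection rather than being collapsed into a single line.

```python
"""Aggregate sinkhole check-ins by the network that owns each source address.

Added example, not Shadowserver's code. Domains, families, netblocks and the
log lines below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed: domains the sinkhole now answers for, and the family each one
# served before the takedown. A real sinkhole learns this from the takedown.
SINKHOLED_DOMAINS = {
    "cc-update.example.net": "waledac",
    "qjxkd.example.org": "conficker",
}

# Constructed: netblocks registered to subscribers of the notification feed.
SUBSCRIBERS = {
    "isp-a": [ipaddress.ip_network("198.51.100.0/24")],
    "enterprise-b": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed sinkhole log: "<ISO timestamp> <source ip> <queried domain>".
# The last line is deliberately malformed to show it being skipped.
SAMPLE_LOG = """\
2010-10-14T03:12:07Z 198.51.100.17 cc-update.example.net
2010-10-14T03:12:09Z 198.51.100.17 cc-update.example.net
2010-10-14T03:15:41Z 203.0.113.9 qjxkd.example.org
2010-10-14T03:16:02Z 192.0.2.77 qjxkd.example.org
2010-10-14T04:01:55Z 198.51.100.203 qjxkd.example.org
2010-10-14T04:02:13Z 198.51.100.17 cc-update.example.net
2010-10-14T04:10:00Z 198.51.100.17 qjxkd.example.org
this line is not a valid record
"""


def parse_hits(text):
    """Yield (timestamp, ip_address, family) for each well-formed line that
    names a sinkholed domain. Malformed lines and unknown domains are skipped
    rather than aborting the whole batch."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts_raw, ip_raw, domain = parts
        family = SINKHOLED_DOMAINS.get(domain)
        if family is None:
            continue
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(ip_raw)
        except ValueError:
            continue
        yield ts, ip, family


def owner_of(ip):
    """Return the subscriber whose netblock contains ip (str or address),
    or None when no subscriber owns it."""
    ip = ipaddress.ip_address(ip)
    for name, nets in SUBSCRIBERS.items():
        if any(ip in net for net in nets):
            return name
    return None


def build_report(text):
    """Return {subscriber: {(ip, family): {hits, first_seen, last_seen}}}.

    Hits from addresses outside every subscriber netblock are collected under
    "unattributed" so they are counted, not silently dropped."""
    report = defaultdict(dict)
    for ts, ip, family in parse_hits(text):
        owner = owner_of(ip) or "unattributed"
        entry = report[owner].setdefault(
            (str(ip), family), {"hits": 0, "first_seen": ts, "last_seen": ts})
        entry["hits"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return dict(report)


if __name__ == "__main__":
    for subscriber, hosts in sorted(build_report(SAMPLE_LOG).items()):
        print(f"== {subscriber}: {len(hosts)} infection(s)")
        for (ip, family), e in sorted(hosts.items()):
            print(f"  {ip:16} {family:10} hits={e['hits']} "
                  f"first={e['first_seen']:%H:%M} last={e['last_seen']:%H:%M}")
```

In practice the netblock lookup would be driven by routing or registry data rather than a hand-built dictionary, and the per-subscriber section is what gets mailed to the address on file for that network; the unattributed bucket is worth keeping because it is exactly the population nobody is going to notify.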
