Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast

When the Waledac botnet was dismantled by a security community-wide effort earlier this year, spam traffic immediately and discernibly dropped in a big way. But the researchers who worked in the trenches to shut down the botnet acknowledge that these takedowns are more of a temporary, short-term solution to a much bigger problem: the difficulty of completely eradicating these networks for cybercrime with such a bounty of available bots and bot candidates.

Many bots never really get completely cleaned up, even after their botnet masters are shut off from communicating with them. Their users either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. Or in many cases, the machines are already poorly maintained -- unpatched and improperly secured -- so they just get reinfected by another botnet. And the cycle continues.

Most cyberattacks today come via a botnet of some sort, with a command and control (C&C) mechanism that allows an attacker to get inside an organization or victim's machine from afar and as anonymously as possible. Paul Moriarty, CEO of anti-botnet startup Umbra Data, says somewhere around 90 percent of cybercrime uses a botnet as a vehicle for attack.

Microsoft cleaned up twice as many bot-infected Windows machines in the first half of this year as in the corresponding period in 2009. It removed 6.5 million bots from Windows machines in the second quarter of this year alone, according to the newly released Microsoft Security Intelligence Report volume 9 (SIRv9).

"Botnet takedowns have some advantages. The attacker cannot send [instructions] to the machines anymore, or install new software, or have them send spam," says Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure. "But the [bot] machines can still stay infected, with bots still running on the machine."

And it's up to the ISP or enterprise to alert its users that they are infected: ISPs can let the user know, but they can't force them to clean up. "Whenever one botnet is taken down, there are lots of others still out there," Holz says.

Holz and his team of researchers were also involved in the recent takedown of the Pushdo botnet, although that disruption was more of a by-product of related botnet research the team was conducting. They needed C&C servers to evaluate an algorithm they were developing for their botnet project, which ultimately led them to take down some Pushdo C&C servers to assist their research.

Jeff Jones, director of Trustworthy Computing at Microsoft, says botnet takedowns do help overall, but given the high number of bot infections still out there, there's more work to do to clean things up. Microsoft cleaned up nearly 30,000 Waledac bots in the second quarter of the year, a major drop from the 83,580 Waledac bots it cleaned in the first quarter.

Umbra Data's Moriarty says botnet takedowns are a losing battle. "I have a lot of respect for the folks out there who do this and track the cybercriminals. But I think they are casting sand against the tide," he says. "It's so easy to go out and buy Zeus and build your own botnet. Historically when there's a takedown, we've seen a corresponding big dip in malicious activity. But the levels go back up in a month or a month and a half."

But some ISPs are taking a more proactive role in bot cleanup, alongside efforts such as Shadowserver's "sinkhole" server, which helps detect errant bots and get help to their owners. Comcast, for example, has launched a botnet notification feature using Damballa's botnet detection technology that alerts users who are bot-infected and provides them with online remediation help. And most of the major ISPs in Germany have banded together to help alert their bot-infected users and help them clean up their machines.

Trouble is, ISPs can't force users to pay attention to the alerts, or to actually do the cleanup. But while they can't dictate what bots ultimately do, these efforts are a good start, experts say.

"ISPs can't manage the computer, or force users to learn [about threats] or update ... And who's going to maintain them once they are cleaned up?" says Steven Adair, a security expert with Shadowserver. "And people don't want their ISP to start blocking any content they think is malicious."

Shadowserver's sinkhole poses as defunct botnet domain servers to sniff out orphaned bots. It gets millions of hits for Conficker each day, Adair says. "We report back to the people who subscribe to our list about the infected machines that go into our sinkhole," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
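The sinkhole reporting Adair describes and the ISP notification feature mentioned earlier come down to the same defender-side job: take the hits that land on a sinkhole, attribute each source address to whoever owns that address space, and hand each owner a deduplicated list of their infected hosts. The Python script below is an added example written for this article, not Shadowserver's, Comcast's or Damballa's code; the log line format, the sinkholed domain names and the subscriber netblocks are constructed placeholders.

```python
"""Aggregate sinkhole hits into per-subscriber infection reports (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample sinkhole log, one hit per line:
# "<timestamp> <source IP> <domain the bot tried to reach>".
# The domains are placeholders for sinkholed C&C names, not real ones.
SAMPLE_HITS = """\
2010-10-27T14:02:11Z 203.0.113.7 cnc-one.sinkholed.example
2010-10-27T14:02:14Z 203.0.113.7 cnc-one.sinkholed.example
2010-10-27T14:03:40Z 203.0.113.25 cnc-two.sinkholed.example
2010-10-27T14:05:02Z 198.51.100.9 cnc-one.sinkholed.example
2010-10-27T14:05:59Z 192.0.2.200 cnc-two.sinkholed.example
2010-10-27T14:06:30Z not-an-ip cnc-one.sinkholed.example
2010-10-27T14:07:15Z 203.0.113.25 cnc-two.sinkholed.example
"""

# Constructed subscriber list: each ISP or enterprise registers the address
# space it is responsible for and receives reports only for that space.
SUBSCRIBERS = {
    "isp-a": ["203.0.113.0/24"],
    "enterprise-b": ["198.51.100.0/25"],
}


def parse_hit(line):
    """Parse one log line into (timestamp, ip, domain); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    timestamp, src, domain = parts
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return timestamp, ip, domain


def compile_subscribers(subscribers):
    """Flatten the subscriber map into (name, network) pairs for lookup."""
    return [(name, ipaddress.ip_network(cidr))
            for name, cidrs in subscribers.items() for cidr in cidrs]


def build_report(log_text, subscribers=SUBSCRIBERS):
    """Attribute every hit to a subscriber and deduplicate hosts per subscriber.

    Repeated beacons from the same bot collapse to one host entry that keeps
    the first time it was seen; hits from address space nobody subscribed to
    and unparsable lines are counted separately rather than silently dropped.
    """
    nets = compile_subscribers(subscribers)
    seen = {name: {"hosts": {}, "domains": defaultdict(int)} for name in subscribers}
    unattributed = 0
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_hit(line)
        if parsed is None:
            malformed += 1
            continue
        timestamp, ip, domain = parsed
        owner = next((name for name, net in nets if ip in net), None)
        if owner is None:
            unattributed += 1
            continue
        seen[owner]["hosts"].setdefault(ip, timestamp)
        seen[owner]["domains"][domain] += 1

    report = {}
    for name, entry in seen.items():
        # Sort numerically so 203.0.113.7 precedes 203.0.113.25.
        ordered = sorted(entry["hosts"], key=lambda a: (a.version, int(a)))
        report[name] = {
            "hosts": [(str(ip), entry["hosts"][ip]) for ip in ordered],
            "hits_by_domain": dict(entry["domains"]),
        }
    return {"subscribers": report,
            "unattributed_hits": unattributed,
            "malformed_lines": malformed}


def notification_lines(report, subscriber):
    """Render the text a subscriber would receive for its infected hosts."""
    entry = report["subscribers"][subscriber]
    lines = [f"{subscriber}: {len(entry['hosts'])} infected host(s) observed at sinkhole"]
    for ip, first_seen in entry["hosts"]:
        lines.append(f"  {ip} first seen {first_seen}")
    return lines


if __name__ == "__main__":
    result = build_report(SAMPLE_HITS)
    for name in SUBSCRIBERS:
        print("\n".join(notification_lines(result, name)))
    print(f"unattributed: {result['unattributed_hits']}, malformed: {result['malformed_lines']}")
```

Deduplicating by host matters because a single bot can beacon to a sinkhole many times a day, so raw hit counts overstate the number of infected machines; the per-domain tally is kept alongside so a subscriber can still tell which botnet family each host belongs to.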
