Endpoint

10/15/2010
04:10 PM

Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast

When the Waledac botnet was dismantled by a security community-wide effort earlier this year, spam traffic immediately and discernibly dropped in a big way. But the researchers who worked in the trenches to shut down the botnet acknowledge that these takedowns are more of a temporary, short-term solution to a much bigger problem: the difficulty of completely eradicating these cybercrime networks when there is such a bounty of available bots and bot candidates.

Many bots never really get completely cleaned up, even after their botnet masters are shut off from communicating with them. Their users either don't wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. Or in many cases, the machines are already poorly maintained -- unpatched and improperly secured -- so they just get reinfected by another botnet. And the cycle continues.

Most cyberattacks today come via a botnet of some sort, with a command and control (C&C) mechanism that allows an attacker to get inside an organization or victim's machine from afar and as anonymously as possible. Paul Moriarty, CEO of anti-botnet startup Umbra Data, says somewhere around 90 percent of cybercrime uses a botnet as a vehicle for attack.

Microsoft cleaned up twice as many bot-infected Windows machines in the first half of this year as in the corresponding period in 2009. It removed 6.5 million bots from Windows machines in the second quarter of this year alone, according to the newly released Microsoft Security Intelligence Report volume 9 (SIRv9).

"Botnet takedowns have some advantages. The attacker cannot send [instructions] to the machines anymore, or install new software, or have them send spam," says Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, in Germany, who with a team of researchers helped shut down Waledac's C&C infrastructure. "But the [bot] machines can still stay infected, with bots still running on the machine."

And it's up to the ISP or enterprise to alert its users that they are infected. In the case of ISPs, they can let the user know, but they can't force them to clean up. "Whenever one botnet is taken down, there are lots of others still out there," Holz says.

Holz and his team of researchers were also involved in the recent takedown of the Pushdo botnet, although that disruption was more of a by-product of related botnet research the team was conducting. They found they needed C&C servers to evaluate an algorithm they were developing for their botnet project, which ultimately led them to take down some Pushdo C&C servers to assist their research.

Jeff Jones, director of Trustworthy Computing at Microsoft, says botnet takedowns do help overall, but given the high number of bot infections still out there, there's more work to do to clean things up. Microsoft cleaned up nearly 30,000 Waledac bots in the second quarter of the year, a major drop from the 83,580 Waledac bots it cleaned in the first quarter.

Umbra Data's Moriarty says botnet takedowns are a losing battle. "I have a lot of respect for the folks out there who do this and track the cybercriminals. But I think they are casting sand against the tide," he says. "It's so easy to go out and buy Zeus and build your own botnet. Historically when there's a takedown, we've seen a corresponding big dip in malicious activity. But the levels go back up in a month or a month and a half."

But some ISPs are taking a more proactive role in bot cleanup, and efforts such as Shadowserver's "sinkhole" server help detect errant bots and get help to their owners. Comcast, for example, has launched a botnet notification feature using Damballa's botnet detection technology that alerts users who are bot-infected and provides them with online remediation help. And most of the major ISPs in Germany have banded together to alert their bot-infected users and help them clean up their machines.

Trouble is, ISPs can't force users to pay attention to the alerts, or to actually do the cleanup. But while they can't dictate what infected users ultimately do, these efforts are a good start, experts say.

"ISPs can't manage the computer, or force users to learn [about threats] or update ... And who's going to maintain them once they are cleaned up?" says Steven Adair, a security expert with Shadowserver. "And people don't want their ISP to start blocking any content they think is malicious."

Shadowserver's sinkhole poses as defunct botnet domain servers to sniff out orphaned bots. It gets millions of hits for Conficker each day, Adair says. "We report back to the people who subscribe to our list about the infected machines that go into our sinkhole," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
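As an added illustration of the two mechanisms described above (this is example code written for this page, not Shadowserver's sinkhole, Damballa's detection engine, or anything from the article), the Python sketch below shows a sinkhole that answers in place of defunct C&C domains, classifies each orphaned bot by the domain it was trying to reach, and rolls the infected addresses up per netblock owner, which is the kind of subscriber report an ISP or enterprise would use to notify its users. The domain-to-family table, the subscriber netblocks, the sample requests and the `Sinkhole` and `parse_request` names are all constructed for this example.

```python
"""Toy sinkhole: classify orphaned-bot hits by the C&C domain they were looking
for, then roll them up per netblock owner for notification.

Added example; not Shadowserver's code. Everything below (domain table, netblocks,
sample requests) is constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical: defunct C&C domains re-pointed at this sinkhole, and the
# botnet family each one belonged to.
SINKHOLED_DOMAINS = {
    "update-srv.example": "waledac",
    "cnc-pool.example": "pushdo",
    "rand0m.example": "conficker",
}


def parse_request(raw):
    """Pull (host, path) out of a minimal HTTP/1.x request.

    Returns (None, None) when the bytes are not an HTTP request at all;
    the sinkhole still records such hits, it just cannot attribute them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None, None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop any :port
            break
    return host, parts[1]


class Sinkhole:
    def __init__(self, domains):
        self.domains = {d.lower(): fam for d, fam in domains.items()}
        self.hits = []  # (when, src_ip, family, host, path)

    def handle(self, src_ip, raw, when):
        """Record one inbound connection and return a harmless reply.

        A sinkhole only listens: it never sends the bot a command."""
        host, path = parse_request(raw)
        family = self.domains.get(host, "unknown") if host else "unknown"
        self.hits.append((when, ipaddress.ip_address(src_ip), family, host, path))
        return b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n"

    def report(self, subscribers):
        """Group infected source IPs by the subscriber whose netblock they fall in.

        subscribers: {name: [cidr, ...]} -> {name: {family: [ip, ...]}}
        Repeat beacons from one bot collapse to a single entry."""
        nets = [(name, ipaddress.ip_network(c))
                for name, cidrs in subscribers.items() for c in cidrs]
        grouped = defaultdict(lambda: defaultdict(set))
        for _when, ip, family, _host, _path in self.hits:
            for name, net in nets:
                if ip in net:
                    grouped[name][family].add(str(ip))
        return {name: {fam: sorted(ips) for fam, ips in fams.items()}
                for name, fams in grouped.items()}


def demo():
    """Run constructed traffic through the sinkhole and build the report."""
    sh = Sinkhole(SINKHOLED_DOMAINS)
    when = datetime(2010, 10, 15, 16, 10, tzinfo=timezone.utc)
    samples = [  # constructed, not captured traffic
        ("198.51.100.7", b"GET /cfg.bin HTTP/1.1\r\nHost: update-srv.example\r\n\r\n"),
        ("198.51.100.7", b"GET /cfg.bin HTTP/1.1\r\nHost: update-srv.example\r\n\r\n"),
        ("198.51.100.200", b"POST /search?q=x HTTP/1.0\r\nHost: rand0m.example:80\r\n\r\n"),
        ("203.0.113.9", b"GET / HTTP/1.1\r\nHost: cnc-pool.example\r\n\r\n"),
        ("203.0.113.10", b"\x16\x03\x01junk"),  # not HTTP: recorded as "unknown"
    ]
    for src, raw in samples:
        sh.handle(src, raw, when)
    # Hypothetical subscriber list: who owns which netblock.
    subscribers = {"isp-a": ["198.51.100.0/24"], "corp-b": ["203.0.113.0/28"]}
    return sh.report(subscribers)


if __name__ == "__main__":
    for owner, families in demo().items():
        for family, ips in families.items():
            print(f"{owner}: {family}: {', '.join(ips)}")
```

Two design points matter in practice. The sinkhole never answers a bot with anything it could interpret as a command, only an empty reply, so the operator observes without taking control of the machine. And attribution is by the domain the bot asked for, not by payload, which is why a connection that is not HTTP at all still lands in the report as "unknown": the address still belongs to someone who should be told.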
