Are researchers enabling botnets by shutting them down? That's what Internet pioneer and guru Paul Vixie argues in a recent blog -- that finding and immediately quashing botnets only retrains and helps botnet operators learn how to better cover their tracks.
Vixie likens some researchers' penchant for quick fixes for killing botnets to the over-prescription of antibiotics, which has resulted in super-bugs that have "learned" to survive: "quick-fix action for convenience and/or profit by a large number of self-interested people can end up retraining, re-educating, and ultimately benefiting the attacking population more than the defending population," Vixie writes.
Botnet operators merely reinvent themselves and build better rootkits to recruit bots, and avoid conspicuous IRC channels, he says. Instead, researchers should work with law enforcement to patiently track, observe, and eventually capture the bad guys, rather than just cutting them off.
"Annoying botnet handlers educates them," he writes. "Don't do that! Let them succeed at what they try, but watch their every move. Learn to predict what they will do next. Learn how they did whatever they've done. Learn who they are. Learn where they live, and where their money comes from. Let them have a wonderful, annoyance-free life, right up to the instant that the front door of their apartment is kicked in and the handcuffs go on. Don't create more antibiotic-resistant superbugs."
Kelly Jackson Higgins, Senior Editor, Dark Reading