Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/11/2010
03:33 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

More Researchers Going On The Offensive To Kill Botnets

Another botnet bites the dust, as more researchers looking at more aggressive ways to beat cybercriminals

Yet another botnet has been shut down as of today as researchers joined forces with ISPs to cut communications to the prolific Lethic spamming botnet -- a development that illustrates how botnet hunters increasingly are going on the offensive to stop cybercriminals, mainly by disrupting their valuable bot infrastructures.

For the most part researchers monitor and study botnets with honeypots and other more passive methods. Then security vendors come up with malware signatures to help their customers scan for these threats. But some researchers are turning up the heat on the bad guys' botnet infrastructures by taking the lead in killing some botnets: Aside from last weekend's takedown by Neustar of Lethic, which is responsible for about 10 percent of all spam, FireEye last November helped shut down the MegaD botnet. And researchers at the University of California at Santa Barbara in May revealed they had taken the offensive strategy one step further by infiltrating the Torpig botnet, a bold and controversial move that stirred debate about just how far researchers should go to disrupt a botnet.

Back in 2008 after two major ISPs halted traffic to malicious hosting provider McColo, spam worldwide dropped around 70 percent because McColo had been the main home to most botnet command and control (C&C) servers.

But deploying more offensive tactics to stop botnets and bad guys is not so straightforward: Researchers walk a fine line as to how far they can go legally and ethically, and sometimes taking down a botnet actually backfires, either with the bad guys returning the favor with a denial-of-service (DoS) attack, or learning how to better evade investigators next time. There's the danger that getting inside a botnet will just give its operators more tools and insight into how to strengthen their operations; botnet operators are notorious for reinventing themselves with stealthier botnets and new forms of malware.

Still, some researchers say playing so much defense and relying on user education today just isn't working in the fight against cybercrime.

"Preaching to people to improve their security only goes so far. It is time to take the fight to cybercriminals themselves," says Marc Maiffret, chief security architect for FireEye. Maiffret says this means getting out ahead of the botnet, like FireEye did with MegaD, or exploring ways to disrupt these operations.

But that doesn't mean manipulating or interacting with infected bot machines, he says. "You have to proceed with caution. You never want to do anything against infected computers. But if you have a way of getting those computers by way of normal propagation come back to your sinkhole, you can fairly easily disrupt" a botnet like FireEye did with MegaD, he says. FireEye was able to "blackhole" the communications to the botnet.

"FireEye chopped the head off the thing," Maiffret says. "That's one way of going after these guys."

But while taking down a botnet has obvious short-term benefits and chalks one up for the good guys, experts say it can also backfire. Gadi Evron, an independent security strategist based in Israel, says there needs to be a more offensive approach to taking down cybercriminals and botnets. "But that approach still needs to be defined [and collaborative]," Evron says. That will take a careful and cohesive strategy that likely entails legal changes and ensures any efforts don't backfire and instigate the bad guys, according to Evron.

"We need to careful that we're not starting a war on the Net that we can't win," Evron says."We have a lot to lose in this war -- [the cybercriminals] can just take down the Net. Many of these criminals are heavily invested, but have shown they are willing to play [with] a scorched-earth policy."

Steven Adair, a researcher with the Shadowserver Foundation, says other botnets are quietly being taken down around the world. "But not all get written about," Adair says. Adair says more researchers are hunting botnets today than ever before, which may account, in part, for the increase in botnet busts and debate about how to kill these malicious infrastructures.

And in some cases, he says, taking down or shutting down parts of a botnet just results in the bad guys retrenching elsewhere. "There have been a few cases where ... it has been a wasted effort," he says.

But Adair says the security community should be more proactive. "At some point you need to get involved and do a takedown with the registrars," he says.

Meanwhile, it's unclear whether the recent silencing of the Lethic botnet is a short-term victory or will have long-lasting effects on the spam operation. Neustar worked with ISPs that hosted the botnet's F servers to knock the botnet out of commission. But while the spam was nearly gone as of yesterday, some Lethic bots were still trying to communicate with a new C&C server, according to researchers at M86 Labs who study the botnet. So it was unclear whether some residual pieces of Lethic are still alive out there.

Lethic mostly focused on pharmaceutical, replica, and diploma spam campaigns. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20001
PUBLISHED: 2020-08-04
An issue was discovered in RICOH Streamline NX Client Tool and RICOH Streamline NX PC Client that allows attackers to escalate local privileges.
CVE-2020-15467
PUBLISHED: 2020-08-04
The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.
CVE-2020-5615
PUBLISHED: 2020-08-04
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2020-5616
PUBLISHED: 2020-08-04
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] fre...
CVE-2020-5617
PUBLISHED: 2020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.