More Researchers Going On The Offensive To Kill Botnets

Another botnet bites the dust, as more researchers look at more aggressive ways to beat cybercriminals
When UC-Santa Barbara revealed how it wrested control of the infamous Torpig/Sinowal/Anserin botnet for 10 days last year, the research set off a firestorm within the security community over whether the researchers had gone too far by taking control of the botnet's C&C channel. The researchers turned Torpig's own domain-flux architecture against it: rather than contacting a hard-coded C&C address, each bot runs a time-based algorithm that produces a changing list of domain names to try, so the operators need register only one upcoming name at a time to stay reachable and evade blocklisting. Having reverse-engineered that algorithm, the researchers registered the upcoming domains before the botmasters did, so the bots reported to a server under their control, and they were able to see firsthand what kind of financial data Torpig was gathering and which machines were infected.
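To make the preemptive-registration mechanics concrete, here is an added example that is not code from the UCSB researchers or from Torpig. The domain-generation algorithm, its seed, the IP addresses and the DNS table are constructed stand-ins (in particular, this is not Torpig's real algorithm). It shows the two halves of the trick: a bot computes the day's candidate domains and contacts the first one that resolves, while a defender who has reverse-engineered the same algorithm computes the same list ahead of time and registers whichever names are still free, so the bots check in with the defender's sinkhole instead of the operator.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed stand-in for a domain-generation algorithm (DGA). This is NOT
# Torpig's real algorithm; it only has the property that matters here: every
# bot that knows the seed computes the same domain list for a given day.
SEED = b"constructed-example-seed"
TLDS = ("com", "net", "biz")


def generate_domains(day: date, count: int = 3, seed: bytes = SEED) -> List[str]:
    """Candidate C&C domains a bot would try on `day`, in the order it tries them."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def bot_pick_cnc(day: date, dns: Dict[str, str]) -> Optional[str]:
    """Bot side: resolve the day's candidates in order and use the first that
    exists. `dns` is a constructed stand-in for public DNS (domain -> IP)."""
    for domain in generate_domains(day):
        if domain in dns:
            return dns[domain]
    return None  # nobody has registered a rendezvous domain for this day


def preregistration_schedule(start: date, days: int, registered: Set[str]) -> Dict[date, List[str]]:
    """Defender side: having reverse-engineered the DGA, compute the domains the
    bots will try over the next `days` days and return the ones nobody has
    registered yet, i.e. the names a sinkhole operator should register first."""
    schedule: Dict[date, List[str]] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        free = [d for d in generate_domains(day) if d not in registered]
        if free:
            schedule[day] = free
    return schedule


def simulate_takeover(start: date, days: int) -> Dict[str, int]:
    """Constructed scenario: the botmaster has registered only the first domain
    of day 0; the defender registers every free upcoming domain and points it
    at a sinkhole. Count where the bots end up on each day."""
    botmaster_ip, sinkhole_ip = "198.51.100.10", "203.0.113.5"  # documentation ranges
    dns: Dict[str, str] = {generate_domains(start)[0]: botmaster_ip}
    for free in preregistration_schedule(start, days, set(dns)).values():
        for domain in free:
            dns[domain] = sinkhole_ip
    tally = {"botmaster": 0, "sinkhole": 0, "unreachable": 0}
    for offset in range(days):
        ip = bot_pick_cnc(start + timedelta(days=offset), dns)
        key = "botmaster" if ip == botmaster_ip else "sinkhole" if ip == sinkhole_ip else "unreachable"
        tally[key] += 1
    return tally


if __name__ == "__main__":
    start = date(2009, 1, 25)
    for day, free in preregistration_schedule(start, 3, set()).items():
        print(day, free)
    print(simulate_takeover(start, 10))
```

The scenario shows why the order in which bots try their candidates matters: whoever holds the earliest-tried registered name for a given day gets that day's bots, so the defender's edge lasts exactly as long as it stays ahead of the operator in registering names. It also shows why simply observing the traffic that arrives at such a sinkhole, without sending commands, already reveals which machines are infected and what they report.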

"A lot of this malware is passively sitting there and waiting for you to do certain actions, so researchers [typically] have to trigger those actions or reverse-engineer the malware," says Brett Stone-Gross, one of the UCSB researchers. "But if you're sitting in it ... you can see exactly" what's going on, like UCSB did, he says.

Stone-Gross says the researchers were concerned about the legal ramifications of getting so deeply entrenched in the Torpig botnet. They contacted the DoD and FBI beforehand to make sure those agencies didn't mistake the takeover for malicious activity, he says. "They were actually excited about what we were doing," Stone-Gross adds.

UCSB did not send botnet commands to the infected bots, he says. "But we could see what information was coming [into the botnet]" -- mostly banking information, FTP credentials, and email addresses were stolen by Torpig, he says.

Stone-Gross maintains that shutting down a botnet is effective because it costs the botnet operators so much: "It makes it more expensive for them to move around and they lose data," he says.

Still, researchers agree it's getting harder and harder to get to the core of the botnet problem: the perpetrators themselves. Many of them run like a typical enterprise, with suppliers and partners. Gunter Ollmann, vice president of research for Damballa, says not only are these bad guys well-insulated from the botnet infrastructure by multiple layers, but their operations are especially complex and sophisticated. "It's getting a lot harder to get to the guys behind this," Ollmann says. "Some botnet operators sell botnet agents to other operators. It then becomes more difficult to get to who's in control."

But researchers say they'll keep trying to go after botnets and shutting them down. "We are not actively going after any others right now, but I am sure when the timing and botnet is right, we will again," FireEye's Maiffret says.
