Botnet Takedowns: Effective or Deceptive?

One security researcher is warning against rejoicing too heartily about botnet takedowns

The failure to take down a whole botnet at once, the inability to plug alternate communication paths and the lack of arrests of the perpetrators all undermine the good work that a takedown begins, according to Brian Foster, CTO at Damballa. As a result, recent botnet takedowns have been largely ineffective, he argues.

“While we at Damballa are all for reducing the risk of infection on the web, the fact of the matter is, these takedowns don’t often achieve that goal,” he said in a blog, adding, "they certainly don’t have any lasting impact on end-user safety.”

Microsoft over the summer announced that it had worked with financial service organizations, other technology firms and the FBI to disrupt 1,400 Citadel botnets, responsible for carrying out fraud globally worth more than $500 million. The takedown – codenamed Operation b54 – involved seizing 4,000 domain names and pointing them to a server operated by Microsoft, in a technique known as sinkholing. At the time other researchers complained that the operation had collateral damage, with Microsoft taking over servers that had been sinkholed by other companies and were being used for research purposes.

It was the Redmond giant’s seventh takedown, and Microsoft estimated that it was able to cut off 88% of the infection. But that left 12% active, and a botnet, like a liver, can regenerate from what remains.

Symantec in September said that it had executed a sinkholing operation on ZeroAccess, a bot that often delivers a click fraud trojan to victims; the trojan downloads online advertisements onto the computer and then generates artificial clicks on the ads as if they were generated by legitimate users. These false clicks count for pay-outs in pay-per-click (PPC) affiliate schemes.

The operation took down more than half a million ZeroAccess bots – only a fraction of the total number of bots controlled by the botmaster. ZeroAccess is estimated to be present on 1.9 to 2.2 million computers on any given day. The Kindsight Security Labs Malware Report for the end of last year estimated that 1 in every 125 US home networks was infected – and the malware continues to evolve to better hinder detection and removal.

Absent a total takeover in any botnet takedown, “the attacker still has a strong foothold and can easily recover,” Foster said. “Furthermore, the organizations stomp on sinkholes that have already been established by other security researchers.”

Another issue is that takedowns often do not account for secondary (fallback) command-and-control channels, such as peer-to-peer communication or a domain generation algorithm (DGA), that the malware can switch to once its primary domains are seized.

“We looked at 43 pieces of malware and discovered that three of them had secondary callback methods,” Foster noted. “This means that for at least three of the botnets, security researchers need to take additional steps to make sure the botnet is disabled. This is very important, because as more and more botnets are taken down (albeit haphazardly), attackers will increasingly use a secondary communication method.”

This is a notably thorny issue for ZeroAccess, which uses a unique peer-to-peer (P2P) command-and-control (C&C) communications architecture that gives the botnet an especially high degree of availability and redundancy.

“Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network,” Symantec explained. “This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently. In the ZeroAccess botnet, there is constant communication between peers. Each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts.”

And indeed, when Symantec decided in March to initiate a sinkholing project, it identified a weakness in that P2P design that offered a “difficult, but not impossible,” way to liberate peers from the botmaster. But that weakness has since been closed by the botnet's operators: an updated version of ZeroAccess contains modifications that address the design flaws – and the botnet is no longer vulnerable to being sinkholed by that method.

Foster said that the third issue with takedowns is the lack of arrests of the malware actors.

“At the end of the day, it doesn’t matter how many domains are taken down or how many sinkholes researchers create," he explained. "Unless the attacker is arrested, it doesn’t stop him/her from building a new botnet from scratch.”

Overall, he added, “there needs to be a more thoughtful approach than what has typically been used by the industry. Otherwise, the bots will once again veer their ugly heads.”
