In-depth

The war on botnets

After the major DNS Changer takedown, Tom Brewster looks at how the pendulum has swung in favour of the anti-botnet warriors.

This week saw one of the most significant successes ever in the fight against cyber crime when the DNS Changer botnet was dismantled and seven people were charged.

It followed a slew of botnet takedowns achieved in the past two years alone. It's a good time to be a crime fighter on the internet.

Advertisement - Article continues below

Yet during the eight years between the birth of malicious networks at the turn of the millennium and the decapitation of major botnet-hoster McColo in 2008, the security industry and law enforcement were in the doldrums.

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

It took far longer for the industry and police forces to find some answers than it did for hackers to up their skills and exponentially increase the sophistication and size of their networks. But answers did nevertheless arrive and since 2008 we've seen just how dramatically the pendulum has swung in the favour of the 'good guys.'

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

When McColo was shut down, taking with it a tonne of malware and botnet activity, the impact was immediately felt. Spam levels fell by as much as 80 per cent.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Mariposa, which had infected 13 million PCs, and Mega-D were the first major botnets to fall after the McColo operation. Then came Waledac and Bredolab in 2010 bringing down two massively powerful botnets surreptitiously controlling tens of millions of machines.

What seemed like a freak spate of successes for the anti-botnet warriors soon became a roll. This year saw Coreflood, which had compromised millions of Windows machines, taken out by the FBI. The crowning moment came in March, with the head of Rustock. Again, a massive drop in spam was recorded following the takedown.

The winning streak didn't stop there either. Just last month, it emerged the Kelihos botnet was terminated, with legal action taken against 24 individuals in connection with the case. And now DNS Changer.

The tide has evidently turned. We are learning how to fight the war on botnets. More importantly, we are learning how to win key battles.

Advertisement - Article continues below

The McColo failure

Data sharing and collaboration has been at the heart of this shift. Yet prior to 2008, there was little cooperation whatsoever.

It was when McColo was shut down that the broken system really became apparent. Despite McColo's success, it showed how poorly data was being used. Ultimately, the operation was a failure.

"When the McColo takedown happened people really understood just how much intelligence was lost in the lack of coordination," Alex Lanstein, FireEye's senior security researcher, told IT Pro. "Here you have the biggest malicious data centre in the history of the internet. It gets wiped out and there wasn't a single arrest. A lot of people watching were asking how could they have blown it so badly."

In the days before and during McColo's demise, efforts to kill botnets were hampered by a "willy-nilly approach" where members of different bodies could be investigating the same threat without any joined up coordination, Lanstein said.

Advertisement - Article continues below

In some cases, companies were fighting the botnet war for more unscrupulous, self-serving means, only exacerbating the situation. "If you were just trying to get a little PR, you might not necessarily have spent the amount of time digging into the malware as you should have," Lanstein continued.

"If you take down the first level of infrastructure, all the bots are going to automatically failover to another [infrastructure]. Not only are you not going to have any operational impact, you're going to have a tonne of negative impact in that the bad guys will know someone is targeting them."

Cyber criminals are nimble. Once they become alerted to a concerted effort to crack their operations, they will move fast to up their resiliency. Hence why in the old days, when bodies didn't work with one another on tackling botnets, they did just half the work and unwittingly supported their common enemies.

To kill botnets, you need to go the whole way and dismantle the entire infrastructure. And to do that, you need as much information and cooperation as you can get.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020