This week saw one of the most significant successes ever in the fight against cyber crime when the DNS Changer botnet was dismantled and seven people were charged.
It followed a slew of botnet takedowns achieved in the past two years alone. It’s a good time to be a crime fighter on the internet.
Yet during the eight years between the birth of malicious networks at the turn of the millennium and the decapitation of major botnet-hoster McColo in 2008, the security industry and law enforcement were in the doldrums.
Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.
It took far longer for the industry and police forces to find some answers than it did for hackers to up their skills and exponentially increase the sophistication and size of their networks. But answers did nevertheless arrive and since 2008 we’ve seen just how dramatically the pendulum has swung in the favour of the ‘good guys.’
When McColo was shut down, taking with it a tonne of malware and botnet activity, the impact was immediately felt. Spam levels fell by as much as 80 per cent.
Mariposa, which had infected 13 million PCs, and Mega-D were the first major botnets to fall after the McColo operation. Then came Waledac and Bredolab in 2010 bringing down two massively powerful botnets surreptitiously controlling tens of millions of machines.
What seemed like a freak spate of successes for the anti-botnet warriors soon became a roll. This year saw Coreflood, which had compromised millions of Windows machines, taken out by the FBI. The crowning moment came in March, with the beheading of Rustock. Again, a massive drop in spam was recorded following the takedown.
The winning streak didn’t stop there either. Just last month, it emerged the Kelihos botnet was terminated, with legal action taken against 24 individuals in connection with the case. And now DNS Changer.
The tide has evidently turned. We are learning how to fight the war on botnets. More importantly, we are learning how to win key battles.
The McColo failure
Data sharing and collaboration has been at the heart of this shift. Yet prior to 2008, there was little cooperation whatsoever.
It was when McColo was shut down that the broken system really became apparent. Despite the McColo takedown’s success, it showed how poorly data was being used. Ultimately, the operation was a failure.
“When the McColo takedown happened people really understood just how much intelligence was lost in the lack of coordination,” Alex Lanstein, FireEye’s senior security researcher, told IT Pro. “Here you have the biggest malicious data centre in the history of the internet. It gets wiped out and there wasn’t a single arrest. A lot of people watching were asking how could they have blown it so badly.”
In the days before and during McColo’s demise, efforts to kill botnets were hampered by a “willy-nilly approach” where members of different bodies could be investigating the same threat without any joined up coordination, Lanstein said.
In some cases, companies were fighting the botnet war for more unscrupulous, self-serving means, only exacerbating the situation. “If you were just trying to get a little PR, you might not necessarily have spent the amount of time digging into the malware as you should have,” Lanstein continued.
“If you take down the first level of infrastructure, all the bots are going to automatically failover to another [infrastructure]. Not only are you not going to have any operational impact, you’re going to have a tonne of negative impact in that the bad guys will know someone is targeting them.”
Cyber criminals are nimble. Once they become alerted to a concerted effort to crack their operations, they will move fast to up their resiliency. That is why, in the old days, when bodies didn’t work with one another on tackling botnets, they did just half the work and unwittingly supported their common enemies.
To kill botnets, you need to go the whole way and dismantle the entire infrastructure. And to do that, you need as much information and cooperation as you can get.
Microsoft to the rescue
To bring the different sides together, the security industry needed a big player to step up to the plate. Microsoft did just that. It took on the role of chief botnet slayer.
Microsoft hasn’t always been the friendliest giant – just look at its various ongoing squabbles with Google – but the Redmond firm has been the linchpin in many significant battles against botnets. It was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. All have formed part of Project Microsoft Active Response for Security (MARS), which has one core aim: “To annihilate botnets and help make the internet a safer place.”
“Microsoft has really stepped up in a lot of different ways to try to bring together multiple groups that might not have known each other,” Lanstein added. “They’ve really put a lot of money in going after botnets and it has worked.”
The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections. In the case of Kelihos, Kaspersky loaned Microsoft its live botnet tracking system. The Russian company also led the operation to reverse-engineer the bot malware, crack the communication protocol and develop tools to take apart the botnet’s peer-to-peer infrastructure. It was another truly communal effort.
Microsoft should be proud of its work here. No other tech vendor has initiated such a concerted campaign against botnets. That’s not to say others haven’t played a big part, however. There have been some significant successes that haven’t involved Microsoft. The software behemoth was not part of two of the most significant botnet shutdowns in history – Mariposa and DNS Changer. Both of those led to complete disarmament of the bot masters and arrests of suspects.
Microsoft has shown what is possible when everyone cooperates, and others have subsequently proven the same point: the simple act of sharing is key to identifying botnets and successfully destroying them.
The long arm of the law
Collaboration might be vital, but the nail in the coffin of any botnet is only hammered in if arrests and prosecutions follow. In the past year, a plethora of suspects have been apprehended, but why now? Largely because tech companies and law enforcement have worked out how to twist judges’ arms into opening up legal pathways to take botnet infrastructure down before warning its owners.
Just a few years back, efforts to end botnets were not only hampered by an industry as fractious as the Greek Government – the legal system was doing the good guys no favours either. Instead of immediately asking registrars to shut down domains or ordering datacentre owners to allow police to switch off servers helping run botnets, courts required that bot-herders be sent a warning first.
Now, cyber criminals aren’t so lucky. The cases of Waledac and Rustock have set legal precedents that will be of huge benefit to the good guys in the long run. In the case of the former, Microsoft convinced a judge to issue an ex parte temporary restraining order (TRO), which meant Verisign, the administrator of the .com domain registry, had to hand the 276 domains used by Waledac for its command-and-control operations over to the Redmond company. Microsoft achieved this simply by pointing to the continuing harm that would be caused by the botnet if immediate action was not taken.
With Rustock, Microsoft filed a lawsuit against the anonymous operators of the botnet, basing its argument in part on the abuse of Microsoft trademarks in the bot’s spam. These clever legal manoeuvres are necessary to open the door to complete botnet destruction.
“As a private company we can only use civil process – we do not pretend to be law enforcement. But we wanted to do something proactively to protect our customers,” said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.
“We looked at the body of laws that were in place in the civil world in the US and asked ‘how could we adopt these to be able to confront some of these 21st century problems?’ There is always a cry for new laws and new legislation, but the reality is there are a lot of good laws on the books that were passed for other purposes … that are easily translatable.”
It’s all about creative use of the current laws, rather than begging for fresh legislation, Boscovich argues. In this week’s DNS Changer takedown, courts were again convinced to let law enforcement take a botnet apart. Datacentres in Chicago and New York were raided and dirty servers replaced with clean ones all thanks to a court order. If the perpetrators had been warned in that case, it could have ruined five years’ worth of work.
Indeed, the ‘company’ responsible for running the botnet, an Estonian organisation called Rove Digital, had previously moved servers when it sensed law enforcement was closing in on some of its other suspicious operations, according to Trend Micro. Imagine if it had been given notice again. Four million computers would still be infected and the crooks would continue making millions fraudulently.
Whilst the work of law enforcement, industry and others involved in the war on botnets is more than commendable, it would be unwise to get carried away. There remain some major obstacles to overcome. The first is how to tackle the subdomain issue.
At the current time, there is no requirement for domain hosts to know anything about those using their subdomains. In the case of Kelihos, Microsoft got a little lucky. Dominique Alexander Piatti of Czech domain hoster dotFREE Group was accused, along with a number of unidentified suspects, of owning a domain cz.cc and using it to register other subdomains which were running the Kelihos botnet.
Yet Microsoft dropped a lawsuit against Piatti late last month as it seemed dotFREE was simply being used by Kelihos’s controllers. Anyone hoping the case would inspire law makers to create fresh legislation was to be sorely disappointed. Domain hosts will still not be forced into knowing who their customers are. The crooked ones will simply turn a blind eye to pernicious activity on their servers.
“There are a lot of domains hosting hundreds of thousands of subdomains that are really hosting nasty stuff,” said Boscovich. He explained dotFREE had been highly proactive in cleaning up its game and learning about its customers. The domain industry should follow suit, he said. Either that or extra regulation is required.
“We would really like to see either the other subdomainers employ the same kind of business practices or maybe even have ICANN require that if you’re going to provide subdomains that you’re required to get the same information registrars are asked to get,” he added.
“It is time for the community to put more rules in place internationally through ICANN, hopefully, to get more transparency as to who is really behind these domains and subdomains that are causing a lot of problems.”
Subdomainers aren’t the only ones who need to be brought into line. The young upstarts of the info-sec world need to be convinced to join the party too. The divisions between the new players and the old guard could mean certain important data isn’t being shared. If these schisms aren’t dealt with, ironically, industry in-fighting will only benefit the cyber criminals.
In essence, it’s all about greater and greater collaboration. The war against botnets will always be one of attrition. As in the real world, you can’t ever completely kill crime. Yet if you can build a sizeable enough army, and keep its various factions at peace with one another, you’ll be winning the fight even if you won’t win outright.