The war on botnets


This week saw one of the most significant successes ever in the fight against cyber crime when the DNS Changer botnet was dismantled and seven people were charged.

It followed a slew of botnet takedowns achieved in the past two years alone. It's a good time to be a crime fighter on the internet.

Yet during the eight years between the birth of malicious networks at the turn of the millennium and the decapitation of major botnet-hoster McColo in 2008, the security industry and law enforcement were in the doldrums.

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

It took far longer for the industry and police forces to find some answers than it did for hackers to up their skills and exponentially increase the sophistication and size of their networks. But answers did nevertheless arrive and since 2008 we've seen just how dramatically the pendulum has swung in the favour of the 'good guys.'

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

When McColo was shut down, taking with it a tonne of malware and botnet activity, the impact was immediately felt. Spam levels fell by as much as 80 per cent.

Mariposa, which had infected 13 million PCs, and Mega-D were the first major botnets to fall after the McColo operation. Then came Waledac and Bredolab in 2010 bringing down two massively powerful botnets surreptitiously controlling tens of millions of machines.

What seemed like a freak spate of successes for the anti-botnet warriors soon became a roll. This year saw Coreflood, which had compromised millions of Windows machines, taken out by the FBI. The crowning moment came in March, with the head of Rustock. Again, a massive drop in spam was recorded following the takedown.

The winning streak didn't stop there either. Just last month, it emerged the Kelihos botnet was terminated, with legal action taken against 24 individuals in connection with the case. And now DNS Changer.

The tide has evidently turned. We are learning how to fight the war on botnets. More importantly, we are learning how to win key battles.

The McColo failure

Data sharing and collaboration has been at the heart of this shift. Yet prior to 2008, there was little cooperation whatsoever.

It was when McColo was shut down that the broken system really became apparent. Despite McColo's success, it showed how poorly data was being used. Ultimately, the operation was a failure.

"When the McColo takedown happened people really understood just how much intelligence was lost in the lack of coordination," Alex Lanstein, FireEye's senior security researcher, told IT Pro. "Here you have the biggest malicious data centre in the history of the internet. It gets wiped out and there wasn't a single arrest. A lot of people watching were asking how could they have blown it so badly."

In the days before and during McColo's demise, efforts to kill botnets were hampered by a "willy-nilly approach" where members of different bodies could be investigating the same threat without any joined up coordination, Lanstein said.

In some cases, companies were fighting the botnet war for more unscrupulous, self-serving means, only exacerbating the situation. "If you were just trying to get a little PR, you might not necessarily have spent the amount of time digging into the malware as you should have," Lanstein continued.

"If you take down the first level of infrastructure, all the bots are going to automatically failover to another [infrastructure]. Not only are you not going to have any operational impact, you're going to have a tonne of negative impact in that the bad guys will know someone is targeting them."

Cyber criminals are nimble. Once they become alerted to a concerted effort to crack their operations, they will move fast to up their resiliency. Hence why in the old days, when bodies didn't work with one another on tackling botnets, they did just half the work and unwittingly supported their common enemies.

To kill botnets, you need to go the whole way and dismantle the entire infrastructure. And to do that, you need as much information and cooperation as you can get.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.