Security Experts:

Combating Botnets - Think Globally and Act Locally

Botnet takedowns are good for the industry, but our local controls are really the only security measures that we can rely on to protect our users, networks and data.

The fight against malware has never been easy, but botnets have forced the security industry as well as individual security teams to re-evaluate how they confront modern threats. Botnets are, by their nature, both very powerful and resilient. They can leverage massive numbers of infected machines (bots) and coordinate them toward a common goal. For example, an attacker running a DoS attack against your network is one thing to combat, but millions of infecting hosts all DoSing your network from all over the world is another thing entirely. Further, the distributed nature of botnets also makes them incredibly resilient threats that can easily survive the loss of many components.

Monitor Network Connections to Protect DataAll of this has led to an interesting challenge to the security industry. In some ways botnets are a very local network security problem, meaning that your users are compromised, potentially having your enterprise information stolen, potentially using your network resources to launch other attacks. That same botnet is simultaneously a global law enforcement and security challenge, likely spanning multiple countries and agencies. This duality has triggered two similarly different responses to botnets.

Industry titans such as Kaspersky and Microsoft have repeatedly shown success in stopping botnets by taking control of the servers that drive the botnet. And, taking another route, security teams have focused on preventing and rooting out the actual bots that infect their users and networks. Both of these strategies are critical and will continue to rely on the other.

The Case for Botnet Takedowns

Botnet takedowns are often big news (at least in security circles), requiring a great deal of coordination between security researchers, law enforcement, and not to mention ISPs and carriers. The whole idea of these takedowns is to separate the botnet from its brain, i.e. its command and control servers. This so-called “decapitation” approach has actually proven to be very successful, particularly in dealing with the most egregious spamming botnets. Srizbi and Rustock were both massive spamming botnets that were taken down and as soon as they were taken down, the worldwide amount of spam dropped by as much as 70%. Those numbers have been well reported, but it’s truly a staggering amount of traffic. That is good and important work no matter how you slice it.

However, as one should expect, this approach is not a silver bullet. First, takedowns are typically long and complicated efforts, which means they take time. Years in some cases. It also means that you tend to focus on the biggest botnets, which may not be the same as the botnet that poses the biggest risk to your network. For instance, lowering the amount of spam on the Internet is good news, but you are probably more concerned about identifying and stopping the botnet that is harvesting your employees’ email logins.

Lastly, the more insidious problem is that more often than not, a decapitated botnet will come back.

Resurrection, Restarts and Resistance

Some of the world’s most famous botnet takedowns also serve as the best examples of why a botnet decapitation is not the final word. Pushdo, Srizbi and countless others have been able to survive and recover from decapitation attempts. This is primarily because most decapitations do not directly address the vast numbers of bot-infected machines out in the world. As a result, a decapitated botnet is still a massive botnet that is just looking for a master.

Botmasters have repeatedly shown the ability to bring a botnet back to life simply by recovering access to their previously disconnected bots. In fact, this ability to resist and recover from a takedown has become a fundamental component of many modern botnets. The TDL-4 and Zeus botnets, for instance, have the ability to survive the loss of all of its command and control servers, by using messages stored in peer-to-peer networks to control the botnet.

Of course, even in the case of a successful takedown, the botnet can often be rebuilt again. Waledac, a previously decapitated botnet has recently been seen popping up again in a new form. This new version added on to its previous spamming functionality the ability to also steal an infected user’s email and FTP passwords, as well as passwords stored in popular browsers.

The simple truth is that a successful botnet represents a very profitable venture for a criminal organization. Even if the takedown is successful, the gang can make a few tweaks and simply start again.

Act Locally

While botnet takedowns are obviously good for the industry, our local controls are really the only security measures that we can rely on to protect our users, networks and data. As a case in point, the new variant of the Waledac botnet was first observed in enterprise networks even though the sample in question had no coverage from antivirus vendors. The malware was detected by the enterprise firewall, which had the ability to perform a sandbox analysis of incoming files that were unknown or suspicious. This analysis essentially executes the unknown file in a virtual environment and can determine if the file is malicious by watching its actual behaviors instead of relying on a traditional antivirus signature.

However local controls go beyond simply blocking the infecting files associated with malware. We can pursue the same principle of the decapitation strategy, but in a slightly different way. Since bots need to communicate with a remote server in order to function, we have the ability to incapacitate a botnet on our network by finding and blocking the outbound communications between infected machines and the remote management server. This is a critical step because it allows us to quarantine a botnet and mitigate the damage it might do in the time between when it is first detected and when the infected systems can be properly cleaned.

By analyzing malware in a sandbox environment, we can gain invaluable insight into exactly how a bot communicates, including any attempts at evasion and circumvention. While this approach certainly won’t do anything to disrupt the global impacts of a botnet, it can actually do quite a bit to keep that botnet from reaching into our networks.

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.