Law Enforcement Asks Congress for More Power Against Botnet Operators

Senate Subcommittee on Crime and Terrorism Conducts Hearing on Botnets and Cybercrime

Cyber-attackers are increasingly using botnets to drive their criminal enterprises, whether they are sending spam, infecting computers with malware, or launching denial-of-service attacks, experts testified at a Senate committee hearing on Tuesday.

In the hearing, law enforcement officials asked Congress to consider legislation that would give them more tools to go after the botnet operators.

Executives from Microsoft, Symantec, Farsight Security, and Online Trust Alliance joined officials from the Federal Bureau of Investigation and the Department of Justice to testify at Tuesday’s hearing on botnets held by the Senate Judiciary subcommittee on Crime and Terrorism.

Senate Hearing on Botnets

Botnets allow criminals to “command a virtual army of millions, most of whom have no idea that they have been conscripted,” said Sen. Sheldon Whitehouse (D-RI), the chairman of the panel.

“The only limit to the malicious purposes for which botnets can be used is the imagination of the criminal who controls them,” Whitehouse said, noting that botnets can also be sold or rented to other criminals. Whitehouse said he was working with Sen. Lindsey Graham (R-SC), the subcommittee’s ranking member, on a bill to help crack down on botnets that he hoped to get passed later this year.

Financial Losses are High

Richard Domingues Boscovich, assistant general counsel from Microsoft Digital Crimes Unit, also described previous efforts by law enforcement and private sector organizations to dismantle botnets, with the latest example being Gameover Zeus.

Botnets have “caused enormous financial damage and innumerable invasions of Americans’ privacy,” said Boscovich.

Botnets infect nearly 500 million computers each year, or 18 systems per second, said Joseph Demarest, an assistant director at the Federal Bureau of Investigation. The infected machines have caused more than $9 billion in financial losses in the United States, and $110 billion globally, Demarest said.

Gameover Zeus was one of the most sophisticated botnets in operation, and before its takedown last month, it infected nearly 1 million computers, which resulted in nearly $100 million in financial losses, said Leslie Caldwell, the assistant attorney general from the Department of Justice. “All or nearly all” computers infected by the Gameover Zeus botnet have been disinfected, according to the Justice Department. The takedown was a coordinated operation between U.S. law enforcement, public and private sector organizations, and international partners.

Congress Can Give More Bite

The existing fraud and wiretapping laws are sufficient for going after many kinds of botnet operations, Demarest said. Even ransomware is covered as extortion under the law. But there are others that currently don’t have any legal actions associated with them. For example, in the case of a denial-of-service attack, “we can’t get an injunction against that,” Demarest said.

There is no need to change the statutes, as the maximum sentences under most of the statutes are adequate, Caldwell said. “I don’t think we need any kind of mandatory minimums because we have been seeing judges imposing sentences around the seven-eight-nine-year range,” Caldwell said.

Takedowns Are Important

Recent law enforcement victories are making it clear to criminals that they can get caught, Demarest said. The deterrence factor in years past may not have been much, but it’s much more significant now. “We’re causing impact and see them talking amongst each other,” Demarest said. “We’re actually placing a price to pay for actually engaging in this activity now.”

Boscovich did not mention, nor did the senators ask about, the most recent Microsoft action against the Bladabindi-Jenxcus botnet, which also impacted dynamic DNS provider Vitalwerks Internet Solutions, the operator of the No-ip.com domain.

During the discussion about potential things Congress can do to make it easier for law enforcement to pursue botnet operators, there was no mention of how to ensure innocent sub-domain owners don’t get swept up in these takedown efforts.

There was also no mention of the fact that botnet takedowns thus far have been disruptive, but not that effective in the long run because the criminals remain free to rebuild. Whitehouse did acknowledge that a new version of Gameover Zeus was making the rounds. In the case of Gameover Zeus, the Justice Department has charged a Russian native, Evgeniy Mikhailovich Bogachev, as the leader of the malware gang, but Bogachev remains free in Russia.

“Botnets conduct the digital equivalent of home invasion on a massive scale,” said Boscovich. “We aim for their wallets. We disrupt botnets by undermining cyber-criminals’ ability to profit from malicious attacks.”

“Our solutions have to be borderless,” Whitehouse said, noting that there is some level of international cooperation to get data about attacks as well as coordination for law enforcement actions. Demarest acknowledged there are some difficulties with some international law enforcement groups, but it’s “improving.”

Boscovich said the Conficker working group may be the best example of the kind of cooperation necessary to clean up victims and to dismantle the operation.

The government’s role in this fight is to “focus on the immediate cessation of the harm to the people on the Internet,” Cheri McGuire, the vice-president of global government affairs and cybersecurity policy at Symantec, said during the question-and-answer period. The government should “sever that communication, to stop the harm,” while the private sector companies focus on education to prevent the infections in the first place.

The takedown attempt for Gameover Zeus “should serve as a model for the future,” McGuire said.

Botnet operators will “keep on going” and come up with even newer ways of attacking if law enforcement doesn’t move aggressively to shut them down, Caldwell told Whitehouse. McGuire also raised the possibility of “thingbots” as the Internet of Things gets hijacked into botnets.

“If left unchecked, they will succeed,” Caldwell said.
