Connect with us

Hi, what are you looking for?



Combating Botnets – Think Globally and Act Locally

Botnet takedowns are good for the industry, but our local controls are really the only security measures that we can rely on to protect our users, networks and data.

Botnet takedowns are good for the industry, but our local controls are really the only security measures that we can rely on to protect our users, networks and data.

The fight against malware has never been easy, but botnets have forced the security industry as well as individual security teams to re-evaluate how they confront modern threats. Botnets are, by their nature, both very powerful and resilient. They can leverage massive numbers of infected machines (bots) and coordinate them toward a common goal. For example, an attacker running a DoS attack against your network is one thing to combat, but millions of infecting hosts all DoSing your network from all over the world is another thing entirely. Further, the distributed nature of botnets also makes them incredibly resilient threats that can easily survive the loss of many components.

Monitor Network Connections to Protect DataAll of this has led to an interesting challenge to the security industry. In some ways botnets are a very local network security problem, meaning that your users are compromised, potentially having your enterprise information stolen, potentially using your network resources to launch other attacks. That same botnet is simultaneously a global law enforcement and security challenge, likely spanning multiple countries and agencies. This duality has triggered two similarly different responses to botnets.

Industry titans such as Kaspersky and Microsoft have repeatedly shown success in stopping botnets by taking control of the servers that drive the botnet. And, taking another route, security teams have focused on preventing and rooting out the actual bots that infect their users and networks. Both of these strategies are critical and will continue to rely on the other.

The Case for Botnet Takedowns

Botnet takedowns are often big news (at least in security circles), requiring a great deal of coordination between security researchers, law enforcement, and not to mention ISPs and carriers. The whole idea of these takedowns is to separate the botnet from its brain, i.e. its command and control servers. This so-called “decapitation” approach has actually proven to be very successful, particularly in dealing with the most egregious spamming botnets. Srizbi and Rustock were both massive spamming botnets that were taken down and as soon as they were taken down, the worldwide amount of spam dropped by as much as 70%. Those numbers have been well reported, but it’s truly a staggering amount of traffic. That is good and important work no matter how you slice it.

However, as one should expect, this approach is not a silver bullet. First, takedowns are typically long and complicated efforts, which means they take time. Years in some cases. It also means that you tend to focus on the biggest botnets, which may not be the same as the botnet that poses the biggest risk to your network. For instance, lowering the amount of spam on the Internet is good news, but you are probably more concerned about identifying and stopping the botnet that is harvesting your employees’ email logins.

Lastly, the more insidious problem is that more often than not, a decapitated botnet will come back.

Advertisement. Scroll to continue reading.

Resurrection, Restarts and Resistance

Some of the world’s most famous botnet takedowns also serve as the best examples of why a botnet decapitation is not the final word. Pushdo, Srizbi and countless others have been able to survive and recover from decapitation attempts. This is primarily because most decapitations do not directly address the vast numbers of bot-infected machines out in the world. As a result, a decapitated botnet is still a massive botnet that is just looking for a master.

Botmasters have repeatedly shown the ability to bring a botnet back to life simply by recovering access to their previously disconnected bots. In fact, this ability to resist and recover from a takedown has become a fundamental component of many modern botnets. The TDL-4 and Zeus botnets, for instance, have the ability to survive the loss of all of its command and control servers, by using messages stored in peer-to-peer networks to control the botnet.

Of course, even in the case of a successful takedown, the botnet can often be rebuilt again. Waledac, a previously decapitated botnet has recently been seen popping up again in a new form. This new version added on to its previous spamming functionality the ability to also steal an infected user’s email and FTP passwords, as well as passwords stored in popular browsers.

The simple truth is that a successful botnet represents a very profitable venture for a criminal organization. Even if the takedown is successful, the gang can make a few tweaks and simply start again.

Act Locally

While botnet takedowns are obviously good for the industry, our local controls are really the only security measures that we can rely on to protect our users, networks and data. As a case in point, the new variant of the Waledac botnet was first observed in enterprise networks even though the sample in question had no coverage from antivirus vendors. The malware was detected by the enterprise firewall, which had the ability to perform a sandbox analysis of incoming files that were unknown or suspicious. This analysis essentially executes the unknown file in a virtual environment and can determine if the file is malicious by watching its actual behaviors instead of relying on a traditional antivirus signature.

However local controls go beyond simply blocking the infecting files associated with malware. We can pursue the same principle of the decapitation strategy, but in a slightly different way. Since bots need to communicate with a remote server in order to function, we have the ability to incapacitate a botnet on our network by finding and blocking the outbound communications between infected machines and the remote management server. This is a critical step because it allows us to quarantine a botnet and mitigate the damage it might do in the time between when it is first detected and when the infected systems can be properly cleaned.

By analyzing malware in a sandbox environment, we can gain invaluable insight into exactly how a bot communicates, including any attempts at evasion and circumvention. While this approach certainly won’t do anything to disrupt the global impacts of a botnet, it can actually do quite a bit to keep that botnet from reaching into our networks.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...