Botnet takedowns are good for the industry, but our local controls are really the only security measures that we can rely on to protect our users, networks and data.
The fight against malware has never been easy, but botnets have forced the security industry as well as individual security teams to re-evaluate how they confront modern threats. Botnets are, by their nature, both very powerful and resilient. They can leverage massive numbers of infected machines (bots) and coordinate them toward a common goal. For example, an attacker running a DoS attack against your network is one thing to combat, but millions of infecting hosts all DoSing your network from all over the world is another thing entirely. Further, the distributed nature of botnets also makes them incredibly resilient threats that can easily survive the loss of many components.
Industry titans such as Kaspersky and Microsoft have repeatedly shown success in stopping botnets by taking control of the servers that drive the botnet. And, taking another route, security teams have focused on preventing and rooting out the actual bots that infect their users and networks. Both of these strategies are critical and will continue to rely on the other.
The Case for Botnet Takedowns
Botnet takedowns are often big news (at least in security circles), requiring a great deal of coordination between security researchers, law enforcement, and not to mention ISPs and carriers. The whole idea of these takedowns is to separate the botnet from its brain, i.e. its command and control servers. This so-called “decapitation” approach has actually proven to be very successful, particularly in dealing with the most egregious spamming botnets. Srizbi and Rustock were both massive spamming botnets that were taken down and as soon as they were taken down, the worldwide amount of spam dropped by as much as 70%. Those numbers have been well reported, but it’s truly a staggering amount of traffic. That is good and important work no matter how you slice it.
However, as one should expect, this approach is not a silver bullet. First, takedowns are typically long and complicated efforts, which means they take time. Years in some cases. It also means that you tend to focus on the biggest botnets, which may not be the same as the botnet that poses the biggest risk to your network. For instance, lowering the amount of spam on the Internet is good news, but you are probably more concerned about identifying and stopping the botnet that is harvesting your employees’ email logins.
Lastly, the more insidious problem is that more often than not, a decapitated botnet will come back.
Resurrection, Restarts and Resistance
Some of the world’s most famous botnet takedowns also serve as the best examples of why a botnet decapitation is not the final word. Pushdo, Srizbi and countless others have been able to survive and recover from decapitation attempts. This is primarily because most decapitations do not directly address the vast numbers of bot-infected machines out in the world. As a result, a decapitated botnet is still a massive botnet that is just looking for a master.
Botmasters have repeatedly shown the ability to bring a botnet back to life simply by recovering access to their previously disconnected bots. In fact, this ability to resist and recover from a takedown has become a fundamental component of many modern botnets. The TDL-4 and Zeus botnets, for instance, have the ability to survive the loss of all of its command and control servers, by using messages stored in peer-to-peer networks to control the botnet.
Of course, even in the case of a successful takedown, the botnet can often be rebuilt again. Waledac, a previously decapitated botnet has recently been seen popping up again in a new form. This new version added on to its previous spamming functionality the ability to also steal an infected user’s email and FTP passwords, as well as passwords stored in popular browsers.
The simple truth is that a successful botnet represents a very profitable venture for a criminal organization. Even if the takedown is successful, the gang can make a few tweaks and simply start again.
Act Locally
While botnet takedowns are obviously good for the industry, our local controls are really the only security measures that we can rely on to protect our users, networks and data. As a case in point, the new variant of the Waledac botnet was first observed in enterprise networks even though the sample in question had no coverage from antivirus vendors. The malware was detected by the enterprise firewall, which had the ability to perform a sandbox analysis of incoming files that were unknown or suspicious. This analysis essentially executes the unknown file in a virtual environment and can determine if the file is malicious by watching its actual behaviors instead of relying on a traditional antivirus signature.
However local controls go beyond simply blocking the infecting files associated with malware. We can pursue the same principle of the decapitation strategy, but in a slightly different way. Since bots need to communicate with a remote server in order to function, we have the ability to incapacitate a botnet on our network by finding and blocking the outbound communications between infected machines and the remote management server. This is a critical step because it allows us to quarantine a botnet and mitigate the damage it might do in the time between when it is first detected and when the infected systems can be properly cleaned.
By analyzing malware in a sandbox environment, we can gain invaluable insight into exactly how a bot communicates, including any attempts at evasion and circumvention. While this approach certainly won’t do anything to disrupt the global impacts of a botnet, it can actually do quite a bit to keep that botnet from reaching into our networks.