Law Enforcement Asks Congress for More Power Against Botnet Operators

Senate Subcommittee on Crime and Terrorism Conducts Hearing on Botnets and Cybercrime

Cyber-attackers are increasingly using botnets to drive their criminal enterprises, whether they are sending spam, infecting computers with malware, or launching denial-of-service attacks, experts testified at a Senate committee hearing on Tuesday.

In the hearing, law enforcement officials asked Congress to consider legislation that would give them more tools to go after the botnet operators.

Executives from Microsoft, Symantec, Farsight Security, and Online Trust Alliance joined officials from the Federal Bureau of Investigation and the Department of Justice to testify at Tuesday's hearing on botnets held by the Senate Judiciary subcommittee on Crime and Terrorism.

Senate Hearing on Botnets

Botnets allow criminals to “command a virtual army of millions, most of whom have no idea that they have been conscripted,” said Sen. Sheldon Whitehouse (D-RI), the chairman of the panel.

“The only limit to the malicious purposes for which botnets can be used is the imagination of the criminal who controls them,” Whitehouse said, noting that botnets can also be sold or rented to other criminals. Whitehouse said he was working with Sen. Lindsey Graham (R-SC), the subcommittee's ranking member, on a bill to help crack down on botnets that he hoped to get passed later this year.

Financial Losses are High

Richard Domingues Boscovich, assistant general counsel from Microsoft Digital Crimes Unit, also described previous efforts by law enforcement and private sector organizations to dismantle botnets, with the latest example being Gameover Zeus.

Botnets have "caused enormous financial damage and innumerable invasions of Americans' privacy," said Boscovich.

Botnets infect nearly 500 million computers each year, or 18 systems per second, said Joseph Demarest, an assistant director at the Federal Bureau of Investigation. The infected machines have caused more than $9 billion in financial losses in the United States, and $110 billion globally, Demarest said.

Gameover Zeus was one of the most sophisticated botnets in operation, and before its takedown last month, it infected nearly 1 million computers, which resulted in nearly $100 million in financial losses, said Leslie Caldwell, the assistant attorney general from the Department of Justice. “All or nearly all” computers infected by the Gameover Zeus botnet have been disinfected, according to the Justice Department. The takedown was a coordinated operation between U.S. law enforcement, public and private sector organizations, and international partners.

Congress Can Give More Bite

The existing fraud and wiretapping laws are sufficient for going after many kinds of botnet operations, Demarest said. Even ransomware is covered as extortion under the law. But there are others that currently don't have any legal actions associated with them. For example, in the case of a denial-of-service attack, "we can't get an injunction against that," Demarest said.

There is no need to change the statutes, as the maximum sentences under most of the statutes are adequate, Caldwell said. "I don't think we need any kind of mandatory minimums because we have been seeing judges imposing sentences around the seven-eight-nine-year range," Caldwell said.

Takedowns Are Important

Recent law enforcement victories are making it clear to criminals that they can get caught, Demarest said. The deterrence factor in years past may not have been much, but it's much more significant now. "We're causing impact and see them talking amongst each other," Demarest said. "We're actually placing a price to pay for actually engaging in this activity now."

Boscovich did not mention, nor did the Senators ask about, the most recent Microsoft action against the Bladabindi-Jenxcus botnet, which also impacted dynamic DNS provider Vitalwerks Internet Solutions, the operator of the No-ip.com domain.

During the discussion about potential things Congress can do to make it easier for law enforcement to pursue botnet operators, there was no mention of how to ensure innocent sub-domain owners don't get swept up in these takedown efforts.

There was also no mention of the fact that botnet takedowns thus far have been disruptive, but not that effective in the long run because the criminals remain free to rebuild. Whitehouse did acknowledge that a new version of Gameover Zeus was making the rounds. In the case of Gameover Zeus, the Justice Department has charged a Russian native, Evgeniy Mikhailovich Bogachev, as the leader of the malware gang, but Bogachev remains free in Russia.

"Botnets conduct the digital equivalent of home invasion on a massive scale," said Boscovich. "We aim for their wallets. We disrupt botnets by undermining cyber-criminals' ability to profit from malicious attacks."

"Our solutions have to be borderless," Whitehouse said, noting that there is some level of international cooperation to get data about attacks as well as coordination for law enforcement actions. Demarest acknowledged there are some difficulties with some international law enforcement groups, but it's "improving."

Boscovich said the Conficker working group may be the best example of the kind of cooperation necessary to clean up victims and to dismantle the operation.

The government's role in this fight is to "focus on the immediate cessation of the harm to the people on the Internet," Cheri McGuire, the vice-president of global government affairs and cybersecurity policy at Symantec, said during the question-and-answer period. The government should "sever that communication, to stop the harm," while the private sector companies focus on education to prevent the infections in the first place.

The takedown attempt for Gameover Zeus “should serve as a model for the future,” McGuire said.

Botnet operators will "keep on going" and come up with even newer ways of attacks if law enforcement doesn't move aggressively to shut them down, Caldwell told Whitehouse. McGuire also raised the possibility of "thingbots" as the Internet of Things gets hijacked into botnets.

“If left unchecked, they will succeed,” Caldwell said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.