Security Firm Analyzes Success of Botnet Takedowns

Israel-based threat detection firm Seculert has been monitoring the effects of the recent Gameover Zeus and Shylock botnet takedown operations, and found that the cybercriminals have already taken steps to resurrect their campaigns.

The international operation against Gameover Zeus, which also disrupted the CryptoLocker ransomware, was announced on June 2 by the law enforcement agencies and private sector companies that contributed to the takedown. On July 11, the United States Department of Justice provided an update saying that the “technical and legal measures undertaken to disrupt Gameover Zeus and Cryptolocker have proven successful.”

However, at around the same time, Bitdefender reported that while CryptoLocker had not been active, its infrastructure was still being used by other threats. Furthermore, researchers from Malcovery Security identified a new Trojan largely based on Gameover Zeus that appeared to be part of cybercriminals’ efforts to resurrect the botnet.

Seculert has been monitoring the evolution of the Gameover Zeus botnet and confirms there is a new variant that does not rely on a peer-to-peer (P2P) mechanism, as previous versions did. Furthermore, the new variant has a different domain generation algorithm (DGA), which now generates 1,000 domains per day, whereas the previous variant generated only 1,000 new domains per week.

Before the takedown, roughly 25,000 to 100,000 bots communicated with the security firm’s sinkhole every day. After the operation, the number has dropped significantly, but there have been signs of a comeback.

“In the last few days we have seen a surge in the number of bots communicating with our sinkhole; reaching as high as almost 10,000 infected devices. We anticipate the communications traffic to level out over time to reflect pre-takedown amounts,” Seculert CTO Aviv Raff explained in a blog post.
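The sinkhole figures above (25,000 to 100,000 bots per day before the takedown, a sharp drop, then a climb back toward 10,000) are the kind of signal a defender watches for resurgence. The following is an added example, not Seculert's code or data: it counts distinct source IPs per day from constructed sinkhole log lines, takes the lowest pre-takedown daily count as a floor, and flags post-takedown days on which the count recovers to a set fraction of that floor. The log format, the `TAKEDOWN_DAY` constant and the threshold ratio are assumptions made for the example.

```python
"""Sinkhole telemetry check: unique bots per day and post-takedown resurgence.
Added example; the log lines below are constructed, not Seculert data."""
import re
from collections import defaultdict

# Constructed sinkhole log (assumed format): "<YYYY-MM-DD> <src_ip> <queried_domain>".
SAMPLE_LOG = """\
2014-06-01 198.51.100.10 kq3xzl.example
2014-06-01 198.51.100.11 kq3xzl.example
2014-06-01 198.51.100.12 kq3xzl.example
2014-06-01 198.51.100.10 pl9dsa.example
2014-06-01 198.51.100.13 pl9dsa.example
2014-06-03 198.51.100.11 bm2wqe.example
2014-06-04 198.51.100.11 bm2wqe.example
this line is malformed and must be skipped
2014-07-14 203.0.113.20 rt7hjk.example
2014-07-14 203.0.113.21 rt7hjk.example
2014-07-14 203.0.113.22 rt7hjk.example
2014-07-14 198.51.100.11 rt7hjk.example
"""

# Takedown announcement date from the article; ISO strings compare in date order.
TAKEDOWN_DAY = "2014-06-02"
DAY_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def daily_unique_bots(log_text):
    """Map each day (ISO string) to the number of distinct source IPs seen.

    Distinct IPs are counted rather than raw requests so a chatty bot does not
    inflate the figure. Lines that do not match the assumed format are skipped.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not DAY_RE.fullmatch(parts[0]):
            continue
        day, src_ip, _domain = parts
        seen[day].add(src_ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def pre_takedown_floor(counts, takedown_day):
    """Lowest daily unique-bot count observed before the takedown (0 if none)."""
    before = [n for day, n in counts.items() if day < takedown_day]
    return min(before) if before else 0


def resurgence_days(counts, takedown_day, floor, ratio):
    """Post-takedown days whose count is at least `ratio` of the pre-takedown floor.

    Returns a list of (day, count) in date order. The ratio is an analyst-chosen
    threshold (assumption); the article's own comeback reached roughly 10,000
    bots against a 25,000 pre-takedown low, i.e. about 0.4 of the floor.
    """
    threshold = floor * ratio
    return [(day, n) for day, n in counts.items()
            if day > takedown_day and n >= threshold]


if __name__ == "__main__":
    counts = daily_unique_bots(SAMPLE_LOG)
    floor = pre_takedown_floor(counts, TAKEDOWN_DAY)
    for day, n in resurgence_days(counts, TAKEDOWN_DAY, floor, ratio=0.5):
        print(f"{day}: {n} unique bots (>= 50% of pre-takedown floor {floor})")
```

Counting by distinct IP is a deliberate trade-off: hosts behind a NAT collapse into one count and DHCP churn inflates it, so the ratio is best read as a trend indicator across days rather than an exact infection tally.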

On July 10, several law enforcement agencies and cyber security companies announced seizing command and control servers and domains used by Shylock, a piece of financial malware that’s said to have infected at least 30,000 computers worldwide.

Seculert managed to sinkhole Shylock three days after the takedown operation was announced, and found that approximately 10,000 bots were trying to communicate with the server every day.

Shylock and Gameover Zeus would not be the only botnets to make a comeback after a takedown operation. The Kelihos/Waledac botnet was disrupted twice in 2011 and 2012, yet the cybercriminals managed to resume their activities each time. One day after the second takedown, which took place in March 2012, Seculert identified over 70,000 devices still active in the botnet.

Seculert claims it’s not trying to question the success of these operations, but to identify the factors that determine their success. Since many of the campaigns against botnets only cripple the malware instead of completely killing it off, it’s possible that these efforts are only testing the limits of cybercriminals, Raff said.

“It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger,” the expert noted.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
