
Botnet Terminator

by Jane Ginn

Botnets are an insidious fact of the modern Internet.  Botnets are groups of computers from all around the world that have been infected through some form of malware which, after infection, respond to instructions from a remote computer.  They are used by cyber criminals to launch distributed denial of service (DDoS) attacks, to generate spam, and to execute a wide variety of other exploits.  On January 13, 2012 The Hacker News reported that Microsoft will be launching a real-time, hosted, threat intelligence feed that will be tracking the status of botnets that are creating havoc on the Internet.

Legendary Botnets

Microsoft is a good company to host such a feed.  It was one of the parties to the take-down of the Rustock botnet on March 16, 2011.  The botnet targeted flaws in the Windows operating system and was capable of sending up to 25,000 spam messages per hour from a single infected computer.  Rustock’s signature spam was a pharmaceutical offering.  Operation b107, as the Rustock take-down was called, was a joint effort by Microsoft, privately-owned FireEye, the University of Washington, and U.S. Federal law enforcement agents.  Over the course of its operation, beginning in 2006, this botnet was responsible for infecting up to an estimated 2.5 million computers.  After the closure of McColo, Rustock’s San Jose-based Internet Service Provider (ISP), it temporarily lost its link to its command and control server.  But Rustock’s operators regained connectivity to the botnet, and by August 2010 there were still an estimated 1.3 million infected computers generating spam from Rustock.  Crippled, but not slain, these computers were still generating about 46 billion spam emails per day, according to Paul Wood, a MessageLabs intelligence analyst with Symantec.

But Rustock was not the only legendary botnet.  Another botnet, known as Waledac, was spread by coupons and fake New Year’s e-cards that were sent to unsuspecting victims.  Mikko Hyppönen, chief research officer at anti-virus provider F-Secure, reported that this botnet was exploiting a known vulnerability in Adobe Flash and Microsoft’s Internet Explorer.  The payload for this botnet was a Trojan that gave the cybercriminals full access to the user’s PC, sent spam, and participated in DDoS attacks.  With Waledac the command-and-control servers were also capable of downloading fake anti-virus programs onto infected machines.  What made this botnet so dangerous were the various permutations it went through during its lifetime.  One of its variants even added a geolocation feature, a social engineering technique security experts had not seen before.  Another version of Waledac spoofed a Reuters news site warning of a bomb blast in the recipient’s city.  The goal was to dupe users into clicking on a video link that would install the Trojan and extend the reach of the botnet.

Another high-profile case of a botnet countermeasure with Microsoft cooperation was the Kaspersky Lab take-down in 2011 of Kelihos/Hlux.  This was a very sophisticated botnet that targeted consumers of financial services.  Tilmann Werner of Kaspersky Lab notes that this botnet ran pump-and-dump stock scams and was responsible for the theft of sensitive financial information.  It also served as a vehicle for spam and DDoS attacks.  In essence, the botnet has been ‘sinkholed’, or taken over, by Kaspersky Lab.  This means that the command and control servers are now under the control of white hat hackers who are systematically terminating the operations of the “worker” or host botnet computers.  Werner reports that, as of September 29, 2011, they had 3,000 hosts connecting to the sinkhole every minute.  While Microsoft used a legal route to disable the domains and identify the responsible parties, Kaspersky Lab concentrated on disabling the command and control servers for the botnet.  One of the innovations of this peer-to-peer botnet was its architecture, which allowed for fast reactions against take-down attempts.
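Once a botnet has been sinkholed, the operator's main job is to measure and report the infected population from the connection log, which is where figures like "3,000 hosts per minute" come from.  The following script is an added illustration and is not code from this article or from Kaspersky Lab: it parses a constructed, hypothetical sinkhole log format (timestamp, source address, message type), counts distinct hosts per minute, and groups hosts by network prefix so the results can be handed to the responsible ISPs or CERTs for clean-up.  The addresses are reserved documentation ranges, not real infected machines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole connection-log lines (not real data).
# Hypothetical format: ISO-8601 timestamp, source IP of the connecting
# host, and the peer-protocol message type it sent to the sinkhole.
SINKHOLE_LOG = """\
2011-09-29T14:00:03Z 198.51.100.17 HELLO
2011-09-29T14:00:09Z 203.0.113.5 HELLO
2011-09-29T14:00:41Z 198.51.100.17 JOBREQ
2011-09-29T14:01:02Z 192.0.2.44 HELLO
2011-09-29T14:01:15Z 203.0.113.5 JOBREQ
2011-09-29T14:01:58Z 192.0.2.44 JOBREQ
2011-09-29T14:02:07Z 198.51.100.17 HELLO
"""


def parse_line(line):
    """Split one log line into (datetime, ip, message)."""
    ts, ip, msg = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, msg


def iter_records(log_text):
    """Yield parsed records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def hosts_per_minute(log_text):
    """Number of distinct connecting hosts in each one-minute bucket.

    A repeat connection from the same host within a minute counts once,
    so the figure reflects infected machines, not raw connection volume.
    """
    buckets = defaultdict(set)
    for ts, ip, _ in iter_records(log_text):
        buckets[ts.strftime("%Y-%m-%d %H:%M")].add(ip)
    return {minute: len(ips) for minute, ips in sorted(buckets.items())}


def unique_infected_hosts(log_text):
    """Total distinct hosts seen over the whole log."""
    return len({ip for _, ip, _ in iter_records(log_text)})


def first_seen(log_text):
    """Earliest timestamp at which each host contacted the sinkhole."""
    seen = {}
    for ts, ip, _ in iter_records(log_text):
        if ip not in seen or ts < seen[ip]:
            seen[ip] = ts
    return seen


def hosts_by_prefix(log_text):
    """Group distinct hosts by /24 prefix for per-network notification."""
    groups = defaultdict(set)
    for _, ip, _ in iter_records(log_text):
        prefix = ".".join(ip.split(".")[:3])
        groups[prefix].add(ip)
    return {prefix: sorted(ips) for prefix, ips in sorted(groups.items())}


if __name__ == "__main__":
    print("hosts per minute:", hosts_per_minute(SINKHOLE_LOG))
    print("unique infected hosts:", unique_infected_hosts(SINKHOLE_LOG))
    print("first seen:", {ip: ts.isoformat() for ip, ts in first_seen(SINKHOLE_LOG).items()})
    print("by /24 prefix:", hosts_by_prefix(SINKHOLE_LOG))
```

Counting distinct hosts rather than connections matters because a peer-to-peer bot such as Kelihos/Hlux polls its peers repeatedly; without deduplication the same machine would be counted many times in a minute and the infection estimate would be inflated.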

For cyber security analysts the take-away lesson from these three legendary botnets is that these robot armies are becoming more and more sophisticated.  This raises obvious questions about the role of government in the management of these risks for individuals and companies.  Current proposals in the U.S. House of Representatives for a Stop Online Piracy Act (SOPA) and in the U.S. Senate for a Protection of Intellectual Property Act (PIPA) do not address the issue of botnet control.

As a consequence, private sector initiatives, such as the real-time threat intelligence feed to be implemented by Microsoft, will help cyber security experts manage the risks and fill in the public policy gaps until Congress has a chance to catch up.

In the meantime, individuals need to take action to install malware protection programs from trusted sources to make sure their computers do not become tools of the cyber criminals seeking to exploit others.

Botnets do not rule…at least for a while longer, humans do.

One Response to Botnet Terminator

  1. Jane Ginn

    January 31, 2012 at 4:55 pm

    Addendum to original article from Jane Ginn. Today I ran across an article by Maria Garnaeva of Kaspersky Labs noting that the Kelihos/Hlux botnet has resurfaced in a new permutation. Here is a link to her summary: