Feeds

Must try HARDER, infosec lads: We're RUBBISH at killing ZOMBIES

Botnet decap should be a team effort – ex-detective infosec bod

High performance access to file storage

Botnet takedowns need to be improved if the industry is to avoid the risk of creating more problems than it solves every time its decapitates a zombie network, according to a former Scotland Yard detective turned security researcher.

Adrian Culley, a technical consultant at infosec firm Damballa* who served with the Met Police for 13 years until 2003, told El Reg that more co-ordination and better strategies are needed in botnet takedowns.

As things stand, botnet takedowns are frequently an exercise in whack-a-mole: as one zombie network is taken down, another springs up. Zombie networks are created by both organised crime and intelligence agencies. "Botnets are a blended threat," Culley told El Reg. "Criminal, commercial and government elements are all involved and sometimes it's tough to see where one stop and the other begins."

Culley named China, Russia and Israel (which he described as the example "no one talks about") as the countries whose spooks have turned to creating botnets. Recent Snowden revelations have shown that elements of the NSA are running botnets too.

Techniques such as sinkholing to wrest control of the botnet work need to be followed up by deeper analysis, according to Culley. The former Met Police officer said that more in-depth analysis after the fact can future takedowns in much the same way the introduction of post-mortems improved surgical techniques and procedures. Better communications between parties involved in botnet takedowns are also needed.

Culley cited the Conficker takedown as a "good example of how to do it right".

Hyper-fluxing

Organised crime and other elements are upping their game by using P2P architectures for command and control networks or rotating domain changing algorithms (hyper-fluxing) used by zombie drones to contact command nodes.

Hyper-fluxing is a refinement of the fast-fluxing technique of generating commands nodes that's been around for several years as a means to move away from fixed-address command-and-control infrastructures that are easier to identify and take down. While fast-fluxing involves using one domain changing algorithm hyper-fluxing involves switching between multiple domain-changing algorithms.

Internet defenders need to up their game or else bot-herders will render their best efforts hopelessly inadequate.

Law enforcement and industry must be involved in dismantling zombie networks, and arresting the cybercrooks who profit for them. But the role played by industry needs to be better co-ordinated, a role suited to an organisations such as ICANN, Culley suggested.

A paper (PDF) co-authored by Damballa analysing 45 active botnets revealed that while some takedowns were effective, others did not appear to have a significant long term impact on the targeted botnet. In particular, botnets with secondary communications channels are far more resilient to takedowns.

The research - Beheading Hydras: Performing Effective Botnet Takedowns (abstract below) - was put together by Manos Antonakakis, chief scientist at Damballa, along with computer scientists from the Georgia Institute of Technology and the University of Georgia,

Devices infected with malicious software typically form botnet armies under the influence of one or more command and control (C&C) servers. The botnet problem reached such levels where federal law enforcement agencies have to step in and take actions against botnets by disrupting (or "taking down") their C&Cs, and thus their illicit operations. Lately, more and more private companies have started to independently take action against botnet armies, primarily focusing on their DNS-based C&Cs.

While well-intentioned, their C&C takedown methodology is in most cases ad-hoc, and limited by the breadth of knowledge available around the malware that facilitates the botnet.

With this paper, we aim to bring order, measure, and reason to the botnet takedown problem. We propose a takedown analysis and recommendation system, called rza, that allows researchers to perform two tasks: 1) a post-mortem analysis of past botnet takedowns, and 2) provide recommendations on how to successfully execute future botnet takedowns. As part of our system evaluation, we perform a post-mortem analysis of the recent Kelihos, Zeus and 3322.org takedowns. We show that while some of these take-downs were effective, others did not appear to have a significant long-term impact on the targeted botnet. In addition to the post-mortem analyses, we provide takedown recommendation metrics for 45 currently active botnets, where wend that 42 of them can likely be disabled entirely by using a DNS-based takedown strategy only.

A recent blog post, Three Reasons Why Botnet Takedowns are Ineffective by Brian Foster, CTO at Damballa, condenses the themes of the whitepaper. Foster reckons a combination of "haphazard" botnet takedowns, ignoring secondary communication methods that allow zombie networks to be reanimated and failure to arrest the cybercriminals behind botnets means that zombie networks pose a much bigger problem to internet hygiene than might otherwise be the case. ®

Bot-note

Damballa's name comes from a Voodoo snake god that protects against zombies. The infosec firm specialises against fighting against botnets of malware-infected (zombie) computers as well as so-called Advanced Persistent Threats.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.