
Microsoft bot takedowns help, but are no cure

Takedowns of Zeus botnet command and control servers like the one executed last week by Microsoft and others do reduce the criminal activity they spawn - for a while - but attackers learn from the experience and come back with more sophisticated techniques, a security expert says.

Eliminating the servers that issue commands and gather stolen data can stop a particular criminal enterprise temporarily, but without grabbing the people behind it, a new botnet is likely to emerge to replace the ones that are disabled, says John Pironti, president of ITArchitects.

BACKGROUND: Microsoft downs Zeus botnet but can't ID who's behind it 

ANOTHER TAKEDOWN: International security team shoots down second Hlux/Kelihos botnet 

"Adversaries will study how Microsoft did this and create ways to get around it in the future," he says. "They'll change their methods and practices and won't make the same mistake twice."

In fact, even as Microsoft grabbed the servers to which zombie machines were reporting stolen banking data, criminals were already using more sophisticated means. Whereas the Zeus botnet employed a beacon reporting system in which drone machines report to a single server, newer botnets use command and control servers that are linked peer-to-peer to make discovery and takedowns harder, Pironti says.
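The contrast above has a defensive corollary: a drone that checks in with one server on a fixed schedule leaves a regular beaconing pattern in connection logs, while peer-to-peer traffic spread across many peers does not. The following is an added example written for this page, not code from the article or from Microsoft; it flags source/destination pairs whose inter-connection gaps are frequent and nearly constant. The connection records, host names, and thresholds are constructed for illustration.

```python
"""Added example (not from the article): flag hosts that beacon to a single
server at a regular interval, the check-in pattern the article attributes to
Zeus-style centralized command and control. All records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (timestamp_seconds, source_host, destination_host)
CONNECTIONS = [
    # drone-1 checks in with one server every ~300 s (jitter of a few seconds)
    (0, "drone-1", "c2.example"), (302, "drone-1", "c2.example"),
    (599, "drone-1", "c2.example"), (901, "drone-1", "c2.example"),
    (1198, "drone-1", "c2.example"), (1502, "drone-1", "c2.example"),
    # workstation-7 browses a web server at irregular, human-paced intervals
    (5, "workstation-7", "www.example"), (41, "workstation-7", "www.example"),
    (700, "workstation-7", "www.example"), (712, "workstation-7", "www.example"),
    (1490, "workstation-7", "www.example"), (1500, "workstation-7", "www.example"),
    # drone-2 talks to several peers irregularly (peer-to-peer style traffic)
    (10, "drone-2", "peer-a"), (140, "drone-2", "peer-b"), (390, "drone-2", "peer-c"),
    (400, "drone-2", "peer-a"), (1100, "drone-2", "peer-d"), (1300, "drone-2", "peer-b"),
]


def intervals(timestamps):
    """Gaps between consecutive connections of one (source, destination) pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def find_beacons(connections, min_connections=5, max_cv=0.1):
    """Return {(src, dst): mean_interval} for pairs whose connection gaps are
    both frequent (>= min_connections) and regular: the coefficient of
    variation (stddev / mean) of the gaps is at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few observations to call the timing regular
        gaps = intervals(stamps)
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), avg in find_beacons(CONNECTIONS).items():
        print(f"{src} -> {dst}: regular check-in every ~{avg:.0f}s")
```

Only drone-1 trips the check: its gaps cluster tightly around 300 seconds, the workstation's gaps vary by two orders of magnitude, and drone-2's peer-to-peer contacts never accumulate enough connections to any single peer. That last case is the point the article makes: spreading check-ins across peers defeats a single-server beacon signature, so detection has to look at other features of the traffic.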

"Microsoft did a good job of taking them down," he says. And chipping away one botnet at a time does have an effect.

It also helps gather data about how the criminals work and offers up the possibility that they will make a mistake that will reveal who they are and where they are located, which could lead to their arrest. That is the most effective way to stop botnets, he says, but it relies on patience and diligence in looking for the criminals' mistakes.

Often investigators can track participants in botnet exploits, but usually they are low-level functionaries, directly moving cash that is stolen in the operations. The masterminds generally protect themselves behind layers of their crime hierarchy, and survive to start afresh, Pironti says.

He says he knows of at least one case in which criminals abandoned a botnet that was up and running and it continued to gather data from zombie machines. Later, it appeared that other criminals either bought or stumbled upon and took over the botnet, he says.

Based on behavioral signatures, it appeared that a different crew was running the botnet, which he came across in his consulting. The perpetrators logged into different environments, used different machine types, searched their stolen data differently and even used different protocols such as FTP vs. SFTP to transfer data, all of which indicated a change of personnel.
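The behavioral signatures listed above (login environment, machine type, how the stolen data was searched, FTP versus SFTP) can be turned into a simple operator fingerprint. What follows is an added example written for this page, not code from the article or from Pironti's engagement: it groups consecutive operator sessions into runs that share a profile and starts a new run when a session differs from the current run's baseline in most tracked features. The session records and feature values are constructed for illustration.

```python
"""Added example (not from the article): segment operator sessions seen on a
drop server into runs with a shared behavioral profile, so that a change of
crew shows up as a new run. All session records are constructed."""
from collections import Counter

# Constructed session records observed on a compromised data-drop server
SESSIONS = [
    {"id": 1, "login_env": "vps-eu", "machine": "win7", "query": "by-bank", "transfer": "FTP"},
    {"id": 2, "login_env": "vps-eu", "machine": "win7", "query": "by-bank", "transfer": "FTP"},
    {"id": 3, "login_env": "vps-eu", "machine": "winxp", "query": "by-bank", "transfer": "FTP"},
    {"id": 4, "login_env": "tor", "machine": "linux", "query": "by-date", "transfer": "SFTP"},
    {"id": 5, "login_env": "tor", "machine": "linux", "query": "by-date", "transfer": "SFTP"},
]

# The behavioral features the article mentions, in a fixed order
FEATURES = ("login_env", "machine", "query", "transfer")


def fingerprint(session):
    """Tuple of the session's feature values, in FEATURES order."""
    return tuple(session[f] for f in FEATURES)


def baseline(sessions):
    """Most common value of each feature across a run of sessions; ties go to
    the value seen first, so a single odd session does not move the baseline."""
    return tuple(Counter(s[f] for s in sessions).most_common(1)[0][0] for f in FEATURES)


def changed_features(session_a, session_b):
    """Names of the features on which two sessions differ."""
    return [f for f in FEATURES if session_a[f] != session_b[f]]


def split_by_operator(sessions, min_diffs=3):
    """Group consecutive sessions into runs that share a behavioral profile.
    A new run starts when a session differs from the current run's baseline
    in at least `min_diffs` features. Returns the session ids of each run."""
    runs = []
    for s in sessions:
        if runs:
            base = baseline(runs[-1])
            diffs = sum(1 for a, b in zip(base, fingerprint(s)) if a != b)
            if diffs < min_diffs:
                runs[-1].append(s)  # consistent with the current operator
                continue
        runs.append([s])  # profile changed: treat as a new operator
    return [[s["id"] for s in run] for run in runs]


if __name__ == "__main__":
    runs = split_by_operator(SESSIONS)
    print("operator runs:", runs)
    for prev, cur in zip(SESSIONS, SESSIONS[1:]):
        changes = changed_features(prev, cur)
        if changes:
            print(f"session {prev['id']} -> {cur['id']} changed: {', '.join(changes)}")
```

With the constructed data the first three sessions form one run despite a single machine-type change, and sessions 4 and 5 form a second run because login environment, machine, query style and transfer protocol all change at once. The `min_diffs` threshold is what separates a crew member trying a new workstation from a different crew taking over; lowering it to 1 splits on every deviation, which is too noisy to act on.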

Human nature and the desire to get as much money out of criminal botnets as possible can lead to the downfall of ringleaders, he says. As they want more of the take for themselves, they sometimes let down their guard, making them vulnerable and sometimes identifiable. "Greed is good," he says.

(Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at [email protected] and follow him on Twitter https://twitter.com/#!/Tim_Greene.)
