What it takes to shut down a botnet
Eight ISPs took down a huge botnet last week, but the effect was temporary -- and highlights the need for a sustained international crackdown
Follow @infoworld
A botnet shutdown makes for a great story.
Take last week's shutdown of a botnet with 30 central command and control (C&C) servers and an unknown number of zombies (compromised PCs). As part of an experiment, researchers from startup security firm LastLine contacted eight Internet service providers to take down about two-thirds of the central servers, which communicated with PCs infected with a variant of bot software known as Pushdo/Cutwail.
[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Initially, the results seemed promising: Spam from the botnet dropped dramatically.
"We ... had a major impact on the whole Pushdo botnet itself," says Thorsten Holz, senior threat analyst with LastLine and an assistant professor of computer science at Ruhr-University in Bochum, Germany. "But it was not our goal to have a complete takedown."
In fact, the impact on the cyber criminals behind the networks of compromised computers was fleeting, at best. This is the third time that a Pushdo botnet has been taken down, according to Atif Mushtaq with security firm FireEye's Malware Intelligence Lab. Each time the group, or groups, behind the botnets reconstituted their network fairly quickly.
"There is no rush as Pushdo backup servers are still up and running," writes Mushtaq in a blog post. "They will likely wait for a while until things calm down. In the meantime they will try to find new C&C servers aiming for a silent update of infected systems."
Mushtaq reviewed the results of the takedown and found that, within two days, the spam volumes started to recover.
