Botnet whack-a-mole just might work

As Kelihos botnet taken down again, Microsoft wields legal tactics to pursue bot operators -- when Internet users really need arrests

The security industry upped the ante against criminal bot operators this week. On Wednesday, security firm Kaspersky reported it had disrupted a botnet consisting of 110,000 computers infected with Kelihos, or Hlux, bot program. Two days earlier, Microsoft announced it had shut down a large network of computers compromised with the Zeus banking trojan.

But are the industry takedowns of botnets actually helping? Neither Microsoft nor Kaspersky claim that the efforts will make a permanent dent in the targeted criminals' operations. Rather than catch the crooks, the companies are focused on disrupting their operations.

"We knew that we would never take one particular botnet offline," says Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, who led the legal side of the software giant's attack on Zeus. "The goal was to introduce as much entropy into their control structure as possible. In the process of doing that, we have been able to have a window of time to impact as many computers as possible."

Microsoft worked with the Financial Services Information Sharing and Analysis Center, the Electronic Payments Association, and security skunkworks Kyrus Tech to build a case against a particular developer's version of Zeus to gain court orders allowing the company to raid two data centers based in the United States in cooperation with the U.S. Marshal Service. In addition, Microsoft has publicized many of the online handles used by the criminals responsible for the particular Zeus variant the company investigated.

Microsoft's methods -- while setting new legal precedents -- fall short of a permanent solution to the botnet problem, say experts.

"I think this is the second best option for dealing with the threat: removing the bad guys' infrastructure," says Gunter Ollmann, vice president of research for threat management firm Damballa. "The best option, of course, is knowing who the bad guys are and taking them out."

Microsoft's action is the fourth such takedown action led by the company. Last September, the company -- along with Kaspersky -- disrupted the Kelihos botnet. Prior to that, the software giant targeted two other botnets, Waledac and Rustock, as part of the Microsoft Active Response for Security program.

The September takedown of Kelihos killed the 40,000-node botnet, but the criminals behind the network -- or another group with access to the Kelihos code -- created a new botnet quickly. On Wednesday, Kaspersky reported that it had managed to infiltrate the new version of the Kelihos botnet and point nearly 110,000 compromised computers to a command-and-control server owned by the company, essentially taking down the botnet.

"The botnet is not controlled by the original owners anymore," says Marco Preuss, Kaspersky's head of global research and analysis in Germany. "The machines are still infected, but we are trying to inform ISPs so they can talk to their clients."

There are signs that the takedown tactics are working, however. The new Kelihos botnet, for example, consisted of a large proportion of compromised Polish computers, an odd statistical skew. The artifact raises the possibility that the group behind the network may have purchased or leased tens of thousands of bot-infected computers on the underground market, because they wanted to build their botnet quickly, Preuss says.

If the tactics are increasing the demand for the large -- but still limited -- number of compromised computers, underground prices could eventually take off, increasing the costs to criminals' businesses. And that would be a definite success.

This story, "Botnet whack-a-mole just might work," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.