What it takes to shut down a botnet

Researchers and a handful of ISPs knocked out most of a spam botnet's command-and-control servers last week, but the effect was temporary, which highlights the need for a sustained international crackdown

A botnet shutdown makes for a great story.

Take last week's shutdown of a botnet with 30 central command and control (C&C) servers and an unknown number of zombies (compromised PCs). As part of an experiment, researchers from startup security firm LastLine contacted the eight Internet service providers hosting those servers and asked them to take the servers down; about two-thirds of the C&C servers, which communicated with PCs infected with a variant of bot software known as Pushdo/Cutwail, were taken offline.


Initially, the results seemed promising: Spam from the botnet dropped dramatically.

"We ... had a major impact on the whole Pushdo botnet itself," says Thorsten Holz, senior threat analyst with LastLine and an assistant professor of computer science at Ruhr-University in Bochum, Germany. "But it was not our goal to have a complete takedown."

In fact, the impact on the cyber criminals behind the networks of compromised computers was fleeting, at best. This is the third time that a Pushdo botnet has been taken down, according to Atif Mushtaq with security firm FireEye's Malware Intelligence Lab. Each time the group, or groups, behind the botnets reconstituted their network fairly quickly.

"There is no rush as Pushdo backup servers are still up and running," writes Mushtaq in a blog post. "They will likely wait for a while until things calm down. In the meantime they will try to find new C&C servers aiming for a silent update of infected systems."

Mushtaq reviewed the results of the takedown and found that, within two days, the botnet's spam volumes had started to recover.

The only way to have a more lasting impact on botnets is to get more Internet service providers involved. Although the 30 C&C servers identified by LastLine were hosted by eight ISPs, only some of those companies acted on the takedown requests LastLine sent them. One large European provider, which the researchers declined to identify, did not respond at all, most likely because it does not have a well-staffed abuse department.

Yet research has shown that ISPs can make an enormous difference in tackling the botnet problem. For example, researchers found that if the top 50 ISPs removed the infected computers on their networks, the effort could eliminate half of all zombies and cut worldwide spam by half.

The main Internet service providers in many countries, including Australia, Denmark, and Japan, have started banding together to tackle botnets, not for the good of the Internet but out of enlightened self-interest: the groups are aiming to head off government intervention.

To be truly effective, however, such alliances have to expand to other countries, especially Eastern Europe, China, and Russia, because standard operating procedure among botnet criminals is to keep backup servers in those countries specifically to foil takedown efforts. Another botnet, called Koobface, controls its operations through legitimate servers that have been compromised, while adding redundant servers in non-cooperative jurisdictions.

"That's the main reason that so far no real attempt has been made to shut it down," says FireEye's Mushtaq.

This article, "What it takes to shut down a botnet," was originally published at InfoWorld.com.


Copyright © 2010 IDG Communications, Inc.