We can beat the botnets
Posted on 8 Mar 2010 at 14:50
Davey Winder celebrates some GBH (grievous botnet harm)
In the space of 24 hours, FireEye's determined team of security researchers managed to co-ordinate an attack against the command-and-control centres that botnets rely upon to stay alive, and as a result forced a quarter of a million bots offline and effectively disabled the Mega-D/Ozdok botnet, albeit temporarily.
The point is that FireEye's approach has now been shown to work, and if the security industry, the ISP industry and law-enforcement agencies had the will to follow it through, there's absolutely no reason why a sustained counter-attack couldn't all but wipe out the botnet threat within a matter of months.
FireEye’s team took a highly organised approach to the problem, studying the command and control architecture over a period of many weeks. Most importantly, it made a point of understanding the fallback mechanisms in place to keep the botnet alive if attacked. Only when the researchers were absolutely sure of the evidence they’d gathered regarding the domains being used for command-and-control and fallback – and only once they fully understood the structure of the beast they were dealing with – did they strike.
Speed was the real key to success, because to beat down a botnet and prevent its fallback strategy from kicking in, you quite logically need to disable all its command-and-control servers before they have a chance to start setting up alternative routes to their zombies.
First, all the identified ISPs were notified about which of their hosts were being used by the botnet, whether directly by the gang or on a compromised basis, with an urgent request to suspend them. Apparently, the evidence presented was compelling enough for only four of the hosts to remain up and running.
At the same time, other researchers contacted Internet Registrars with evidence pointing to those domains that had been identified as being either in the primary command-and-control or the secondary fallback chain. A number of these were suspended too, and FireEye also succeeded in getting many zombie PCs re-routed to a sinkhole server where data that identified the owners could be collected – those owners were in turn given help to clean their machines of the malware that allowed them to be compromised in the first place.
Within just 24 hours some 264,784 machines with unique IP addresses connected to that decontamination server!
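The two ideas in the passage above, that a takedown only sticks if every primary and fallback node is suspended or sinkholed at once, and that the sinkhole's value is a deduplicated list of victims to notify, can be modelled in a few lines. This is an added example, not FireEye's code; all host names, IP addresses and log lines are constructed placeholders.

```python
"""Added example (not FireEye's tooling): model the coordination the column
describes. A bot walks its primary C2 list first and only moves to the
fallback chain when no primary answers, so any node left live is a route
the gang can use to re-seize the bots. All names and addresses are constructed."""
from collections import Counter

# Constructed map of one botnet's infrastructure (placeholder names).
PRIMARY_C2 = ["c2-a.example", "c2-b.example", "c2-c.example"]
FALLBACK = ["fb-1.example", "fb-2.example"]


def first_reachable(primary, fallback, suspended, sinkholed):
    """Emulate the bot's lookup order. A sinkholed host still answers (so the
    bot lands on the sinkhole); a suspended host fails and the bot moves on.
    Returns (tier, host): tier is 'primary', 'fallback', 'sinkhole' or 'none'."""
    for tier, hosts in (("primary", primary), ("fallback", fallback)):
        for host in hosts:
            if host in sinkholed:
                return ("sinkhole", host)
            if host not in suspended:
                return (tier, host)
    return ("none", None)


def takedown_gaps(primary, fallback, suspended, sinkholed):
    """Pre-strike planning check: every node that is neither suspended nor
    sinkholed is a gap the fallback strategy can exploit."""
    covered = set(suspended) | set(sinkholed)
    return [h for h in primary + fallback if h not in covered]


# Constructed sinkhole log: timestamp, client IP, host name the bot asked for.
SINKHOLE_LOG = """\
2010-03-01T10:00:01 198.51.100.7 c2-a.example
2010-03-01T10:00:02 203.0.113.9 c2-a.example
2010-03-01T10:00:05 198.51.100.7 fb-1.example
2010-03-01T10:00:09 192.0.2.44 c2-a.example
"""


def unique_victims(log_text):
    """Deduplicate sinkhole hits by client IP (the column's 264,784 figure is
    a count of unique IPs) and tally which host name each bot was seeking.
    Returns (unique_ip_count, Counter of hits per host)."""
    ips, per_host = set(), Counter()
    for line in log_text.splitlines():
        _ts, ip, host = line.split()
        ips.add(ip)
        per_host[host] += 1
    return len(ips), per_host
```

Suspending only the three primaries leaves the bot on `fb-1.example`, which is exactly the partial result the column warns against; suspending the fallbacks and sinkholing one primary sends every bot to the sinkhole instead.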
The end result was that for a week or two Mega-D was crippled, the number of reported zombies dropping from around 1,500 a day to 50 or less. Of course, the success was short-lived, as the gang behind this profitable enterprise took advantage of the fact that it was just a one-off attack, and has since been investing time and money in rebuilding its botnet.
As I write, I’m led to believe that activity is back up to about 75% of what it was before FireEye rained those 24 hours of good-guy hell on them.
Updates updates updates...
One customer's previous service provider had never turned on automatic updates (although they had installed WSUS server) and never let the AV software scan the machines (256MB RAM and 1.2GHz processors on most, so a scan takes a couple of days!).
I was left with a network full of Conficker-infected machines! If they had kept their machines up to date, I wouldn't have had that problem!
By big_D on 9 Mar 2010
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.