Grading Rogue ISP Takedowns in Botnet Fight
Fighting botnets can't just mean updating antivirus. After all, the amount of malware on the scene is not shrinking. In the past 18 months, security researchers have repeatedly set their eyes on rogue ISPs such as McColo and 3FN/Pricewert.
However, the drop off in spam levels after the takedowns was short-lived, as botnet operators shifted tactics and other botnets stepped up their spamming efforts to take over for those that had been disrupted.
It has become a familiar pattern, one that Matt Sergeant, senior anti-spam technologist at Symantec's MessageLabs, knows all too well. Sergeant was planning to examine the subject Wednesday in a talk at the RSA Conference in San Francisco, but instead Symantec colleague Alex Shipp, senior Anti-Virus Technologist and Imagineer for Symantec Hosted Services, will be taking his place.
The goal of the talk, however, remains the same: to figure out what we should learn from these incidents, and how to use this knowledge to better defeat the botnets spamming our inboxes.
Of all the ISP takedowns that have happened, the McColo shutdown was the most effective for two reasons: one, it hosted the C&C for the largest botnet at the time (Srizbi); and two, Srizbi was not programmed well to cope with a takedown, Sergeant said. In fact, Srizbi never recovered - though he speculated its owners were/are the owners of one of the other current extremely large botnets such as Rustock.
After the typical takedown, the botnet operators improved the code for finding new hosts if the main command and control server went away, he said.
"They improved the update cycle, and they started using more complicated encryption schemes," he explained. "One of the botnets even uses encrypted IPs in DNS, so that they look like regular IPs, but the IP used (for C&C) isn't the one returned over DNS. This prevents passive DNS sniffers discovering the C&C."
But such countermeasures are not the only things preventing long-term damage to many of the Web's most notorious botnets. There is also the fact that other unscrupulous ISPs are quick to take the place of any ISP that gets taken down.
"Sadly there are way too many people willing to take money for nefarious and illegal activity," Sergeant said. "As such these ISPs continue to crop up, and policing them is very difficult. We simply do what we can, document our findings and hope upstreams and law enforcement take note."