Botnets Keep Springing Back to Life After Takedowns, Damballa CTO Says

The network-security executive argues that the high-profile botnet takedowns in recent years are not helping the Internet, but are more of a distraction.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Kelihos keeps coming back, Citadel is hard to kill, and Zeus seems immortal. Security firms, led by software giant Microsoft, have tried to shut down each of these botnets, but despite some initial signs of success, each has come back to life.

Botnets, networks of compromised computers under the control of a cyber-criminal gang, are tough to beat. Yet the security industry has largely failed to succeed against botnets, not because of the technical aptitude of the attackers, but because of shortcomings in the industry's approach, according to one industry executive.

In a pair of blog posts, with a third yet to come, Brian Foster, chief technology officer for network-security firm Damballa, has criticized the takedown efforts to date, arguing that many are more a public-relations exercise than a service for the Internet community.

A lack of cooperation, a failure to rigorously analyze the malware, and the inability to arrest and prosecute the operators have allowed nearly every botnet to be reconstituted by the cyber-criminals who create them, Foster told eWEEK.

"Sometime I wonder if these takedowns are done by the marketing team rather than the technical security teams," Foster said.

Over the last decade, a wide variety of botnets have been shut down by private efforts. In 2009, for example, security consultancy Defense Intelligence teamed with Spanish security firm Panda Labs and the Georgia Institute of Technology to help take down the Mariposa botnet, which illicitly controlled millions of compromised PCs. In 2010, Microsoft launched its own initiative to pursue legal actions against botnet masters, filing civil actions and then seizing command-and-control servers under court orders.

The comments came a week after Microsoft announced the opening of its Cybercrime Center, which houses all the company's efforts to disrupt botnet and other anti-cyber-crime activities. Microsoft's Digital Crimes Unit, which will call the Cybercrime Center home, has disrupted seven botnets in the past three years, each time using court orders paired with technical efforts.

"By combining sophisticated tools and technology with the right skills and new perspectives, we can make the Internet safer for everyone," David Finn, associate general counsel of the Microsoft Digital Crimes Unit, said in a statement on Nov. 14.

Yet security firms need to refine their approach, said Damballa's Foster. Because botnets infect systems worldwide, broader coalitions need to band together to fight them. Microsoft, for example, has been criticized for shunting botnet traffic to its own servers, preventing other researchers who were studying botnets from analyzing traffic data.

"It's not that I think that Microsoft's heart is not in the right place, but we need to change the economics for the attacker, and we are not doing that," he said.

In addition, companies need to do more analysis of the malware used to create botnets to find all the contingencies that the operators have built in. Only then can defenders create a comprehensive strategy to cut off every compromised system from "phoning home" for new orders, Foster said.

Finally, companies need to work with law enforcement to pursue the botnet masters and punish them with arrest and jail time, he said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...