Botnet takedown sets legal, not technical, precedent

Security experts applaud the U.S. Department of Justice's foray into more aggressive tactics against cybercrime

In the security industry, researchers have often been able to infiltrate botnets. Yet, the next step has always been a big question mark.

Now, defenders may have a new slate of options. The takedown of the Coreflood botnet marks the start of a more aggressive stance against botnets, say security experts. Last week, the U.S. Department of Justice obtained a temporary restraining order forcing registrars to reroute requests from infected computers, not to Coreflood's command-and-control servers, but to a substitute server managed by a non-profit group. Under the judge's order, the sinkhole server can issue commands to prevent the bot agents from carrying out normal operations.

The result has been a drop of several orders of magnitude in the activity from the botnet, says Don Jackson, director of threat intelligence for Dell SecureWorks.

"Compared to what it used to be like — it is a pin drop compared to the symphony of activity that was going on before," Jackson says. "A bot now receives the pause command and it stays quiet. It does not reach out at the normal intervals. When it does, it just receives a pause command, which it only does at reboot."

In the recent past, fear of causing problems on infected computers prevented security researchers from taking any aggressive measures. In 2008, for example, researchers infiltrated the Kraken botnet and could have issued commands to compromised PCs to uninstall the software, but decided against the controversial move because of liability concerns.

"In all seriousness, cleansing the systems would probably help 99 percent of the infected user base," David Endler, the director of TippingPoint's researchers, stated at the time. "It's just the 1 percent of corner cases that scares me from a corporate liability standpoint."

Yet, the Department of Justice's move — a first for U.S. law enforcement — to issue commands opens up more aggressive opportunities for defenders. In 2009, researchers at the Conference on Cyber Warfare in Estonia called for more aggressive countermeasures against dangerous worms and botnets, such as Conficker. In 2010, the Dutch police pushed "good" software to computers infected by the Bredolab botnet.

The U.S. Department of Justice has established a good model for approaching the shutdown of a botnet, says Dell's Jackson. The government agency wrote a 60-page legal memo analyzing the decision and spelling out the steps it took, including technical analysis and consultation with the industry, to limit damage from the move. Fully understanding the workings of the bot software, getting expert analysis, and limiting the data intercepted from the botnet show common sense, says Jackson.

"I don't think a lot of people realize how much effort and how much discussion went into doing this at the highest level," he says. "Obviously, everyone saw the necessity of this type of involvement."

The Coreflood botnet has existed for almost a decade, according to security researchers. Originally, compromised PCs were used to launch denial-of-service attacks against other networks. Around 2005, the cybercriminals' focus changed to monetizing the theft of personal information.

The opportunity to take down the Coreflood botnet arose mainly because the software used fairly old methods of communication and no command-and-control authentication. Newer bot software would be more difficult to attack, but not impossible, says Gunter Ollman, vice president of research for network security firm Damballa. Future botnets could be disrupted by finding vulnerabilities in their programming, in much the same way that cybercriminals and other attackers find vulnerabilities in enterprise software today, he says.

"This particular tactic cannot be applied universally to botnets, but the precedent has been set," says Ollman. "This is less about how the takedown was conducted, and more about the fact that law enforcement was allowed to send commands to the bot agents."

While U.S. authorities have gained permission to send a "pause" command to the infected computers, Jackson thinks it's unlikely that they will attempt to clean up the systems of U.S. citizens.

"Right now, the landscape is not suited to cleaning up bot-infected computers," he says. "I think it will be a long time and a major change in the attitude to do more than they did here."

Microsoft, however, released an update to its Malicious Software Removal Tool that cleans systems of the Coreflood agent.
