Botnet takedown sets legal, not technical, precedent
Security experts applaud the U.S. Department of Justice's foray into more aggressive tactics against cybercrime
By Robert Lemos
April 19, 2011 — CSO
In the security industry, researchers have often been able to infiltrate botnets. Yet, the next step has always been a big question mark.
Now, defenders may have a new slate of options. The takedown of the Coreflood botnet marks the start of a more aggressive stance against botnets, say security experts. Last week, the U.S. Department of Justice obtained a temporary restraining order forcing registrars to reroute requests from infected computers, not to Coreflood's command-and-control servers, but to a substitute server managed by a non-profit group. Under the judge's order, the sinkhole server can issue commands that prevent the bot agents from carrying out their normal operations.
The result has been a drop of several orders of magnitude in the activity from the botnet, says Don Jackson, director of threat intelligence for Dell SecureWorks.
"Compared to what it used to be like — it is a pin drop compared to the symphony of activity that was going on before," Jackson says. "A bot now receives the pause command and it stays quiet. It does not reach out at the normal intervals. When it does, it just receives a pause command, which it only does at reboot."
In the recent past, fear of causing problems on infected computers prevented security researchers from taking any aggressive measures. In 2008, for example, researchers infiltrated the Kraken botnet and could have issued commands to compromised PCs to uninstall the software, but decided against the controversial move because of liability concerns.
"In all seriousness, cleansing the systems would probably help 99 percent of the infected user base," David Endler, the director of TippingPoint's researchers, stated at the time. "It's just the 1 percent of corner cases that scares me from a corporate liability standpoint."
Yet the Department of Justice's move to issue commands, a first for U.S. law enforcement, opens up more aggressive opportunities for defenders. In 2009, researchers at the Conference on Cyber Warfare in Estonia called for more aggressive countermeasures against dangerous worms and botnets, such as Conficker. In 2010, the Dutch police pushed "good" software to computers infected by the Bredolab botnet.
The U.S. Department of Justice has established a good model for approaching the shutdown of a botnet, says Dell's Jackson. The agency wrote a 60-page legal memo analyzing the decision and spelling out the steps it took, including technical analysis and consultation with the industry, to limit damage from the move. Fully understanding the workings of the bot software, getting expert analysis, and limiting the data intercepted from the botnet show common sense, says Jackson.