Botnets: Can they be beaten?

Botnets, the plague of the Internet in recent times, are used to perpetrate all sorts of illegal activities, from collecting personal and confidential information to hammering mail servers with spam. Botnets have been known about for years and have proven very difficult for law enforcement agencies to crack down on. At last it looks like botnets are starting to take some serious damage. In New Zealand an 18-year-old has been arrested and had his computer seized; he is suspected of heading up a global gang who call themselves the "A-Team". This group has infected millions of computers worldwide with an adaptation of the AKBot worm, a backdoor program which can be used to remotely control the infected machines and perform a multitude of illegal activities.

It's thought that the FBI played a substantial role in the arrest in New Zealand as part of a wider attack on botnets and their masters. This press release states that eight suspects have been arrested and either pleaded guilty or been convicted of running botnets. On top of that, another thirteen arrest warrants have been issued!

I'm not sure we'll ever be rid of botnets; as the authorities start to make progress, the criminals will inevitably get better at covering their tracks. Still it's nice to see some kind of action being taken to fight what is one of the Internet's biggest problems.

3 comments
jmgarvin

Subvert and then destroy. Why? If you can take over a few machines in a botnet, you can not only find the owner(s), you can use the botnet to YOUR advantage as a good guy. Writing a paper on this now...it only makes sense.

Dr Dij

Had dissected the bots and back-infiltrated their networks as the bots 'phone home'. For ease of use they probably have just a few control points. They could rotate these, but they could be infiltrated as fast as they rotate. I think the GRC guy did some of this. Some people don't like him, but I think this work was great. And a similar strategy was suggested to shut down phishers: hit the hosts they're on. They can put in endless DNS entries, but they usually point to just a few 'bulletproof' servers, as others would be taken offline. I think to 'take them out' various orgs may start waging low-level cyberwarfare against any ISPs who don't respond to take down criminal sites and aid/abet them. Plus the simplest route is for ISPs, companies and high-level interconnect companies to BLOCK the address ranges of said companies. Kaspersky has a list of 5 ISPs, for example, that are the majority of malware hosting sites. They'll switch to more distributed but less efficient / harder control methods, but it is still worth doing. This would up the ante and greatly reduce the ease of doing criminal activities, and is probably inevitable since we can't invade Tuvalu or make troop drops in Timbuktu simply to get rid of some criminal hosting ISP.