Shadowserver Foundation: Unsung heroes in the botnet wars

There is a group of security professionals that volunteer their time -- lots of time -- to rid the Internet of cybercrime. Discover how they are making a difference.

I first learned about the Shadowserver Foundation in 2006. To be honest, I was suspicious at first, because they weren't pushing a product. According to them, their sole purpose was to understand cybercrime well enough to help others create deterrents.

Four years later, Shadowserver Foundation still believes that, and the foundation has become a powerful force bent on fighting Internet crime. The foundation's mission statement attests to their conviction:

"It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware."

To accomplish their goal, the Shadowserver Foundation does the following:

  • Capture and receive malicious software, or information related to compromised devices
  • Disassemble, sandbox, and analyze viruses and trojans
  • Monitor and report on malicious attackers
  • Track and report on botnet activities
  • Disseminate cyberthreat information
  • Coordinate incident response

Those aren't simple tasks, yet the Shadowserver Foundation carries them out on a daily basis. Being the curious type, I hoped to find out more details. A busy Andre' M. Di Mino, one of the organization's founders and its co-director, was willing to help by answering the following questions:

TechRepublic: Could you give some personal insight about the Shadowserver Foundation, the people involved, and their background?

Andre' M. Di Mino: Shadowserver originally started as a small group of people that were interested in capturing malicious software, analyzing it, and seeing what it did. Once we started enumerating botnet Command and Control servers, we decided to notify the affected ISPs and hosting providers. We then streamlined our process and now provide a wide variety of actionable data to the community.

Our philosophy was, and always will be, that information pertaining to malicious activity on an organization's network should be freely shared with that organization at no cost or obligation. Shadowserver has been providing this service freely to many subscribers for over two years, and currently generates over 10,000 reports nightly.

Over time, we've brought on some very talented and dedicated security professionals. Right now, we have 12 core team members around the world.

TechRepublic: The Shadowserver Foundation consists of several distinct groups. Could you give a brief description of what each does?

Andre' M. Di Mino: The following are the current operational divisions. Each team consists of volunteer security consultants that work to achieve the division's goals:

  • E-Fraud: Online identity theft, phishing, and credit card theft are an overwhelming part of the Internet underground. The eFraud Division sifts through this underground to gather and process intelligence that can assist the appropriate authorities in shutting down these operations.
  • Botnet Intelligence: Our initial focus and most popular division is related to botnet intelligence. Botnets are used as a weapon in online crime. From DDoS attacks, spam email, identity theft through key loggers, and the spreading of malware, these nets are the mafia of the Internet. At any given time, there are hundreds of botnets under surveillance.
  • Malware: This division focuses on disassembling and reverse engineering viruses, trojans, and other types of hostile code. Several thousand files have been reverse engineered, with a current repository of 50 million sample binaries and 30 million unique viruses.
  • Honeypots: The primary focus is to collect malware, phishing scams, and data, which is later examined by the other divisions. With various types of honeypots and collection mechanisms, in nearly every part of the world, we are able to see events as they happen, rather than days or weeks later.

TechRepublic: Could you give us a sense of what happens once you are alerted to a new botnet strain?

Andre' M. Di Mino: Our process runs a pretty wide spectrum from malware analysis to studying the networks involved. Typically, we analyze the malware via various methods in order to determine its behavior and that of the associated networks.

From there, we may set up some monitoring systems to passively gather data on the botnet and its activities. We may also dive a bit deeper into the botnets themselves in order to better understand the topologies and network distribution.

For us, it's really all about gathering as much data on malicious activity as we can. For example, if we can determine the drone systems involved in a particular botnet, we then begin alerting the affected network providers. That in turn allows them to remediate the infected drones on their network.

TechRepublic: I wrote an article, "GhostNet: Why it's a big deal," that summarized an amazing investigation by Information Warfare Monitor and Shadowserver Foundation into how the office networks of the Dalai Lama were compromised. Could you please explain your role in the effort?

Andre' M. Di Mino: One of our strong capabilities is malware analysis. We have a variety of systems that allow us to analyze large quantities of malware in great detail. We were asked to examine some files and data that were of interest to this effort.

From the analysis, we were able to provide key information indicating the networks and targets involved in the attacks. More details of our involvement can be found in Information Warfare Monitor's recently released report, "Shadows in the Cloud."

TechRepublic: Over the past few years, the Shadowserver Foundation has worked with Microsoft on botnet projects, the most recent being the B49 Waledac Effort. Do you feel this sort of collaboration is beneficial? Some spam experts said the Waledac botnet was only momentarily slowed; why is that?

Andre' M. Di Mino: Botnet/malware projects will strongly benefit from worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to the effort of working with other groups dedicated to improving the safety of the Internet.

Spam will continue to be a major product of the more prolific botnets out there. While spam levels will ebb and flow with the botnet takedown efforts, the fight must continue. As I mentioned in a recent blog post, "Success is not measured in the percentage of spam reduced over a short period of time. Success in this arena is in breaking new ground in the analysis and disruption of 'notorious' botnets."

TechRepublic: Your research efforts are fascinating to many of us. What sort of education and experience would someone need to become an effective security researcher?

Andre' M. Di Mino: There are many aspects of information security that could be of interest to someone starting out. Understanding network communication protocols and the associated analysis tools is a strong plus.

Also, malware reverse engineering, both static and dynamic, is an important area of interest. A general understanding of security, vulnerabilities, and overall network detection and defense is also pretty foundational.

There are so many aspects to this field, but two traits I see as essential are:

  • You truly love what you are doing.
  • Realize that you will never stop learning something new every day, either on your own or from others.

Get involved

During our conversations, Mr. Di Mino stressed the importance of our participation. To that end, the foundation offers several ways in which we can become partners in the fight:

  • Get reports on your network: Reports are designed for organizations that directly own or control network space. Those responsible can receive customized reports detailing detected malicious activity to assist in their detection and mitigation program.
  • Submit a botnet: By using a ticket-tracking system, anyone can submit botnet information to the Shadowserver Foundation, where it will be analyzed and acted upon.
  • Build a honeypot: The Shadowserver Foundation's Web site has excellent documentation on how to set up a honeypot. They obviously encourage this as a way to gather more information about malware in real time.

Final thoughts

The Shadowserver Foundation is a group of dedicated malware fighters that could use our help and encouragement. They are, after all, trying to keep us safe while we traverse the Internet.

I want to thank Andre' M. Di Mino for taking the time to answer my questions and the Shadowserver Foundation for their effort.

17 comments
edwardspbe

Hey... what happened to shadowserver.org? It's off the air! :-0

GizmoGirl

Interesting. Working on my M.Sc. in Information Assurance, so will be giving these guys a look.

Ocie3

Web site is interesting. Thank you again for writing about them. They certainly deserve our attention and cooperation. Personally, though, what those guys do is totally out of my depth. I was tempted to ask them if they have any interest in undetectable rootkits. The most recent Malwarebytes' Anti-Malware run found 14 copies of a worm in the XP C:\Windows\system32 directory of the installation that I was replacing. They were probably introduced relatively recently, since the most recent run of MBAM (though the signatures file might not have had the worm's signature in it at that time). One thing is clear, namely, that the worm most likely was a packet that was crafted to pass through the firewall without being intercepted. I doubt that JavaScript was involved. Worms do not need web sites to spread. They are designed to spread themselves via networks, and are one reason that firewalls were invented.

mirazhyun

What a nice group of people. Some people like to learn new things regardless of where they come from. With shared problems, I hope the technology will advance faster. :)

santeewelding

How, as a nonprofit foundation, do they put food on the table?

Michael Kassner

Have you heard of the organization? Many haven't and should. They are important to all of us who travel the internet.

Michael Kassner

In your endeavors. We need more people like yourself.

Michael Kassner

You cut yourself short, sir. Next subject, ask at least. I suspect/hope that you might be surprised by what Shadowserver might do. As for MBAM and your situation, it appears to be a focused attack. Take care.

Michael Kassner

I also like the fact that the members are from all parts of the world.

Michael Kassner

That shows their dedication. In fact, I almost missed the deadline, as Mr. Di Mino was at a client most of yesterday. He was kind enough to help me finish late last night.

groundhog32

Echo the sentiments above. Excellent article; word really needs to get out there to the people who need to know and every bit of publicity helps. Don't they self-publicize (or is it a budget issue holding them back)?

LimitedWisdom

Michael, excellent article. I had not heard of this organization before; to be sure, I'll be investigating more and following them. Thanks for another great article that's very relevant to my organization today! -Chris

NickHurley

Sounds like something worthwhile to be a part of. We've had some outbreaks we have managed to subdue on our networks here; I guess we could have sent that data their way. Will keep those guys in mind next time.

Michael Kassner

I can only guess. They are pretty busy following all the nasty stuff out there. Plus, they all have full-time jobs as far as I know.

Michael Kassner

If you read about some of the bigger investigations, Shadowserver is usually involved. That says a lot. They are highly regarded by other IT Security SMEs as well.

Michael Kassner

It is my understanding that they would appreciate any insight. Real-world experience trumps other discovery methods.