Shadowserver Foundation: Unsung heroes in the botnet wars

There is a group of security professionals that volunteer their time -- lots of time -- to rid the Internet of cybercrime. Discover how they are making a difference.

I first learned about the Shadowserver Foundation in 2006. To be honest, I was suspicious at first. That's because they weren't pushing a product. According to them, their sole purpose was to understand cybercrime to a point where they could help others create deterrents.

Four years later, Shadowserver Foundation still believes that, and the foundation has become a powerful force bent on fighting Internet crime. The foundation's mission statement attests to their conviction:

"It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware."

To accomplish their goal, the Shadowserver Foundation does the following:

  • Capture and receive malicious software, or information related to compromised devices
  • Disassemble, sandbox, and analyze viruses and trojans
  • Monitor and report on malicious attackers
  • Track and report on botnet activities
  • Disseminate cyberthreat information
  • Coordinate incident response

Those aren't simple tasks, yet they are things the Shadowserver Foundation does on a daily basis. Being a curious type, I hoped to find out more details. A busy Andre' M. Di Mino, one of the organization's founders and co-director, was willing to help by answering the following questions:

TechRepublic: Could you give some personal insight about Shadowserver Foundation, the people involved, and their background?

Andre' M. Di Mino: Shadowserver originally started as a small group of people that were interested in capturing malicious software, analyzing it, and seeing what it did. Once we started enumerating botnet Command and Control servers, we decided to notify the affected ISPs and hosting providers. We then streamlined our process and now provide a wide variety of actionable data to the community.

Our philosophy was, and always will be, that information pertaining to malicious activity on an organization's network should be freely shared with that organization at no cost or obligation. Shadowserver has been providing this service freely to many subscribers for over two years, and currently generates over 10,000 reports nightly.

Over time, we've brought on some very talented and dedicated security professionals. Right now, we have 12 core team members around the world.

TechRepublic: The Shadowserver Foundation consists of several distinct groups. Could you give a brief description of what each does?

Andre' M. Di Mino: The following are the current operational divisions. Each team consists of volunteer security consultants that work to achieve the division's goals:

  • E-Fraud: Online identity theft, phishing, and credit card theft are an overwhelming part of the Internet underground. The eFraud Division sifts through this underground to gather and process intelligence that can assist the appropriate authorities in shutting down these operations.
  • Botnet Intelligence: Our initial focus and most popular division is related to botnet intelligence. Botnets are used as a weapon in online crime. From DDoS attacks, spam email, identity theft through key loggers, and the spreading of malware, these nets are the mafia of the Internet. At any given time, there are hundreds of botnets under surveillance.
  • Malware: This division focuses on disassembling and reverse engineering viruses, trojans, and other types of hostile code. Several thousand files have been reverse engineered, with a current repository of 50 million sample binaries and 30 million unique viruses.
  • Honeypots: The primary focus is to collect malware, phishing scams, and data, which is later examined by the other divisions. With various types of honeypots and collection mechanisms, in nearly every part of the world, we are able to see events as they happen, rather than days or weeks later.

TechRepublic: Could you give us a sense of what happens once you are alerted to a new botnet strain?

Andre' M. Di Mino: Our process runs a pretty wide spectrum from malware analysis to studying the networks involved. Typically, we analyze the malware via various methods in order to determine its behavior and that of the associated networks.

From there, we may set up some monitoring systems to passively gather data on the botnet and its activities. We may also dive a bit deeper into the botnets themselves in order to better understand the topologies and network distribution.

For us, it's really all about gathering as much data on malicious activity as we can. For example, if we can determine the drone systems involved in a particular botnet, we then begin alerting those affected network providers. That in turn allows them to remediate the infected drones on their network.

TechRepublic: I wrote an article, "GhostNet: Why it's a big deal," that summarized an amazing investigation by Information Warfare Monitor and Shadowserver Foundation into how the office networks of the Dalai Lama were compromised. Could you please explain your role in the effort?

Andre' M. Di Mino: One of our strong capabilities is malware analysis. We have a variety of systems that allow us to analyze large quantities of malware in great detail. We were asked to examine some files and data that were of interest to this effort.

From the analysis, we were able to provide key information indicating the networks and targets involved in the attacks. More details of our involvement can be found in Information Warfare Monitor's recently released report, "Shadows in the Cloud".

TechRepublic: Over the past few years, the Shadowserver Foundation has worked with Microsoft on botnet projects, the most recent being the B49 Waledac Effort. Do you feel this sort of collaboration is beneficial? Some spam experts said the Waledac botnet was only momentarily slowed. Why is that?

Andre' M. Di Mino: Botnet/malware projects will strongly benefit from worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to the effort of working with other groups dedicated to improving the safety of the Internet.

Spam will continue to be a major product of the more prolific botnets out there. While spam levels will ebb and flow with the botnet takedown efforts, the fight must continue. As I mentioned in a recent blog post, "Success is not measured in the percentage of spam reduced over a short period of time. Success in this arena is in breaking new ground in the analysis and disruption of 'notorious' botnets."

TechRepublic: Your research efforts are fascinating to many of us. What sort of education and experience would someone need to become an effective security researcher?

Andre' M. Di Mino: There are many aspects of information security that could be of interest to someone starting out. Understanding network communication protocols and the associated analysis tools is a strong plus.

Also, malware reverse engineering, both static and dynamic, is an important area of interest. A general understanding of security, vulnerabilities, and overall network detection and defense is also pretty foundational.

There are so many aspects to this field, but there are two traits that I see as essential:

  • You truly love what you are doing.
  • Realize that you will never stop learning something new every day, either on your own or from others.

Get involved

During our conversations, Mr. Di Mino stressed the importance of our participation. To that end, the foundation has several ways in which we can become partners in the fight:

  • Get reports on your network: Reports are designed for organizations that directly own or control network space. Those responsible can receive customized reports detailing detected malicious activity to assist in their detection and mitigation program.
  • Submit a botnet: By using a ticket-tracking system, anyone can submit botnet information to the Shadowserver Foundation where it will be analyzed and acted upon.
  • Build a honeypot: The Shadowserver Foundation's Web site has excellent documentation on how to set up a honeypot. They obviously encourage this as a way to gather more information about malware in real time.

Final thoughts

The Shadowserver Foundation is a group of dedicated malware fighters that could use our help and encouragement. They are, after all, trying to keep us safe while we traverse the Internet.

I want to thank Andre' M. Di Mino for taking the time to answer my questions and the Shadowserver Foundation for their effort.