Takedowns of Zeus botnet command and control servers like the one executed last week by Microsoft and others do reduce the criminal activity they spawn - for a while - but attackers learn from the experience and come back with more sophisticated techniques, a security expert says.
Eliminating the servers that issue commands and gather stolen data can stop a particular criminal enterprise temporarily, but without grabbing the people behind it, a new botnet is likely to emerge to replace the ones that are disabled, says John Pironti, president of ITArchitects.
ANOTHER TAKEDOWN: International security team shoots down second Hlux/Kelihos botnet
"Adversaries will study how Microsoft did this and create ways to get around it in the future," he says. "They'll change their methods and practices and won't make the same mistake twice."
In fact, even as Microsoft grabbed servers that zombie machines were reporting back to with stolen banking data, criminals are already using more sophisticated means. Whereas the Zeus botnet employed a beacon reporting system in which drone machines report to a single server, newer botnets use command and control servers that are linked peer-to-peer to make discovery and takedowns harder, Pironti says.
"Microsoft did a good job of taking them down," he says. And chipping away one botnet at a time does have an effect.
It also helps gather data about how the criminals work and offers up the possibility that they will make a mistake that will reveal who they are and where they are located, which could lead to their arrest. That is the most effective way to stop botnets, he says, but it relies on patience and diligence in looking for the criminals' mistakes.
Often investigators can track participants in botnet exploits, but usually they are low-level functionaries, directly moving cash that is stolen in the operations. The masterminds generally protect themselves behind layers of their crime hierarchy, and survive to start afresh, Pironti says.
He says he knows of at least one case in which criminals abandoned a botnet that was up and running and it continued to gather data from zombie machines. Later, it appeared that other criminals either bought or stumbled upon and took over the botnet, he says.
Based on behavioral signatures, it appeared that a different crew was running the botnet, which he came across in his consulting. The perpetrators logged into different environments, used different machine types, searched their stolen data differently and even used different protocols such as FTP vs. SFTP to transfer data, all of which indicated a change of personnel.
Human nature and the desire to get as much money out of criminal botnets as possible can lead to the downfall of ringleaders, he says. As they want more of the take for themselves, they sometimes let down their guard, making them vulnerable and sometimes identifiable. "Greed is good," he says.
(Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at firstname.lastname@example.org and follow him on Twitter https://twitter.com/#!/Tim_Greene.)
Read more about wide area network in Network World's Wide Area Network section.