{"id":4117,"date":"2013-12-03T10:00:10","date_gmt":"2013-12-03T15:00:10","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=4117"},"modified":"2013-12-03T10:00:10","modified_gmt":"2013-12-03T15:00:10","slug":"botnet-busts-more-for-stunts-than-security-expert-says","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/12\/03\/botnet-busts-more-for-stunts-than-security-expert-says\/","title":{"rendered":"Botnet busts more for stunts than security, expert says"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2066758\/botnet-busts-more-for-stunts-than-security-expert-says.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/12\/internet_lock_security-100065707-large.jpg\" \/><\/a><\/p>\n<p>Microsoft and Symantec made headlines in September and in the summer by taking down major botnets. Now, one expert calls their actions ineffective, and wonders if the only reason they happened was to garner good press.<\/p>\n<p>Working backwards, Symantec announced in September that they used a vulnerability within the ZeroAccess botnet&#8217;s code to take down a significant part of it. Their actions gained headlines, because ZeroAccess has existed since 2010, and had a foothold on millions of systems globally.<\/p>\n<p>In a similar situation, Microsoft took out 88 percent of the Citadel botnet this summer, going so far as to send configuration files to the infected systems that forced them to connect to sinkholes, removing them from criminal control. 
At the time, Microsoft said that 40 percent of the computers that were part of the operation were cleaned of infection.<\/p>\n<p>However, there were those who said Microsoft&#8217;s actions were nothing more than a clever PR stunt, and that they had no real impact on the threat landscape.<\/p>\n<p>In a recent blog post, Damballa&#8217;s CTO, Brian Foster, says that botnet takedowns often don&#8217;t meet their stated goals of reducing the risk of infection online. In fact, he says, it&#8217;s something else entirely.<\/p>\n<p>&#8220;It makes me wonder if these efforts are for the sole purpose of garnering press, because they certainly don&#8217;t have any lasting impact on end user safety,&#8221; Foster wrote.<\/p>\n<p>Shortcomings noted<\/p>\n<p>Supporting his theories, Foster listed three reasons that botnet takedowns are ineffective. To start, he noted, most takedowns are done haphazardly. In most cases, only a small percentage of the command and control servers for a given botnet were grabbed by the do-gooders. Thus, while it makes good coverage to show that 24 percent of a botnet has been taken offline, &#8220;[it] still leaves 76 percent of it active. The attacker still has a strong foothold and can easily recover.&#8221;<\/p>\n<p>Further, takedowns do not account for secondary communication methods such as P2P channels, or domain generation algorithms (DGA) that may be used by malware.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2066758\/botnet-busts-more-for-stunts-than-security-expert-says.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/12\/botnet-100046078-orig.jpg\" \/><\/a><\/p>\n<p>&#8220;We looked at 43 pieces of malware and discovered that three of them had secondary callback methods. 
This means that for at least three of the botnets, security researchers need to take additional steps to make sure the botnet is disabled,&#8221; Foster said.<\/p>\n<p>Finally, he noted, the takedowns themselves do not result in the arrest of the person(s) behind the botnet itself. Unless the attacker has been arrested, it doesn&#8217;t prevent them from starting anew and building a different botnet.<\/p>\n<p>&#8220;Bottom line: If security researchers and their organizations are doing takedowns for marketing reasons, then it doesn&#8217;t matter how they go about it. But if they are doing takedowns to truly limit Internet abuse and protect end users, then there needs to be a more thoughtful approach than what has typically been used by the industry. Otherwise, the bots will once again veer their ugly heads,&#8221; Foster concluded.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2066758\/botnet-busts-more-for-stunts-than-security-expert-says.html\" target=\"_blank\">Botnet busts more for stunts than security, expert says | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft and Symantec made headlines in September and in the summer by taking down major botnets. 
Now, one expert calls [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[6,7,10],"tags":[142,655],"class_list":["post-4117","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","category-technology","tag-botnet","tag-malware"]}