Zombie botnets: Why some crime networks refuse to die
- 20 January 2014
- From the section Technology
When cyber criminals are arrested it usually means the end of their profiting from spam, viruses and stolen data. Once down, they stay down.
But some parts of the cyber crime world are much harder to stamp out. Like zombies they do not seem to know they are supposed to be dead, and keep coming back again and again to cause even more trouble.
In particular, botnets - networks of hijacked computers - exhibit this zombie-like ability to lurch back into life, despite a significant number of victories against these crime networks over the past year.
In 2013, big botnets called Citadel, ZeroAccess, Kelihos, Zeus, 3322, Virut, SpyEye, Bamital and Cutwail were dismantled and disrupted by "the good guys". Many other smaller networks also suffered significant damage thanks to the efforts of security researchers and police forces.
Botnets have become the standard tool of hi-tech criminals; their controllers plunder compromised machines for saleable data, using them as launch platforms for spam and phishing attacks, or to target websites with huge amounts of data.
Some of the bigger botnets are made up of millions of machines and estimates suggest 5% to 10% of all domestic computers are enrolled on these criminal networks.
So, taking out these networks should be a good thing.
Not so fast, says Prof Michel van Eeten from the Delft University of Technology in the Netherlands, who studies botnets and how to manage them.
"The problem of 'undead' botnets is well known," he says.
"There are a variety of ways in which take-down efforts leave remnants behind that live on and can potentially be reactivated."
One of the most famous examples of this is the Conficker botnet, which was at its most rampant in 2008.
However, millions of machines are still known to be infected with the malicious software that enrolled them in this network.
Security researcher Robert Stucke found out for himself how long botnets could live on.
Typically, he says, the targeted PCs (called "zombies" in the early days) report to a web domain set up to act as a command and control server.
Big botnets have many different domains controlling separate segments of the network.
The domains that botnets use are the same, in technical terms, as the domains that organisations such as the BBC use to host their webpages.
When a botnet is taken down, some of those command-and-control domains are seized, to try to cut off the controller from his network.
As an exercise, Mr Stucke bought up some domains that used to be part of some big botnets. They are easy to find because, once known, they are listed as malicious and widely shared so large companies can block access.
Mr Stucke spent about $6 (£3.60) on a few dozen domains. Once he had control, he monitored the traffic and found some supposedly dead botnets were still very much alive.
More than 25,000 machines regularly reported into those supposedly dead domains, he said, adding it was sometimes hard for him to manage the amount of data turning up. Some merely reported their presence but others surrendered potentially saleable information.
"If the domain expires and anyone can re-register it and take control of the botnet, it seems to be a waste of time taking down the botnet in the first place," he said.
'Involve the police'
Other security researchers have similar worries.
"Those zombie parts are often left flailing around," says former cyber cop Adrian Culley, now a technical consultant at security firm Damballa.
"Even though the botnet has been taken down they do not know that, and they will constantly try to contact their maker."
Targeting domains can be a good way to disrupt a botnet, he adds, but the hard part is cleaning up those zombie machines and stopping it for good.
The best way to make sure a botnet stays dead is to involve the police, says Dr Brett Stone-Gross, a researcher for Dell Secure Works who helped stop some big botnets in 2013.
"What happens after the takedown depends on what botnet it was and other factors such as whether law enforcement action was involved," he says.
Arrests and the publicity surrounding them had a "much more significant impact on permanently taking down a botnet", he adds.
The involvement of the police implies that an investigation into who is behind a botnet will continue.
And the more is known about a particular crime network and how it arose, the more likely it is that security firms will share information on how to spot the machines involved, or the malware that can be used to recruit new victims.
Without that attention botnets can swiftly crawl back into life, says Dr Stone-Gross.
"Unfortunately criminals have access to a lot of resources and are often able to rebuild these networks from scratch."