The Botnet Hunters
CSO - A self-proclaimed geek from the age of 14, Andre DiMino had always been interested in computers and networking. But it wasn't until he entered his professional life many years later that he became interested in the security side of that world.
"I was a system administrator for a fairly large network that experienced a significant hacking incident one weekend," said DiMino. "I became consumed with learning about the methods of attack, who might be involved, and where it came from. Right then, I became passionate about all aspects of security, as well as the various groups that carried out the attacks."
And today, in his forties, it is DiMino's interest in the dark side of security that consumes much of his free time. By day, DiMino is a professional digital forensic analyst. By night, he serves as director of an organization known as Shadowserver Foundation, a group of volunteers dedicated to sleuthing out cybercriminals and shutting them down.
DiMino, and another cofounder who is no longer part of the organization, launched Shadowserver in 2004 with the initial mission of tracking malicious activity online and finding some way to make it stop.
"We just kind of started chasing malware, chasing bots," said DiMino. "Mainly we were interested in understanding what malware did, where it went, how it was developed."
A good deal of their time was spent tracking malicious botnets: networks of compromised computers running software that is installed through viruses or worms without the owners' knowledge. These systems are then controlled remotely by a "bot master." They are used for various online crimes, including sending out spam, phishing, committing click fraud and launching distributed denial-of-service (DDoS) attacks. Windows PCs are the typical target, although a Mac botnet was reported earlier this year.
Just five years ago, hunting botnets, said DiMino, was a much different game. The botnets were fairly straightforward, he said, and the primary method of communication was IRC (Internet Relay Chat). DiMino and other volunteers were able to act like criminals by joining a botnet, watching its traffic to get an understanding of how it was architected and learn more about its particular function. They found their efforts were worthwhile as they began contacting network hosts, alerting them that they were supporting the botnets and seeing them shut down.
"Things really started to snowball," said DiMino. "We decided it should be a service to the community to improve the safety of the internet. And we started to build a cross-section of security experts to help out."
Shadowserver now has ten of what DiMino called "carefully vetted" volunteers in several locations around the world. These cybercrime busters need to be of the utmost trustworthiness, he said, because the data which Shadowserver volunteers deal with is highly sensitive. And that is exactly what the bad guys want.
Originally published on www.csoonline.com.