Microsoft: No botnet is indestructible
'Nothing is impossible,' says Microsoft attorney, countering claims that the TDL-4 botnet is untouchable
Computerworld - No botnet is invulnerable, a Microsoft lawyer involved with the Rustock takedown said, countering claims that another botnet was "practically indestructible."
"If someone says that a botnet is indestructible, they are not being very creative legally or technically," Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said Tuesday. "Nothing is impossible. That's a pretty high standard."
Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in takedowns of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated.
"To say that it can't be done underestimates the ability of the good guys," Boscovich said. "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"
Last week, Moscow-based Kaspersky Labs called the TDL-4 botnet "the most sophisticated threat today," and argued that it was "practically indestructible" because of its advanced encryption and use of a public peer-to-peer (P2P) network as a fallback communications channel for the instructions issued to infected PCs.
Takedowns like those of Waledac, Rustock and Coreflood have relied on seizing the primary command-and-control (C&C) servers, then somehow blocking the botnet's compromised computers from accessing alternate C&C domains for new instructions.
By doing both, takedowns decapitate the botnet, let researchers or authorities hijack the botnet, and prevent hackers from updating their malware or giving the bots new orders. That also gives users time to use antivirus software to clean their systems of the infections.
Kaspersky senior malware researcher Roel Schouwenberg said that TDL-4's use of P2P made the botnet an extremely tough nut.
"Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network," Schouwenberg said last week. "The fact that TDL has two separate channels for communications will make any takedown very, very tough."
Boscovich disagreed, noting that the February 2010 takedown of Waledac successfully suppressed that botnet's P2P command channel.
"[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet," Boscovich said.
"Each takedown is different, each one is complicated in its own way," said Boscovich. "Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."
Alex Lanstein, a senior engineer with FireEye who worked with Microsoft on the Rustock takedown, said that the relationships Microsoft has built with others in the security field, with Internet service providers, and with government legal agencies like the U.S. Department of Justice and law enforcement were the most important factors in its ability to take down botnets, any botnets.
"It's the trust relationships Microsoft has created" that have led to successful takedowns, said Lanstein. "And I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works."
Those who disagree with Boscovich and Lanstein include not only Kaspersky's Schouwenberg, but also Joe Stewart, director of malware research at Dell SecureWorks and an internationally known botnet expert.
"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," Stewart said in an interview last week about TDL-4. "It does a very good job of maintaining itself."
But SecureWorks also acknowledged Microsoft's takedown chops, saying that its own statistics show that Rustock attacks have dropped tenfold since March.
"Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft," a SecureWorks spokeswoman said Tuesday.
"With the Rustock takedown, Microsoft has built the framework for others to do the same," Lanstein said. "This is definitely not the last botnet we're going to go after."
He declined to name the next likely target, saying that doing so would tip Microsoft and FireEye's hand.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts