The Botnet Hunters


In a world where investigations can take months and years and the rewards are few, how does one measure success when it comes to hunting botnets? For guys like Weafer, the work has the obvious direct impact of enhancing products and helping customers. But for Santorelli and DiMino, the payoff is more personal.

"Personally, I love that feeling you have when you've spotted a mistake a criminal has made," said Santorelli. "So much about IT security investigation is about turning over ten thousand little rocks looking to see what you can find underneath. When you spot a mistake a criminal has made, then as a group you realize: 'I've got ya.'"

That feeling stays with him through the long investigations that follow, said Santorelli. Even though spotting the mistake still leaves a lot of work to identify the bad guy and get them caught, he said, realizing six months or a year down the line that this was the moment that led to an arrest and prosecution is like no other.

DiMino points to a volunteer collaboration formed earlier this year, the Conficker Working Group, an assembly of security industry professionals trying to contain the infamous Conficker worm, as one of the bigger rewards for him, and a good example of the progress that can be made when people work together.

Seeing several varied organizations with different strengths and goals quickly band together and plan a course of action was amazing, he noted. The CWG quickly grew and soon achieved worldwide involvement from some of the best people and organizations within information security.

"I think that was a sign of things to come in terms of how groups can work together when there is a controlled mission in mind," he said. "That was a pretty groundbreaking event because it got a lot of security research organizations together in a room and said: 'We have a real threat here, what are we going to do about it?'"

FireEye Versus Mega-D: One for the good guys

In November, researchers with a small security-products firm based in California managed to deliver a severe blow to a notorious spam botnet known as Mega-D, or Ozdok.

According to Atif Mushtaq, a security researcher with FireEye, after a detailed analysis of the botnet's inner workings the researchers decided that instead of playing a passive role they would come forward and work with third parties such as ISPs and domain registrars to take it down. In a blog post on the FireEye web site, Mushtaq details how the research team worked in multiple directions simultaneously, moving against all of the botnet's fallback mechanisms so fast that the bot herders would not get a chance to react. As we go to print, all the major Mega-D command and control servers have been taken down.

According to tracking data from Message Labs Intelligence, which monitors global spam activity, FireEye's efforts were indeed worthwhile: activity from the botnet has declined significantly. Mega-D, according to Message Labs, had for over a year been among the top ten active spambots. Now its 'market share' has dropped to a mere fraction of a percent. It barely registers as existing, with only a handful of spam messages seen each day rather than thousands, said Message Labs officials.

Security researchers know it is unlikely that a botnet will ever be completely wiped out. But efforts like those of FireEye can cripple a botnet to the point where it will be a long time before it regains its former standing, if it ever does. DiMino, who said Shadowserver has done some joint research and collaboration with FireEye, saw the win as more proof of why botnet hunters need to work together.

"It was good work on their part and certainly an effort that provided tangible results. While the jury is still out on the overall effect of this takedown, it's a great example of how a carefully coordinated and comprehensive plan can achieve success."

This story, "The Botnet Hunters" was originally published by CSO.


Copyright © 2009 IDG Communications, Inc.
