Botnet Takedowns – fun and good publicity, nothing more


For the past year or so the Kelihos botnet has been in the news after constant attempts to take it down. Recently the ZeroAccess botnet has also been subject to similar publicity, but what do these efforts actually achieve? Not much.


ZeroAccess and Kelihos are what I like to refer to as “non-aggressive botnets”. To me this simply means that the botnet takes a less aggressive stance toward generating income: usually by opting to mine bitcoins, perform click-fraud, or send spam, whilst remaining undetected by the user. These sorts of botnets try to inconvenience the user as little as possible, so that they can hold onto the computer for as long as possible. If you compare this to the botnets that are encrypting users’ files and forcing them to buy them back, or stealing bank details and selling them to fraudsters, it suddenly looks a whole lot less damaging in the grand scheme of things.


Now I’m not sure I remember the last time I heard a bot master say: “oh no, the security experts have ransacked my botnet, I must pack up shop and apply for a job at McDonald’s,” but I imagine it wasn’t recently. The fact is, taking down these large botnets run by career cyber-criminals only causes minor financial setbacks and does little justice for the victims. As we saw with Kelihos, the developer’s response was to come back each time with a new version of the bot which was more resistant to takedowns. Targeting the same botnets over and over is only likely to result in some new super-malware that is near impossible to sinkhole. Peer-to-peer botnets are usually very complex and a lot of work goes into them. Why? To be sinkhole-proof. When criminal groups are willing to put so much effort into avoiding sinkholing, it’s likely that at most they will change tactics, but never walk away.


The main motivator in taking down these high-profile botnets appears to be publicity. I salute the security researchers that are doing this, but I think when anti-virus companies are pouring time and money into taking down botnets that are not causing extensive harm to the user, the efforts are misguided. I’d like to see more effort go into dealing with the ransomware operations that seem to be growing in popularity, dealing with the botnets that are supplying card shops with fresh credit cards, or just taking antivirus software to the next level.