For the past year or so the Kelihos botnet has been in the news after constant attempts to take it down. recently the ZeroAccess botnet has also been subject to similar publicity, but what do these efforts actually achieve? Not much.
ZeroAccess and Kelihos are what i like to refer to as “non-aggressive botnets”. To me this simply means that the botnet takes a less aggressive stance toward generating income: usually by opting to mine bitcoins, perform click-fraud, or send spam, whilst renaming undetected to the user. These sorts of botnets tend to try and inconvenience the user as little as possible, so that they can hold onto the computer for as long as possible. If you compare this to the botnets that are encrypting users files and forcing them to buy them back, or stealing bank details and selling them to fraudsters, it suddenly looks a whole less damaging in the grand scheme of things.
Now I’m not sure i remember the last time i heard a bot master say: “oh no, the security experts have ransacked my botnet, I must pack up shop and apply for a job at McDonald.” but I imagine it wasn’t recently. The fact is, taking down these large botnets run by career cyber-criminals only causes minor financial setbacks and does little justice for the victims. As we saw with Kelihos, the developer’s response was to come back each time with a new version of the bot which was more resistant to takedowns. Targeting the same botnets over and over is only likely to result in some new super-malware that is near impossible to sinkhole. Peer-to-peer botnets are usually very complex and a lot of work goes into them, why? To be sinkhole proof. When criminal groups are willing to put so much effort into avoiding sinkholing, it’s likely that at most they will change tactics, but never walk away.
The main motivator in taking down these high profile botnets appears to be publicity. I salute the security researchers that are doing this, but I think when anti-virus companies are pouring time and money into taking down botnets that are not causing extensive harm to the user, the efforts are misguided. I’d like to see more efforts go into dealing with the ransomware operations that seem to be growing in popularity, dealing with the botnets that are supplying cardshops with fresh credit cards, or just taking antivirus software to the next level.