by Rik Ferguson

Kicking bot and taking names

Nov 10, 2010
Security Software

There has been much coverage recently of the enforcement activities undertaken by the Dutch High Tech Crime Unit in the Netherlands against 143 computers identified as Command & Control servers for the Bredolab botnet, and the subsequent arrest of a 27 year old Armenian man suspected of being the mastermind behind the botnet. Concerted action against botnets is always welcome in the fight against online crime; Bredolab was one of the bigger botnets out there and was being used as a service for hire by other criminals to distribute their own unrelated malware. It has functioned as a software distribution network for fake antivirus, for information-stealing malware such as ZeuS and for spam bots such as Pushdo. Coincidentally I attended InfoSecurity NL earlier this week and chatted with several local journalists about this story. By this time the initial coverage was done and they were beginning to consider the wider implications of activity such as this; did the Dutch authorities themselves break the law and what are the most effective means of taking down a botnet? The first question arises because of reports that the Dutch authorities took advantage of the Bredolab infrastructure to upload a program of their own to infected computers around the world. The purpose of the program was admittedly benign, it served to inform the next person to log in to the computer that it was infected and offer steps to help clean up, but it also doubtless broke the law in many different countries including the Computer Misuse Act in the UK. Not only that but even purportedly benign software can have serious unforeseen long-term consequences as the Morris worm (the first ever internet worm back in 1988 can demonstrate). It is also worth stopping to consider for a moment the effectiveness of such a tactic. The victim machines in question were already infected by Bredolab, Bredolab is known to distribute fake security software. Fake Security software fools its victims into installing and paying for bogus software by popping up messages telling them they are infected. See where I’m going with this? Surely there is every chance that the unfortunate victims of Bredolab feel they have already seen enough bogus pop-ups and will simply brush the warning aside as yet another scam. Not to mention that the machines infected by Bredolab may well also be members of other botnets, such as Zeus and Pushdo, at the same time as both have been known to be dropped by Bredolab. So what can we do, is all hope lost? Not entirely I would argue. The battles continue in a war that must be waged on several fronts; governments and international organisations such as the EU, OECD and UN need to provide a strong focus on the harmonisation of criminal law globally in the area of cybercrime, enabling more effective prosecution. Law enforcement agencies need to formalise multi-lateral agreements to tackle a crime that is truly trans-national. Internet Service Providers and domain registrars also have a key role to play. ISPs should be informing and assisting customers that they believe to be compromised (a trend which happily appears to be on the increase). They should also be terminating service to customers they believe to be acting maliciously. Domain Registrars should be demanding more effective forms of traceable identification at time of registration and bad actors should have their service suspended as soon as credible suspicion is raised. The security industry is already drawing valuable lessons from the levels of co-operation achieved among rivals during the fight against Confickerand hopefully this effective co-operation will continue and deepen. Initiatives must be financed on a national level to more effectively educate and inform citizens of the dangers posed by cybercrime and to encourage safer computing practices. Lastly the security industry must not rest on its laurels, we can take heart in past successes but we cannot rely on past technology alone. Innovation is the key to keeping up with and hopefully surpassing the techniques developed by the bad guys.