MIAMI -- Security research teams monitoring the relative strength and activity of some of the world's largest botnets are confined by legal restraints making them virtually powerless to stop them, according to a researcher at Kaspersky
The botnet ecosystem is flourishing as a result of ineffective measures being undertaken by security researchers to get them shut down, Vitaly Kamluk, chief security expert at Kaspersky, told hundreds of incident response team members, Wednesday, at the Forum of Incident Response and Security Teams (FIRST) Conference 2010. Kamluk painted a bleak picture of the rising sophistication of botnets and the underground business environment that fuels them.
"We have to do more and more on the technical side," Kamluk said. "We have to introduce more technical solutions to break the loop and destroy the infrastructures that make the malware usable."
Kamluk explained how cybercriminals have undertaken measures to oversee deal making between the botnet owners and the users who are renting them out. A guarantor or mediator, who typically is the owner of an established Web forum for cybercriminal activity, oversees deals and gets a cut of the action. The goal is to build a level of trust between the two and rule out cheaters who don't pay for the botnet services, he said.
"Guarantors kind of have respect and a profile," Kamluk said. "They're more trusted than a newly registered person on the forum and they provide the reliability of the deal."
The underlying botnet technologies and the underground market are a cycle of activity that needs to be broken, before it grows out of control, Kamluk said. The technology is available to cut off command and control capabilities and sanitize infected machines that makeup a botnet. But some experts question the ethics of the activity. Legally, court judges want to know who is liable for the action in the event something goes wrong. And since the activity involves similar actions that cybercriminals undertake to infect machines, it's difficult to determine cybercriminal activity from activity undertaken by security teams. Legal efforts to take out rogue ISPs hosting botnet and other nefarious activity show only limited success.
In the case of Gumblar, an FTP password stealing Trojan that spreads like a botnet, infecting up to 12,000 Web servers without human interaction, researchers have found a backdoor that would essentially help them sanitize Gumblar infected servers making it unusable.
"It would take us five minutes to clean 12,000 Web servers, but this is unauthorized and not legal so we don't do it," Kamluk said.
Botnet expert Jose Nazario of Arbor Networks painted a similar bleak outlook about botnets designed to carry out denial-of-service (DoS) attacks. The botnets are controlled by three or four different groups and the cost of blocking and investigating them is continually rising, Nazario said.
"The challenge is serious and we don't have a very good response," Nazario said in a presentation to FIRST attendees. "The window is wide open for the attacker to start attacking when he or she wants to."
Conficker, a well-known quickly spreading worm, is believed to have infected more than 7 million machines. Research teams continue to block its command and control lines. Torpig or Sinowal, a botnet that steals banking credentials has a sophisticated algorithm using search trends and other methods to determine a drive-by-download domain. As a result, it is only being intermittently blocked by trying to find the domain names that it uses.
"The burden is now on us as defenders to try and reverse engineer and manage this in the domain name space," Nazario said.