This article can also be found in the Premium Editorial Download "Information Security magazine: Why privileged account management is critical to today's data security."
When the FTC shut down California-based ISP Pricewert in June, it was only a temporary victory for the U.S. government in the war on cybercrime. Still, the action sent an important notice to cybercriminals around the world: the Feds are watching.
The shutdown of Pricewert, also known as 3FN.net and APS Telecom, occurred on June 5, and spam and phishing campaigns dipped for several days, according to several antispam vendors. But while the ISP went dark, disrupting Cutwail, one of the largest and most active spam botnets, the blow to cybercriminals was short-lived at best. Experts say those in control of the command-and-control servers likely had a contingency plan in place and acted quickly to regain control of their zombie computers and resume spamming runs and other, more nefarious activities.
"What happens is you take out one of the big boys and somebody will take over those customers and start spamming for them," says Matt Sergeant, senior antispam technologist for Symantec's MessageLabs.
Despite the ISP shutdown, global spam levels were unchanged in June at 90.4 percent of all email, according to statistics from MessageLabs, which tracks global spam levels. Spam sent from botnets accounted for 83.2 percent of all spam in June.
Some say the 3FN.net shutdown calls into question the ability of law enforcement to have a major impact on cybersecurity, and of the private sector to effectively police itself. Short-term gains were made late last year when two upstream providers cut off Web hosting provider McColo, which was notorious for hosting botnet command-and-control servers. ICANN also took action, de-accrediting the domain registrar EstDomains. Several spam botnets were disrupted, but months later they had either recovered or been replaced by other botnets.
The problem is that the cost to rent a botnet for a single spam campaign is ridiculously low, Sergeant says: about $10 to send 1 million spam messages.
Still, experts say the shutdowns are significant because they send a signal to cybercriminals that governments and the private sector are taking illegal activity seriously. They also disrupt other cybercriminal activities: at Pricewert, investigators found websites serving child pornography, malware-laden websites used to conduct drive-by attacks, and malicious traffic identified as part of click-fraud campaigns. Ultimately, a shutdown raises costs for those who control botnets by interrupting their business, says Pete Lindstrom, director of research at Spire Security.
"The value in this is in setting the precedent and making sure that the message is out there that folks doing the wrong thing can be caught and they might be punished," he says. "It's not ever going to reduce the amount of spam or significantly reduce the number of botnets. It's almost impossible."
But perhaps the next step is to figure out a way to disinfect zombie computers without trampling on a victim's privacy. The technology is available, but it has been controversial. Last year, researchers at TippingPoint found a way to issue whatever commands they chose to the thousands of bots in the Kraken botnet, including an order to self-destruct. The legal, ethical and technical issues involved led them not to act.
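The line the TippingPoint researchers stopped at can be made concrete. What follows is an added example, not code from the original article or from TippingPoint's Kraken work: a minimal command-and-control sinkhole that accepts check-ins from bots whose protocol has already been reverse-engineered, records the infected hosts so their network owners can be notified, and replies only with a sleep instruction, never an uninstall or self-destruct command. The HELLO/SLEEP wire format, the Sinkhole class, the reply allowlist and the sample check-ins are all constructed for this illustration and correspond to no real botnet.

```python
"""Minimal C&C sinkhole: log bot check-ins, never touch the victim's machine.

Added example. The wire format "HELLO <bot_id> <os> <build>" and the reply
"SLEEP <seconds>" are a hypothetical protocol invented for this illustration;
a real botnet's protocol (often encrypted) has to be reverse-engineered first.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
import re

# Hypothetical check-in line sent by an infected host on connect.
CHECKIN_RE = re.compile(
    r"^HELLO (?P<bot_id>[0-9a-f]{16}) (?P<os>[A-Za-z0-9_.-]+) (?P<build>\d+)$"
)

# Policy: the only reply this sinkhole is permitted to send. Anything that
# changes the victim's machine (UNINSTALL, SELFDESTRUCT, UPDATE, EXEC) is
# deliberately absent: issuing it alters a system we do not own, which is the
# legal and ethical line the researchers declined to cross.
SAFE_REPLY = "SLEEP 3600"
ALLOWED_REPLIES = {SAFE_REPLY}


def command_allowed(reply):
    """Allowlist guard for any reply an operator tries to send to a bot."""
    return reply in ALLOWED_REPLIES


@dataclass
class Sighting:
    bot_id: str
    src_ip: str
    os: str
    build: int
    first_seen: datetime
    last_seen: datetime
    checkins: int = 1


@dataclass
class Sinkhole:
    sightings: dict = field(default_factory=dict)  # bot_id -> Sighting
    rejected: int = 0                              # non-matching connections

    def handle(self, src_ip, line, reply=SAFE_REPLY, now=None):
        """Process one check-in line from src_ip; return the reply to send (or None)."""
        if not command_allowed(reply):
            raise PermissionError(f"refusing to send {reply!r}: not on the allowlist")
        now = now or datetime.now(timezone.utc)
        ipaddress.ip_address(src_ip)  # ValueError on garbage; never log unparsable sources
        m = CHECKIN_RE.match(line.strip())
        if not m:
            # Scanners, researchers and port-knockers hit sinkholes constantly;
            # drop them silently rather than answering an unknown speaker.
            self.rejected += 1
            return None
        bot_id = m["bot_id"]
        s = self.sightings.get(bot_id)
        if s is None:
            self.sightings[bot_id] = Sighting(
                bot_id, src_ip, m["os"], int(m["build"]), now, now
            )
        else:
            s.last_seen, s.src_ip, s.checkins = now, src_ip, s.checkins + 1
        return reply

    def unique_bots(self):
        return len(self.sightings)

    def notification_report(self):
        """Group infected IPs by /24 so each network owner is notified once."""
        by_net = {}
        for s in self.sightings.values():
            net = ipaddress.ip_network(f"{s.src_ip}/24", strict=False)
            by_net.setdefault(str(net), set()).add(s.src_ip)
        return {net: sorted(ips) for net, ips in sorted(by_net.items())}


# Constructed sample traffic: two bots (one checking in twice) and one scanner.
SAMPLE_CHECKINS = [
    ("198.51.100.23", "HELLO 0123456789abcdef winxp 412"),
    ("198.51.100.77", "HELLO fedcba9876543210 win2k 398"),
    ("198.51.100.23", "HELLO 0123456789abcdef winxp 412"),  # same bot, second check-in
    ("203.0.113.5", "GET / HTTP/1.0"),                      # a scanner, not a bot
]


def run_sample():
    """Feed the constructed check-ins through a fresh sinkhole; return (sinkhole, replies)."""
    sh = Sinkhole()
    replies = [sh.handle(ip, line) for ip, line in SAMPLE_CHECKINS]
    return sh, replies


if __name__ == "__main__":
    sh, replies = run_sample()
    print("replies:", replies)
    print("unique bots:", sh.unique_bots(), "rejected:", sh.rejected)
    print("notify:", sh.notification_report())
```

The design choice worth noting is that the sinkhole's output is a notification report, not a cleanup: the reversed protocol gives the operator the ability to push any command, and the allowlist is what keeps "able to" from becoming "did".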
Surely, the security industry will continue to innovate, developing new defenses and services that disrupt cybercriminals. Companies will continue to invest in new security technologies just as cybercriminals will continue to be one step ahead. In other words, this cat-and-mouse game isn't going away any time soon, says Mary Landesman, a senior security researcher at Web security services vendor ScanSafe.
"When the cost of doing business with criminals is higher than the cost of doing business legitimately," she says, "then they'll start doing business legitimately."
This was first published in July 2009