SAN FRANCISCO -- Coordinated law enforcement-driven botnet takedowns have become fairly common and maybe even a little boring, but for a crowd full of security professionals last week at RSA Conference 2013, seeing a botnet get its comeuppance in real time proved quite exciting.
You're destroying a business, and these people will not like that.
senior security researcher, Crowdstrike
Tillmann Werner, senior security researcher at Irvine, Calif.-based infosec defense vendor CrowdStrike Inc., dazzled attendees with a live demonstration of a peer-to-peer (P2P) botnet takeover.
The presentation highlight happened when Werner proceeded to fire off some code that was too small to be decipherable for most of the crowd. Instead, he switched his display to a map of the world, which served as a visual representation of the contact he had made with each infected machine. One red blip turned into five, which quickly turned into twenty.
The crowd responded with applause.
During his presentation, From the Drone Butcher's Cookbook: Live Demo of a P2P Botnet Takeover, Werner showed off many of the technical aspects behind the operation to attack the Kelihos botnet via the sinkholing technique. In essence, a botnet sinkhole replaces the communications between a botnet command center and its infected machines. This already complicated task multiplies in difficulty due to the P2P nature of Kelihos.
"We thought this botnet was challenging because it is peer-to-peer," Werner said. "With P2P botnets, this [sinkholing] is much more difficult because there is no central server."
Werner first demonstrated the previous versions of Kelihos and what happened after each was taken down. "Kelihos A" was disabled in September 2011 after it infected about 50,000 machines. "Kelihos B" was running about three weeks later, but was also eventually taken down in February 2012 after it had infected about 120,000 machines.
The version Werner smashed in his presentation -- "Kelihos C" -- was active in no less than a startling 20 minutes after the takedown of its predecessor. Werner estimated C had infected about 40,000 machines before being replaced by a version with minor changes in May 2012.
When asked by an attendee how each version of Kelihos was able to come online so quickly, Werner responded, "They bought installs from other criminal organization, and that's of course possible in no time."
While this repeated cycle of new life may seem to be deflating for law enforcement and other anti-botnet stakeholders, Werner said each botnet takedown still hits criminal organizations where they can be hurt the most: the wallet.
"They can do the same thing" repeatedly by recreating their botnets, Werner said, "But each time they do it, they have to spend more money."
Even when a strike against a botnet is successful, victory cannot be declared. Instead, infrastructure must be prepared to handle a retaliatory attack. "You're destroying a business, and these people will not like that," Werner said.
Even when the technical abilities and manpower are available for such an operation, there is still the matter of ensuring the strike is legal. Werner's demonstrated attack was coordinated with many different law enforcement and government organizations, including the FBI. Still, he told the crowd that such operations are undertaken with a risk-averse approach, meaning plenty of legal council is consulted before making any moves.
"I mean, if it's legal or illegal, that is not for me to decide," Werner said. "I would guess it's still legal, but it might put us in a difficult position."
As part of the cleanup effort after the attack, Internet service providers and CERTs were to be contacted so they could help deal with the residual infected machines. Microsoft will also provide detection capabilities as part of its antivirus suite, though in the case of the Kelihos B takedown, the same measures only reduced infections by 50%.
"We hope that this time we are more successful and reduce the number of infections dramatically so we can take down the sinkhole," Werner said.
View all of our RSA 2013 Conference coverage.