Botnet takedown sets legal, not technical, precedent

April 21, 2011
Cyber Security, FedCyber Wire
No Comment

via Network World

In the security industry, researchers have often been able to infiltrate botnets. Yet, the next step has always been a big question mark.

Now, defenders may have a new slate of options. The takedown of the Coreflood botnet marks the start of more aggressive stance against botnets, say security experts. Last week, the U.S. Department of Justice obtained a temporary restraining order forcing registrars to reroute requests from infected computers, not to Coreflood’s command-and-control servers, but to a substitute server managed by a non-profit group. Under the judge’s order, the sinkhole server can issue commands to prevent the bot agents from carrying out normal operations.

The result has been a drop of several orders of magnitude in the activity from the botnet, says Don Jackson, director of threat intelligence for Dell SecureWorks.

“Compared to what it used to be like – it is a pin drop compared to the symphony of activity that was going on before,” Jackson says. “A bot now receives the pause command and it stays quiet. It does not reach out at the normal intervals. When it does, it just receives a pause command, which it only does at reboot.”

In the recent past, fear of causing problems on infected computers prevented security researchers from taking any aggressive measures. In 2008, for example, researchers infiltrated the Kracken botnet and could have issued commands to compromised PCs to uninstall the software, but decided against the controversial move because of liability concerns.

“In all seriousness, cleansing the systems would probably help 99 percent of the infected user base,” David Endler, the director of TippingPoint’s researchers, stated at the time. “It’s just the 1 percent of corner cases that scares me from a corporate liability standpoint.”

Continued here.