Three Reasons Why Botnet Takedowns are Ineffective

There’s been a lot of press coverage lately about botnet takedowns, especially those by Microsoft and Symantec. While we at Damballa are all for reducing the risk of infection on the Web, the fact of the matter is, these takedowns don’t often achieve that goal. It makes me wonder if these efforts are for the sole purpose of garnering press, because they certainly don’t have any lasting impact on end user safety. Here are three reasons why recent botnet takedowns have been largely ineffective.

  1. The organizations performing botnet takedowns do so in a haphazard manner. To start, they grab only a small percentage of command-and-control domains that make up the botnet’s critical infrastructure. Taking down 24% of the botnet still leaves 76% of it active. The attacker still has a strong foothold and can easily recover. Furthermore, the organizations stomp on sinkholes that have already been established by other security researchers.
  2. The organizations taking down botnets do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA) that may be used by the malware. We looked at 43 pieces of malware and discovered that three of them had secondary callback methods. This means that for at least three of the botnets, security researchers need to take additional steps to make sure the botnet is disabled. This is very important, because as more and more botnets are taken down (albeit haphazardly), attackers will increasingly use a secondary communication method.
  3. The takedowns did not result in the arrest of the malware actor. At the end of the day, it doesn’t matter how many domains are taken down or how many sinkholes researchers create. Unless the attacker is arrested, it doesn’t stop him/her from building a new botnet from scratch.

Bottom line: If security researchers and their organizations are doing takedowns for marketing reasons, then it doesn’t matter how they go about it. But if they are doing takedowns to truly limit Internet abuse and protect end users, then there needs to be a more thoughtful approach than what has typically been used by the industry. Otherwise, the bots will once again veer their ugly heads. At Damballa, we believe we have a process for taking down botnets that will truly limit abuse on the Internet. I’ll share that with you in my next blog post.


Brian Foster
CTO, Damballa

Tags: , ,