Microsoft DCU — Strike Three. Now What?

Microsoft DCU recently announced (http://www.microsoft.com/en-us/news/press/2013/dec13/12-05zeroaccessbotnetpr.aspx) legal action against the click-fraud component of the ZeroAccess (ZA) botnet. It is common knowledge in the security community that ZA uses a peer-to-peer (P2P) Command and Control (C&C) channel. That is, the botmaster can control the botnet and push updates (i.e., C&C commands, new malware, etc.) to it via the P2P “overlay” network, obviating the need for centralized infrastructure, which is far more straightforward to disable. As with most botnets, ZA uses its infected hosts to make money, in this case by committing click-fraud. Needless to say, any meaningful action against the ZA botnet must disrupt the P2P communication channel. Disabling the click-fraud component is trivially countered by the botmaster simply pushing an updated binary with fresh click-fraud configurations over the P2P channel. This extensive legal work can be undone in a matter of hours.

To make matters worse, it appears that the takedown of the click-fraud component was incomplete. Even if ZeroAccess did not use a P2P C&C, this takedown still would have been insufficient. Figure 1 (left) shows the extended infrastructure generated by passive DNS analysis of the IP addresses (gray) and domains (black) MDCU targeted in their takedown. Figure 1 (right) shows the same infrastructure, colored by which vertices MDCU took down (green) and which they did not (red). Approximately 62% of the infrastructure was not taken down. Even without updates being sent across the P2P channel, the botnet’s monetization was largely unaffected. Stay tuned for a future blog article detailing the lookup volumes to this infrastructure around the time of the takedown.

Figure 1: ZeroAccess click-fraud infrastructure (left) black: domains, gray: IPs (right) green: disabled by MDCU, red: not disabled by MDCU

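The Figure 1 measurement, as an added example that is not Damballa’s own code: seed the graph with the seized domains and IPs, expand it through passive DNS (domains observed on seized IPs, IPs observed behind seized domains, and so on), then report what share of that infrastructure the takedown left standing. The passive DNS records, names and addresses below are constructed placeholders.

```python
"""Measure how much of a takedown's extended infrastructure was disabled."""
from collections import deque

# Constructed passive-DNS observations: (domain, ip) pairs seen resolving.
PDNS = [
    ("ads1.example-fraud.test", "198.51.100.10"),
    ("ads1.example-fraud.test", "198.51.100.11"),
    ("ads2.example-fraud.test", "198.51.100.11"),
    ("click.example-fraud.test", "198.51.100.12"),
    ("stats.example-fraud.test", "198.51.100.12"),
    ("stats.example-fraud.test", "203.0.113.5"),
    ("cdn.example-fraud.test", "203.0.113.5"),
    ("unrelated.example.test", "192.0.2.77"),  # never touches the seed set
]

def build_graph(records):
    """Bipartite domain <-> IP adjacency built from pDNS (domain, ip) pairs."""
    adj = {}
    for dom, ip in records:
        adj.setdefault(dom, set()).add(ip)
        adj.setdefault(ip, set()).add(dom)
    return adj

def expand(adj, seeds, max_hops=2):
    """BFS outward from the seized vertices, at most max_hops pDNS steps."""
    seen = set(seeds)                      # seized vertices always count
    queue = deque((s, 0) for s in seeds if s in adj)
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nbr in adj[node]:
            if nbr not in seen:
                seen.add(nbr)
                queue.append((nbr, hops + 1))
    return seen

def takedown_coverage(records, seized, max_hops=2):
    """Return (fraction of infrastructure NOT disabled, surviving vertices)."""
    infra = expand(build_graph(records), seized, max_hops)
    if not infra:
        return 0.0, []
    survivors = sorted(v for v in infra if v not in seized)
    return len(survivors) / len(infra), survivors

if __name__ == "__main__":
    seized = {"ads1.example-fraud.test", "198.51.100.12"}  # constructed seed set
    frac, left = takedown_coverage(PDNS, seized)
    print(f"{frac:.0%} of the extended infrastructure not disabled: {left}")
```

Raising `max_hops` widens the graph exactly as a more aggressive pDNS pivot would, so the reported fraction should be read together with the hop limit used to produce it.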

As Brett Stone-Gross et al. showed in their IEEE Security and Privacy paper (http://www.ieee-security.org/TC/SP2013/papers/4977a097.pdf), taking down a P2P botnet is anything but easy.

This is not the first time MDCU have failed in their efforts. Their action against one instance of the Zeus botnet seized control of domains that were already sinkholed by the ShadowServer Foundation and abuse.ch. Researchers from both White Hat organizations lost access to important sources of data around this particular threat due to MDCU’s actions. Despite this, the security community has made attempts to work with MDCU, as collaboration between security organizations is likely the best way to combat these kinds of global threats. Preliminary reports indicate that MDCU has stolen domains yet again. One case has been published (http://dnsamplificationattacks.blogspot.com/p/blog-page.html) and was considered “John Doe #2”, and the other can be inferred from reading the court order’s description that “John Doe #4” was also running a legitimate sinkhole operation.

This message does not seem to have been received. In Operation b70, MDCU took over the entire 3322.org zone, a Chinese dynamic DNS provider, in an effort to eliminate a series of threats, focusing in particular on the Nitol botnet. Microsoft not only failed to eliminate the abuse under this dynamic DNS provider but they also:

  1. served APT domain names, which were identified by other researchers, with tier-one professional DNS hosting infrastructure provided by a well-known DNS vendor,
  2. created severe collateral damage to benign domain names served under the particular authority and finally,
  3. effectively broke important components of the DNS protocol (i.e., MX records), as pointed out by other security veterans in the field.

Yacin Nadji et al., in a recent paper at the 20th ACM Conference on Computer and Communications Security (http://www.cc.gatech.edu/~ynadji3/docs/pubs/rza-ccs2013.pdf), rigorously measured these recent takedown attempts. The research uses real-world datasets from Damballa’s North American ISP visibility, DNS reputation information and malware traces from dynamic malware executions. The results disclosed in the paper show that MDCU’s actions had little impact and in many cases allowed malicious infrastructure to continue running unperturbed.

But simply calling out failures would be easy to do and is not productive for the broad security community. The paper also describes an algorithmic approach that allows any researcher to argue scientifically about two things: (1) whether a takedown action should be taken against a particular threat, given DNS network-level and malware-level analyses, and (2) if the action must be taken, how successful the takedown would be and what collateral damage it could cause.

MDCU has the potential to bring the security community together and clearly has the gumption to initiate takedown actions. However, the results have been divisive thus far. Their actions often run counter to the goals of the security and law enforcement communities, simply because they neither stop the threats nor place people behind bars. Microsoft is known for supporting and contributing exceptional and rigorous computer science research, but the actions of the MDCU do not appear to be as thorough.

The security industry, academic researchers, and law enforcement need to come together in order to systematically and rigorously solve the problem of Internet abuse. Doing it alone is unlikely to work.


Yacin Nadji
Ph.D. Candidate, Georgia Institute of Technology, GTISC.

Manos Antonakakis, Ph.D.
Chief Scientist, Damballa, Inc.
