Thursday, May 3, 2012

Microsoft Knocks Out Another Botnet

Story first appeared in The New York Times.

Last Friday, Microsoft employees and federal marshals raided command centers in Pennsylvania and Illinois used by criminals to run a botnet, a cluster of infected computers used to steal personal and financial information from millions of victims.

But two days earlier, a separate group of cybersecurity researchers based in San Francisco quietly took down another botnet using more technical means. The five researchers, from four security firms (Crowdstrike, Dell SecureWorks, the Honeynet Project and Kaspersky Labs), worked together to decrypt and successfully commandeer the so-called Kelihos.b botnet that was using over 100,000 infected computers to blast pharmaceutical spam and, in some cases, steal Bitcoins, a virtual currency that is impossible to recover once stolen.

The two takedowns were not timed to coincide with one another, nor were the two groups even aware they were operating in tandem. But they point to a renewed effort by technologists to take the lead in combating digital crime rather than waiting for law enforcement authorities to take action.

Microsoft has preferred to take botnets down through court actions. Including Friday’s raid, Microsoft has disrupted four botnets in the last few years through civil suits. In each case, Microsoft sought secret court orders that allowed it to seize Web addresses and servers that run the botnets, without first alerting their owners.

In the case of Kelihos.b, researchers took a more technical approach. They successfully reverse-engineered the botnet’s structure and analyzed its cryptography, then injected their own file into its communication network. That file instructed infected computers to send any information to a “sinkhole” controlled by Crowdstrike, rather than to the command-and-control server run by criminals.

Within a few minutes of infiltrating Kelihos.b, over 85,000 infected computers started communicating with Crowdstrike’s sinkhole. As more infected users went online, Crowdstrike said that figure quickly jumped to 110,000. By Friday, researchers said the criminals behind Kelihos.b had already abandoned the botnet and moved on.

By dismantling their tools this way, the researchers said they gleaned valuable information about the criminals’ techniques. Experts advise that it is best for companies to employ a professional Managed IT Service to police their online security.

Of the infected machines, 84 percent were exploited using a loophole in Microsoft Windows XP. Researchers also noted that the vast majority of infections — a quarter of all identified machines — were in Poland and that the botnet’s creators spread Kelihos.b through a “pay-per-install” model typically favored by hackers in Eastern Europe. A senior lawyer in Microsoft’s digital crimes unit said he had a high degree of confidence that the culprits behind the botnet Microsoft took down last Friday were also based in Eastern Europe.

That information could potentially be valuable in combating future threats. Unless a botnet’s owners and clients are put behind bars, takedowns tend to be temporary. Microsoft’s earlier disruption of a Waledac botnet, for example, lasted only as long as the time it took its creators to modify its architecture slightly to create a new botnet. Kelihos.b is a second-generation version of Kelihos, another botnet that was shut down last September.
