Frank DENIS random thoughts.

Taking down botnets is not ineffective

Antivirus vendors typically try to protect their customers from known infections, leaving everybody else at risk.

Other companies and individual researchers are actually doing way more than reverse engineering samples. They also spend a tremendous amount of time gathering intelligence, and understanding how each wave of malware works behind the scenes.

More importantly, they also coordinate with a lot of different actors to take down botnets. This has a huge and direct impact over way more people than any security company’s customers base.

Damballa is a well respected company, doing awesome and disruptive research. Their models are very effective and uncovered major botnets.

They recently wrote a surprising blog post: why botnets takedown are ineffective.

The gist is that botnets are never totally taken down. They can be weakened, but as long as they still have a way to communicate with a C&C, they can grow again and survive forever. And many pieces of malware have more than one protocol to communicate.

So, are all these efforts totally worthless?

Similar statements have been made for a long time regarding antivirus software.

New malware samples are rarely detected by antivirus software when they come out. Packers still work. Once antiviruses start raising an alarm, it’s already too late. The malware has already been spreading everywhere for quite some time and a new version is round the corner. It’s a cat and mouse game, and malware is already ahead.

Sandboxes are very effective, but once again, when they start triggering an alert, the infection already began and is unlikely to stop just because sandboxes detected suspicious network activity. Something has to be done with these reports. Such as, taking down the targets of this suspicious network activity.

No security products can permanently block a threat. And this is not restricted to network security.

It’s all about raising the bar.

It is true that taking down a botnet doesn’t arrest malware actors, even though cooperating with registrars and hosting companies can eventually lead to that.

However “starting a botnet from scratch” has a cost. Just keeping a botnet alive has a cost.

If nothing is ever interfering, if the botnet infrastructure can be used forever without any troubles, the cost is low, and the damages are potentially very high.

Shutting down botnets, even partially, makes the entry price higher. Building a botnet currently requires some knowledge, some money and some underground connections. The bar is not very high, but any efforts to make it higher helpers a little bit to control the massive amount of fraud currently going on over the Internet.

Keep taking down botnets. Keep up the good work. You know who you are.