There are a number of sources talking about the takedown of the Mariposa botnet; here are a few of the good ones:
- The Associated Press details the story and talks about the technical aspects of the takedown.
- Boing Boing only has an excerpt. Nothing too detailed.
- Panda Labs, who assisted in the disruption, has its own blog post about its participation and the actions that it took.
- Symantec adds something to the discussion with their analysis of the chief piece of malware in the botnet (W32.Pilleuz, aka Win32/Rimecud.R).
- Gary Warner, over at the University of Alabama, has a great discussion on botnets. He urges the anti-botnet community to move from a model of taking down botnets with technology to taking down spammers within the legal framework.
In case you haven’t been reading through the security space lately and mine is the only blog you read, here’s the 411 rundown: Spanish authorities, working with researchers from Panda Labs, Defence Intelligence and a couple of other educational institutions, took down the Mariposa botnet (Mariposa is the Spanish word for “butterfly”). The Mariposa botnet is absolutely enormous, with around 12 million (!) nodes doing its bidding. It was involved in things like credit card phishing and identity fraud.
Yet the notable thing about the Mariposa botnet was not its sophistication, but rather the lack of sophistication of the people running it. It wasn’t a bunch of cybercrooks in Eastern Europe running it, but everyday ham-and-eggers like you and me. To be sure, the infrastructure of Mariposa was sophisticated, with VPN traffic and hiding behind other drones, but what ultimately led to its downfall was one of its operators making a mistake. In December, the botnet was knocked offline and the people running it weren’t making money. Driven by hubris, one operator attempted to regain control of it – by connecting to it via his home computer. That was his critical mistake. He sent a flood of DoS traffic to Defence Intelligence, the Canada-based organization responsible for assisting in taking it offline, but it was this direct connection that left a trail to him and gave authorities in Spain the chance to move in and make the arrest.
The people behind it were not tech-heavy hackers, but instead were criminals who outsourced most of the technical work in an attempt to move their crime online.
Is such a takedown effective? Here’s Gary Warner’s take:
Those of you who have heard me speak in person know that I believe the answer to these botnets and their continued survival must be the Criminal Justice process. When McColo was shut down (see Analyzing the Aftermath of the McColo Shutdown or Brian Krebs' Major Source of Online Scams and Spams Knocked Offline) spam had a significant world-wide drop in volume, but it rebounded. Why? Because no bad guys went to jail.
Our friends at FireEye are doing amazing botnet work (see their blog @ FireEye Malware Intelligence Lab), but without convictions, even the successful botnet takedowns, like their work on Smashing the Mega-D/Ozdok Botnet, eventually rebound.
Cautions are already being expressed as a result of the Waledac take-down, that by using TECHNOLOGY to do the takedowns instead of CRIMINAL JUSTICE APPROACHES that we are just helping to rapidly evolve the capabilities of the various cyber criminals who make their living through spam.
We have to move from DISABLING the C&C networks, to MONITORING the C&C networks. Bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door.
My own view is that the fight against spammers must be multi-pronged. No one company really has a handle on it; instead, a combination of techniques is required. In no particular order:
- Vendors must build software that is secure.
- Users must make sure that their software is up to date with latest patches.
- Users must use security software.
- Anti-abuse technology (spam filters, corporate firewalls) must be effective to disrupt the spammers’ cost models.
- Law enforcement must move to take down cyber criminals.
- Governments must pass laws clearly defining electronic abuse, and update the existing laws surrounding it.
- Spammer infrastructure must be disrupted.
- Organizations need to monitor and mitigate abuse, reactively and proactively.
So, realistically, advocating one solution over another has its merits, but we are still a long way from stamping out abuse. If spammers can hit users with different types of threats (black SEO, rogue A/V, spam, DoS attacks, etc.), then anti-abuse proponents must similarly have a quiver full of arrows with which to strike back.