Taking down botnets is good / taking down botnets is bad

Did you ever get the feeling that whenever you read about security topics, you can get opposite viewpoints about the same events?

Take shutting down botnets.  To most people, shutting them down is a victory against spam or malware or cyber crime.  When security researchers do it, we all cheer a little bit (the cynical ones huff and say that it’s a short-lived victory that won’t make any long-term difference – don’t they know that cynical pessimists don’t live as long?).  It just goes to show that we can make a difference in the fight against abuse.

From Computerworld:

Microsoft Tuesday said the coordinated take-down of the Rustock botnet and follow-up efforts had purged the malware from over half of the PCs once controlled by Russian hackers.

"This shows that disruptive action [against botnets] is viable and possible," said Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit.

"Once you start taking apart the infrastructure of botnets, you drive up the cost of [botnet gangs] doing business," Boscovich added in an interview Monday. "Disruptive action is just as good as trying to arrest someone."

"The minute you take down Rustock, what does that do to those who want to send spam?" Boscovich asked. "They have to find other botnets. But if you're a botnet herder, and you just saw Rustock go down -- with years of work coding and planting malware and maintaining the botnet -- you're going to charge more. And that's an impact on spammers' cost analysis, as it becomes more and more expensive to send out spam."


Well, that’s a relief.  Taking down botnets disrupts spammers’ cost model and that is one of the major impediments to their financial success.

But the flip side to this botnet story is that all the good news really is bad news in disguise.  Shutting down botnets just means that the criminals have moved onto something else even more lucrative, dangerous, and tougher to disrupt.  All Spammed Up has some commentary:

In what feels like a ‘why did they kick the hornets’ nest?’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.”

The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.” … in its place the law enforcement community has established a new despot: the smarter, more focused scammer!

Reading this, I get depressed.  It’s out of the frying pan and into the fire.  By shutting down botnets we’ve just made it harder to go after criminals, because they have evolved to hide their activities better than before.

It’s a double-edged sword. Spammers are hijacking legitimate accounts because they cannot send from botnets anymore. They aren’t sending anywhere near as much spam because they got bored and moved onto spear phishing which doesn’t depend on sending large amounts of volume.

Does this imply that we shouldn’t have gone after botnets?  The article doesn’t say that, but it is certainly the conclusion I draw from it.

This question gets muddled if we start to compare it to real life.  Since the Sept 11 attacks in the United States, more and more security procedures have been tossed onto travelers.  We have to go through long screening.  We have to take off our shoes.  We have to toss all of our liquid.  We have to go through body scanners. It’s all a major pain!

Yet ironically, the reason that we have to go through all of this is because people looking to take down airliners have been forced to hide bombs in their shoes, in liquid containers and in their underwear.  In other words, we have all been inconvenienced, but so have they: in order to evade security procedures, extremists have shifted their tactics (we can leave aside the debate on the efficacy of the TSA for another time).

At what point do the costs of the actions of security researchers outweigh the benefits?  Will we get to the point where we say “Hmm, maybe we shouldn’t clamp down on this because the next thing could be worse”?  I somehow can’t see that ever happening.

But I don’t like removing my shoes at the airport, either.