White hats bust history's biggest botnet

Security white hats have coordinated with law enforcement in a five year effort to torpedo a criminal botnet that enslaved some 4 million computers.

Researchers hostexploit.com’s Jart Armin and others from Team Cymru, SpamHous, Symantec and Trend Micro joined the FBI, NASA’s Office of Inspector General, Estonian police, and the Dutch National Police Agency and gathered intelligence on the monster DNS Changer botnet.

The researchers, under the title of the DNS Changer Working Group, led to the destruction of a sophisticated money-making Estonian business behind the botnet.

Their intelligence gathering predated 2005 and crossed dozens of countries, leading to the arrest of several Estonian business people and the disconnection of more than 100 command and control servers from US data centres.

The botnet consisted of infected machines which had browser Domain Name Server (DNS) settings changed to point to US-based command and control servers operated by a criminal business.

It generated cash by switching web advertisements on victim browsers, hijacking search results and installing malware. The ad revenue alone generated some $14 million in illicit fees.

A anonymous FBI agent described the botnet and the business behind it as having “a level of complexity that we haven’t seen before”.

On November 8, the FBI and Estonian police took down the botnet using evidence supplied by the private industry.

Two data centres were raided in New York and Chicago. An Internet Systems Consortium support officer for BIND was on hand to hot swap the botnet servers of which the 4 million victim machines relied on.

“He got on a plane upstate and replaced them with legitimate DNS,” Trend Micro and a key coordinator Paul Ferguson said. This move was required because infected computers that pointed to the DNS servers could have lost internet connectivity.

“[The new servers] began recording IP addresses of infected machines contacting them.”

Those logs provided a hit list of DNS Changer victims which will be supplied to local telcos who will contact each infected subscriber to help them reconfigure DNS settings and remove malware. The data will be compiled until mid next year under a court appointed custodial role given to the ICS.

“Fixing DNS settings could be tricky. You can’t just make an application tool for everyone,” Ferguson said

A common danger unites even the bitterest enemies

Online criminals can expect to face a stronger alliance of white hats and law enforcement.

Companies say the crime-fighting effort is unhindered by rivalry. Top researchers at Symantec and Trend Micro – rival companies that fight in an already saturated anti-virus market – say they ignore “marketing stuff” and work together to take down criminals.

Ferguson says they hold regular conference calls and share intelligence over closed community mailing lists.

“There are members of academia, ISPs, law enforcement working on these operations,” he said. “The mailing lists operate 24/7 ... I work daily with researchers at Symantec – we leave the marketing out of it and work together because the bad guys do”.

In the lead up to the take down of the DNS Changer botnet, participating white hats held conference calls up to twice a week to ensure that the four million victims of the botnet would not lose internet connection when the DNS servers were pulled.

Ferguson said he aims to meet each of the white hats in person before working on a case: “I like to meet them in person over a beer at conference ... nothing substitutes.”

Symantec’s managing director Craig Scroggie said the industry relied on such cooperation to help protect users who, after all, were their customers.

“It is an established practice,” Scroggie said. “If someone finds malware that another has not seen, they share it.”

He said the agreements were a formal process, adding that the security community has a common interest in combating and sharing information about online crime.

Copyright © SC Magazine, Australia