Earlier today Microsoft announced the takedown of the Nitol botnet and takeover of the 3322.org domain. However, if you are using the Damballa flow-based Detection Control, this was a non-event. Full disclosure – Cymbel partners with Damballa.
Gunter Ollmann, Damballa’s CTO, today commented on Nitol and 3322.org, and the ramifications of the Microsoft takedown, which I will summarize.
First, Damballa has been tracking Nitol and the other 70 or so botnets leveraging 3322.org for quite some time. Therefore, if you are a Damballa user, any device on your network infected with Nitol, or with any of the other 70 botnets leveraging 3322.org, would already have been identified by Damballa. Furthermore, if you were using Damballa’s blocking capabilities, those devices would be prevented from communicating with their malware’s Command & Control (C&C) servers.
Second, most of these 70+ botnets make use of “multiple C&C domain names distributed over multiple DNS providers. Botnet operators are only too aware of domain takedown orders from law enforcement, so they add a few layers of resilience to their C&C infrastructure to protect against that kind of disruption.” Therefore this takedown did not kill these botnets.
In closing, while botnet and DNS provider takedowns are interesting, they simply do not reduce an organization’s risk of data breaches. Damballa does!!
SC Magazine’s Dan Kaplan’s article on The Hypocrisy of the zero-day exploit trade shows that enterprises can no longer rely on signature-based Detection Controls to mitigate the risks of confidential data breaches resulting from compromised devices.
I am surely not saying that signature-based IPS/IDS controls are dead, as you do want to detect and block known threats. However, IPS/IDSs are surely no longer sufficient. They must be complemented by a behavior-analysis Detection Control (flow and DNS analysis) as part of a redesigned Defense-in-Depth architecture.
You Can Never Really Get Rid of Botnets.
Gunter Ollmann, the Vice President of Research at Damballa, provides insight into botnets in general and specifically into the Kelihos botnet takedown.
What is lost in these disclosures is an appreciation of the number of people and breadth of talent needed to build and operate a profitable criminal botnet business. Piatti and the dotFREE Group were embroiled in the complaint because they inadvertently provisioned the DNS on which the botnet depended. Other external observers and analysts of the Kelihos botnet believe it to be a relative of the much bigger and more damaging Waledac botnet, going as far as naming a Peter Severa as the mastermind behind both botnets.
Botnets are a business. Like any successful business they have their own equivalents of financiers, architects, construction workers and even routes to market.
Past attempts to take down botnets have focused on shutting down the servers that command the infected zombie computers. Given the agile nature of modern botnet design, the vast majority of those attempts have failed. Microsoft’s pursuit of the human operators behind botnets such as Kelihos and Waledac is widely seen as the most viable technique for permanently shutting them down. But, even then, there are problems that still need to be addressed.
While taking down botnet servers is a worthy activity for companies like Microsoft, enterprises still must deal with finding and remediating compromised endpoints.
Looking for Infected Systems as Part of a Security Assessment. Lenny Zeltser describes techniques for identifying signs of malware or compromise in an enterprise setting.
Lenny mentions Damballa’s consultant-friendly licensing option, Damballa Failsafe. We partner with Seculert, who provides a cloud-based service for detecting botnet infected devices in the enterprise.
Boffins devise early-warning bot spotter • The Register.
Researchers at Texas A&M have written a paper proposing a method for Detecting Algorithmically Generated Malicious Domain Names. It focuses on detecting domain fluxing, a technique used by botnets such as Conficker.
The method uses techniques from signal detection theory and statistical learning to detect domain names generated from a variety of algorithms, including those based on pseudo-random strings, dictionary-based words, and words that are pronounceable but not in any dictionary. It has a 100-percent detection rate with no false positives when 500 domains are generated per top-level domain. When 50 domains are mapped to the same TLD, the 100-percent detection rate remains, but false positives jump to 15 percent.
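To make the approach concrete, here is an added example (not code from the Texas A&M paper or from any Damballa product) that scores a batch of second-level labels observed under one TLD with two of the features that family of detectors relies on: the KL divergence of the batch’s character distribution from a benign reference set, and the Jaccard index between the batch’s bigrams and the reference set’s bigrams. The domain lists, reference set and thresholds are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample data (not from the paper or any real DNS feed): the
# second-level labels of a benign reference set, and one batch of labels
# observed under a single TLD that we want to score.
BENIGN_LABELS = ["google", "microsoft", "wikipedia", "amazon", "facebook",
                 "twitter", "example", "register", "damballa", "cymbel",
                 "youtube", "linkedin", "github", "stackoverflow", "reddit"]
SUSPECT_LABELS = ["qzvxkjrt", "plwmnbvc", "xkcvbqzt", "rtyuqwzx", "mnbvcxzq",
                  "ghjklpoi", "zxqwvbnm", "qpwoeiru", "lkjhgfds", "vbnmxzqw"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

def char_distribution(labels, smoothing=1e-6):
    """Smoothed unigram character distribution over a batch of labels.
    Smoothing keeps every symbol's probability non-zero so KL stays finite."""
    counts = Counter(ch for label in labels for ch in label.lower())
    total = sum(counts[ch] for ch in ALPHABET) + smoothing * len(ALPHABET)
    return {ch: (counts[ch] + smoothing) / total for ch in ALPHABET}

def kl_divergence(p, q):
    """D(p || q) in bits: how surprising the batch looks under the benign model."""
    return sum(p[ch] * math.log2(p[ch] / q[ch]) for ch in ALPHABET)

def bigrams(labels):
    """Set of adjacent character pairs appearing anywhere in the batch."""
    return {label[i:i + 2] for label in labels for i in range(len(label) - 1)}

def jaccard(a, b):
    """Overlap of two bigram sets; 1.0 means identical, 0.0 means disjoint."""
    return len(a & b) / len(a | b) if a | b else 0.0

def score_batch(labels, benign=BENIGN_LABELS):
    """Per-batch features: unigram KL divergence and bigram Jaccard index."""
    kl = kl_divergence(char_distribution(labels), char_distribution(benign))
    jac = jaccard(bigrams(labels), bigrams(benign))
    return kl, jac

def is_algorithmic(labels, kl_threshold=0.5, jaccard_threshold=0.3):
    """Flag a batch whose letter frequencies diverge from name-like text and
    whose bigrams rarely occur in the benign set. Thresholds are illustrative;
    a real deployment would calibrate them on its own traffic."""
    kl, jac = score_batch(labels)
    return kl > kl_threshold and jac < jaccard_threshold

if __name__ == "__main__":
    for name, batch in (("benign", BENIGN_LABELS), ("suspect", SUSPECT_LABELS)):
        kl, jac = score_batch(batch)
        print(f"{name}: KL={kl:.3f} bits, Jaccard={jac:.3f}, flagged={is_algorithmic(batch)}")
```

As the paper’s numbers suggest, these per-batch statistics get more reliable as the batch grows, so in practice the batch is the set of names resolved under one TLD in an observation window rather than a single lookup.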
Via an SC Magazine article, a new commercial DDoS botnet has been discovered. IMDDOS is growing at a rate of 10,000 devices per day. Note that this is a commercial effort:
Literally anyone who can read or work with a Mandarin Chinese website can go onto their self-service portal, create an account and pick their victim of choice for a DDoS attack.
The botnet’s C&C domains, located in China, are used to push out instructions to infected bots to launch DDoS attacks against a list of targeted domains. Researchers are unsure of the price of IMDDOS attack services and do not know the actual domain names targeted by IMDDOS customers.
Full disclosure: While this article was “stimulated” by Damballa’s VP of Marketing, I still thought it was newsworthy. We partner with FireEye, a Damballa competitor.