Microsoft: No botnet is indestructible

'Nothing is impossible,' says Microsoft attorney in counter to claims that the TDL-4 botnet is untouchable

No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said, countering claims that another botnet was "practically indestructible."

"If someone says that a botnet is indestructible, they are not being very creative legally or technically," Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said Tuesday. "Nothing is impossible. That's a pretty high standard."

Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated.

"To say that it can't be done underestimates the ability of the good guys," Boscovich said. "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"

Last week, Moscow-based Kaspersky Labs called the TDL-4 botnet "the most sophisticated threat today," and argued that it was "practically indestructible" because of its advanced encryption and its use of a public peer-to-peer (P2P) network as a fallback communications channel for the instructions issued to infected PCs.

Take-downs like Waledac, Rustock and Coreflood have relied on seizing the primary command-and-control (C&C) servers, then somehow blocking the botnet's compromised computers from accessing alternate C&C domains for new instructions.

By doing both, take-downs decapitate the botnet, let researchers or authorities hijack the botnet, and prevent hackers from updating their malware or giving the bots new orders. That also gives users time to clean their systems of the infections with antivirus software.

Kaspersky senior malware researcher Roel Schouwenberg said that TDL-4's use of P2P made the botnet an extremely tough nut.

"Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network," Schouwenberg said last week. "The fact that TDL has two separate channels for communications will make any take-down very, very tough."

Boscovich disagreed, noting that the February 2010 take-down of Waledac successfully suppressed that botnet's P2P command channel.

"[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet," Boscovich said.
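A toy model of the take-down mechanics the article describes (seizing the primary C&C domains, then cutting off the fallback channel by poisoning the peer table), added here as an illustration and not code from Microsoft, Kaspersky or any of the botnets named; every domain and peer id is constructed, and the fixed-size peer-table rule is an assumption of the model.

```python
# Constructed model of a bot with two command channels: an ordered list of
# C&C domains and a P2P peer table used as a fallback. Not any real malware's
# logic; the names and the eviction rule below are assumptions for illustration.

DEFENDER_PEER = "sink-peer"   # constructed marker for a defender-controlled peer entry


def fetch_orders(cnc_domains, peers, sinkholed, injected_peers=()):
    """Return where the bot would obtain its next orders, or 'no-orders'.

    cnc_domains: ordered primary C&C list; peers: the bot's P2P peer table.
    sinkholed: domains seized by the take-down (they no longer hand out orders).
    injected_peers: defender entries pushed into the peer table; the table is
    assumed to have a fixed size, so injected entries evict the oldest real ones.
    """
    # Channel 1: primary C&C domains. A seized domain yields nothing usable,
    # so the bot moves on to the next alternate domain.
    for domain in cnc_domains:
        if domain not in sinkholed:
            return f"orders-from:{domain}"
    # Channel 2: the P2P fallback. Peers are asked for a fresh C&C list; a
    # defender peer answers with nothing useful, a real peer would answer.
    table = (list(injected_peers) + list(peers))[:len(peers)]
    for peer in table:
        if peer != DEFENDER_PEER:
            return f"orders-via-p2p:{peer}"
    return "no-orders"


# Constructed sample botnet state.
CNC = ["cnc-a.example", "cnc-b.example"]
PEERS = ["peer-1", "peer-2", "peer-3"]


def takedown_stages():
    """Compare outcomes as the take-down progresses through the article's steps."""
    return {
        "untouched": fetch_orders(CNC, PEERS, set()),
        "primary_seized_only": fetch_orders(CNC, PEERS, {"cnc-a.example"}),
        "all_domains_seized": fetch_orders(CNC, PEERS, set(CNC)),
        "partial_poison": fetch_orders(CNC, PEERS, set(CNC), [DEFENDER_PEER] * 2),
        "full_poison": fetch_orders(CNC, PEERS, set(CNC), [DEFENDER_PEER] * len(PEERS)),
    }
```

Only the last stage, where every C&C domain is seized and the peer table holds nothing but defender entries, leaves the bot without a source of orders; seizing domains alone just shifts it onto the P2P channel.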

"Each take-down is different, each one is complicated in its own way," said Boscovich. "Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."

Alex Lanstein, a senior engineer with FireEye who worked with Microsoft on the Rustock take-down, said that the relationships Microsoft has built with others in the security field, with Internet service providers, and with government legal agencies like the U.S. Department of Justice and law enforcement were the most important factors in its ability to take down botnets, any botnets.

"It's the trust relationships Microsoft has created," said Lanstein, that have led to successful take-downs. "And I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works."

Boscovich and Lanstein were opposed not only by Kaspersky's Schouwenberg, but also by Joe Stewart, director of malware research at Dell SecureWorks and an internationally known botnet expert.

"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," Stewart said in an interview last week about TDL-4. "It does a very good job of maintaining itself."

But SecureWorks also acknowledged Microsoft's take-down chops, saying that its own statistics show that Rustock attacks have dropped ten-fold since March.

"Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft," a SecureWorks spokeswoman said Tuesday.

"With the Rustock take-down, Microsoft has built the framework for others to do the same," Lanstein said. "This is definitely not the last botnet we're going to go after."

He declined to name the next likely target, saying that doing so would tip Microsoft's and FireEye's hand.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is .
