Was the DNSChanger victory a Pyrrhic one?

Economics of cybercrime favour bad guys and there’s no realistic way to tip the scales.

The DNSChanger malware that could have blacked out the internet for upwards of 300,000 internet users on Monday is a reminder that the economics of cybercrime is on the side of bad guys, according to Mike Tuchen, CEO of Texan security firm Rapid 7.

“With the reported $14M of illicit gains for Rove before the arrest, it’s clear that the balance of high financial incentives and relatively low risk will still tempt plenty of new malware authors to continue to perpetrate more infections of this kind,” wrote Tuchen.

Rove was the target of a collaborative effort between security vendors, researchers, ISPs and law enforcement to take down the Estonian operation responsible for the DNSChanger botnet.

The campaign has been a success, according to many observers, but at what cost?

Trend Micro security researcher Rik Ferguson today pointed out that when it worked with the FBI under Operation GhostClick, the gang behind the botnet was thought to have four million PCs under its control.

The DNSChanger Working Group (DCWG) acknowledged an IP-address-based “victim count” of 800,000 at the time of the gang’s arrest in November 2011. Other estimates of the botnet’s reach at its height place infections at above two million.

By July 9, the number of ‘affected’ but not necessarily ‘infected’ victims was estimated to have fallen below 300,000, by DCWG’s count.

The reduction from millions to hundreds of thousands was a success, according to Tuchen, but it also shows that under current legal, technological and economic conditions, the odds are impossibly stacked against the “good guys”.

“It’s sobering to think of the growing gap between these occasional law enforcement successes and the enormous number of malware strains launched every week,” Tuchen wrote, pointing out Symantec’s count of 403 million new pieces of malware in 2011.

He reasonably speculates the cost to the FBI alone to take down the botnet was an “order of magnitude” more than it was for Rove to create it in the first place.

Three things that could prevent criminals launching these operations would be to:

  • dramatically increase the cost of creating and spreading successful malware;
  • dramatically reduce the cost of shutting down these networks;
  • or dramatically reduce the potential rewards of a successful attack.

While the potential rewards of a successful attack can’t be controlled, reducing the cost of shutting down these networks and increasing the cost of creating successful malware might be, if society invested in it.

Cambridge University security researcher Ross Anderson and co-researchers interrogating the economics of cybercrime recommended spending more on law enforcement and less on “anticipatory” security software.

“The way forward is to see computer misuse as crime, which almost all of it is. Get the police to take down the big criminal botnets and crack down on the big scams,” Anderson explained.

An obvious obstacle to this is surmounting cross-jurisdictional limitations in enforcement, but the DNSChanger arrests and takedown show that victory may be best measured not by reductions in the number of infections, but by the fact that international cooperation was achieved in the first place.
