Was the DNSChanger victory a Pyrrhic one?

The economics of cybercrime favour the bad guys, and there is no realistic way to tip the scales.
  • Liam Tung (CSO Online (Australia))
  • — 10 July, 2012 16:01

The DNSChanger malware, whose infected machines stood to lose DNS resolution, and with it effectively their internet access, when the court-ordered replacement DNS servers were switched off on Monday, is a reminder that the economics of cybercrime favour the bad guys, according to Mike Tuchen, CEO of security firm Rapid7. As many as 300,000 users were still at risk when the servers went dark.

“With the reported $14M of illicit gains for Rove before the arrest, it’s clear that the balance of high financial incentives and relatively low risk will still tempt plenty of new malware authors to continue to perpetrate more infections of this kind,” wrote Tuchen.

Rove Digital, the Estonian company behind the DNSChanger botnet, was the target of a collaborative effort by security vendors, researchers, ISPs and law enforcement to take the operation down.

The campaign has been a success, according to many observers, but at what cost?

Trend Micro security researcher Rik Ferguson pointed out today that when the company worked with the FBI on Operation Ghost Click, the gang behind the botnet was thought to have four million PCs under its control.

The DNSChanger Working Group (DCWG) put the IP-address-based “victim count” at 800,000 at the time of the arrests in November 2011. Other estimates of the botnet’s reach at its height place infections above two million.

By July 9, the number of ‘affected’ but not necessarily ‘infected’ victims had fallen below 300,000 by DCWG’s count. The distinction matters: the count is of unique IP addresses seen querying the replacement DNS servers, and one address may front many hosts behind a NAT gateway, while a single host on a dynamic address may be counted more than once.

The reduction from millions to hundreds of thousands counts as a success, according to Tuchen, but it also shows that under current legal, technological and economic conditions the odds are impossibly stacked against the “good guys”.

“It’s sobering to think of the growing gap between these occasional law enforcement successes and the enormous number of malware strains launched every week,” Tuchen wrote, pointing out Symantec’s count of 403 million new pieces of malware in 2011.

He speculates, reasonably, that the cost to the FBI alone of taking down the botnet was an “order of magnitude” higher than what it cost Rove to build it in the first place.

Tuchen identifies three levers that could deter criminals from launching such operations:

  • dramatically increase the cost of creating and spreading successful malware;
  • dramatically reduce the cost of shutting down these networks;
  • or dramatically reduce the potential rewards of a successful attack.

The potential rewards of a successful attack are largely outside defenders’ control, but reducing the cost of shutting down these networks and raising the cost of creating successful malware might not be, if society chose to invest in it.

Cambridge University security researcher Ross Anderson and his co-authors, studying the economics of cybercrime, recommended spending more on law enforcement and less on “anticipatory” security software such as antivirus.

“The way forward is to see computer misuse as crime, which almost all of it is. Get the police to take down the big criminal botnets and crack down on the big scams,” Anderson explained.

The obvious obstacle is the cross-jurisdictional limits of enforcement, but the DNSChanger arrests and takedown suggest that victory may be best measured not by the reduction in infections but by the fact that international cooperation was achieved at all.
