The war against botnets will be long and hard – there is no doubt about it.
For one thing, command and control centers can be replaced and the targeted botnet resurrected in a relatively short time if the infected machines aren’t cleaned.
As Internet Governance Project’s blogger Michel van Eeten notes, last week’s high-profile shutdown of the Bredolab botnet’s command and control servers by the Dutch Police is a perfect example of how such half-measures are not effective in the long run, since the number of remaining C&Cs is slowly rising again.
“Contrary to what the Dutch police claimed and many people think, law enforcement cannot shut down botnets,” he says. Even if C&C servers are shut down constantly, bot herders are simply going to change their tactic and use, for example, peer-to-peer C&Cs – which are more difficult to detect and shut down.
He is also not satisfied with the Dutch police’s (un)intentional estimate that the botnet consisted of 30 million machines at some point. He believes that the calculations that provided that sum were made on erroneous assumptions and by counting every IP address as a single machine, while in fact different IP addresses can be assigned to the same machine throughout a period of time.
“The real battlefield is in cleaning up the millions of bots,” he says. “That is not a heroic fight with bad guys, but a laborious process of Internet Service Providers engaging with their own customers. To stimulate and support that process, it make a world of difference if you are dealing with 3 million or 30 million machines. No one likes to engage in a fight if their effort seems futile.”
On the other hand, he seems to forget that the police used the botnet’s own infrastructure to notify the owners of the infected computers that they were, in fact, part of the botnet and offered advice on removing the malware from their system.
Since they can’t actually go door to door and visit all those people in person, I would say that they did the best they could. Let’s not forget that they also had a hand in the arrest of the Armenian who is believed to be one of the botnet’s masters. So whether or not the big number is dispiriting to ISPs, it seems to me a small matter – every business has its problems.