Botnet C&C Quandary: Infiltrate or Extirpate?
Much random discussion takes place about whether botnet C&C infrastructure should be immediately taken offline or should instead be infiltrated in order to identify compromised machines, collect malware, monitor illicit activities, attempt to identify the miscreants involved, or serve any number of other motivators. There are two pretty well segmented camps when it comes to determining which of these actions is more appropriate, and affiliation may be largely guided by the personal or business motivators and the resources of those involved. Network operators are clearly in the best position to disrupt botnet C&C transactions, but what are the benefits and offshoots of doing so?
Not surprisingly, it still seems to me the industry is quite fragmented when it comes to dealing with botnet C&Cs. Some notable remarks from network operators:
- “I care but don’t have the time to research it, keep the network clean and keep the end-user online.”
- “Not paid to, nor have resources to dive into C&Cs.”
- “To do anything beyond taking them [C&Cs] out would require face-to-face time with legal and they’re certainly going to say NO right off the bat.”
- “I’ve gotten into trouble with legal in the past for doing this [infiltrating].”
- “Simply null routing C&C traffic has much less liability for me.”
The liability and legal issues seem to resonate most often with network operators when considering diversion of botnet C&C traffic to their own or a researcher's or partner's analysis system – though oddly, there seems to be far less concern about simply taking the C&C offline via blackholing or null routing on “their piece of the Internet”. A fair number of network operators said they do indeed divert and/or infiltrate C&Cs as well, though usually only under more reactive circumstances.
Of course, among research, security vendor and law enforcement types, the responses were more along these lines:
- “Just leave it online, don’t null route it”
- “Divert to me and let me analyze or emulate the C&C to get host and other malware and system attribute data”
- “We’re more than happy to help the operators, we realize they have lots of other duties, they just need to ask.”
- “Please don’t break connectivity, I’m monitoring [something] here”
- “Disrupting C&C from botnets where attacks are currently underway only exacerbates the problems by creating mindless bots that can’t be centrally disengaged”
- “Malware collection needs to occur to size up the adversary”
- “Without monitoring, we’re flying blind and under constant attack”
One might surmise that actual researchers and related lurkers on a given botnet C&C comprise a significant portion of the total presumed bot population.
Of course, when large attacks occur, throwing bandwidth and infrastructure at the problem is clearly not a long-term solution, and often not a short-term one (considering attacks today as large as 25 Gbps). Once under attack, the clueful or well-connected often seem to gravitate towards identifying participating hosts, extracting and analyzing malware, infiltrating the C&C, identifying the full set or some subset of hosts connected, and stopping the attack by issuing appropriate commands, and perhaps then taking the C&C offline – until it pops up elsewhere!
Sometimes the opportunity is afforded to track the attacker and determine his actions, motivations, or other relevant information. Sprinkle a bit of pixie dust and you might even find yourself working with law enforcement on arrest and prosecution of the responsible miscreant(s). They [law enforcement] certainly seem to be taking a much more proactive approach to understanding and investigating bot-related activities.
Obviously, law enforcement involvement trumps all, though when engaged it’s often only with the end system administrator or the first-hop ISP and the loosely fragmented response nature of the industry complicates this situation considerably. Consider, for example, a first-hop ISP that’s working with law enforcement to monitor a botnet C&C connected to one of their subscriber ports, when, unknowingly, their upstream service provider null routes all traffic to the C&C IP address. That action certainly scopes things, doesn’t it?
Not sure if it’s good news or bad WRT this topic – I fear the latter – but the continued evolution in sophistication of bot C&C infrastructure, from more dynamic, to load-balanced, to peer-to-peer, certainly makes for interesting cogitation as well.
As for me, I subscribe to the “do no more harm” bit of the Hippocratic Oath. If the botnet is actively being used for lifting ID data, launching attacks, compromising sensitive or critical systems, or any of an ever-expanding array of malicious activities, it needs to be taken out (assuming taking it out fixes the problem). Of course, one would likely only know this if they were monitoring bots in the first place – and I’m in favor of as much monitoring as possible.