Information Warfare: Biggest Botnet Takedown Ever


April 4, 2020: Microsoft recently announced another successful operation against hackers by taking down the Necurs botnet. This was an international effort involving governments and computer security firms in 35 countries. Microsoft has, since the 1990s, become the major international computer security operation. That has led to working with the U.S. FBI (Federal Bureau of Investigation) and similar organizations worldwide. The effort to take down Necurs is a good example of the central role Microsoft plays because it took nearly a decade to figure out what Necurs consisted of, how it worked and what it would take to destroy the botnet, rather than just damage it. While that effort was underway Necurs grew from under a million PCs controlled to over nine million. The botnet operators knew they were being scrutinized by Microsoft, Internet security firms and police organizations, and kept improving their defenses and survivability.

Necurs was dangerous not because of its durability but because it was largely a utility for cybercriminals and even some intelligence agencies. You rent various services requiring a botnet and Necurs was the best available for that in terms of price and reputation. Moreover, Necurs had a track record of reliability and keeping its secrets. Like most major botnet operations, Necurs' botnet command and control system was well protected and the botnet itself had numerous fallback systems to use if someone managed to penetrate the first level (or levels) of security. Figuring out how that security worked was the major reason it took so long to bring down Necurs. This effort was complicated by the Necurs operators constantly upgrading their security and robustness. Every time they did that Microsoft had to revise its plan to take down the botnet.

In the last decade, Microsoft has taken the lead in dissecting and dismantling over a dozen major botnets. Many of these operations took several years to execute. These efforts don’t always destroy a botnet. For example, in 2015 Microsoft severely damaged the Dorkbot botnet and the software that sustained it. The Dorkbot organization infected over 100,000 PCs a month and used them for large scale extortion and larceny via the Internet. Dorkbot usually controlled a million or more PCs at any one time. The hackers behind Dorkbot also sold other hackers software (mainly NgrBot) to build their own botnets. What made Dorkbot so dangerous was that it used worm malware. Worms automatically seek out vulnerable PCs, infect them and then keep going. Because Dorkbot distributed some of its operating software, other versions of Dorkbot still appear, even though the original is gone. These clones have not aged well because the original creators and managers of Dorkbot were put out of business.

Microsoft is a major threat to operations like Dorkbot. But Microsoft is not alone, as it works with a growing network of computer security firms that share information on malware and jointly adjust their security software to block and track malware like Dorkbot. The U.S. FBI and similar organizations worldwide assist in this by conducting criminal investigations based on evidence collected by Microsoft and its consortium of security firms.

Since the 1990s Microsoft has taken the lead in helping the FBI overcome a shortage of technical knowledge about PCs and the Internet. This was, and is, a common problem throughout government. But it is particularly serious when the organization responsible for dealing with Internet criminals is not trained or equipped to do so. The FBI also helps by offering bounties of up to $5 million for those on the top ten most wanted hackers list. In the last decade this has led to substantial damage to operations that operate internationally against banks, corporations and individuals.

A typical takedown effort went after the Gameover Zeus botnet. In 2014 that botnet controlled over half a million PCs. The creator was known by name (Evgeniy Mikhailovich Bogachev) but, as a Russian citizen living in Russia, he was untouchable, despite evidence that he and his crew of Russian and Ukrainian hackers stole over $100 million. It proved impossible to get Russia to extradite him, or any other hackers who worked for the Russian government, for trial in the United States. Gameover Zeus had been operating at least since 2011 and specialized in bank fraud: stealing IDs and passwords of users and making fraudulent transfers. Gameover Zeus was also used for extortion by getting into PCs and encrypting the contents, then offering the decryption key only if the owner sent a few hundred dollars in untraceable money to the botnet operators. Bogachev is well protected by Russia because he has made himself useful to Russian intelligence by developing hacks that obtained secret information from foreign governments. When the FBI discovered that activity over the last few years, they realized they were probably never going to get Bogachev, even with the $5 million reward long offered. Russia considers Bogachev a national security asset and as such he is virtually untouchable by foreign prosecutors.

Technically, botnets are large numbers of infected PCs, known as zombies, under the control of botherders. These herders are the people who run the networks/botnets full of zombies. Zombies are created by hackers, who write computer viruses that get into your computer from an infected website or a booby-trapped file attachment to spam email. Since 2001 the FBI has been treating the creators and operators of these botnets as criminals (which they are) and hunting them down. The FBI has been increasingly successful at this and is finding, arresting and prosecuting a growing number of botnet owners. This is usually accompanied by shutting down the botnets in question. For example, as early as 2007 the FBI announced that Operation Bot Roast had identified over a million compromised PCs, in scores of botnets. The FBI tried to get in touch with as many of these computer users as possible, and direct victims to organizations and companies that could help them clean the zombie software out of their computers. Help was offered free, although many of the compromised PCs were found to be clogged with all manner of malware, which is largely illegal software hidden on your machine to feed you ads or simply track what you do. The takedown of the Gameover Zeus and Dorkbot botnets is a continuation of the effort the FBI began years ago with Bot Roast.

Currently, on any given day, over twenty million of the laptop and desktop computers worldwide are zombified. These captive computers are organized into botnets of thousands, or over a million, PCs that do the bidding of their controllers. The most common use of botnets is transmitting spam and secret programs that create more zombies or steal information such as government secrets or your banking information. Internet criminals spend most of their time seeking out poorly protected PCs connected to the Internet that can be turned into zombies. This can cost up to a dollar per zombie PC. The "owners" of these zombies then use them to make money. This includes sending spam, launching DDoS (distributed denial of service) attacks, bank and consumer fraud, extortion and so on. Some botnet owners rent their zombies out. There is no honor among thieves, either, with some Internet crooks seeking out botnets, and using their tools to try and take control. The good guys play this game as well, seeking out the botnets, and purifying the infected machines by finding and deleting the hidden software that makes a PC a zombie.

Most owners of zombified computers don't even realize their PCs have been taken over. Some with heavily infected machines do notice that the malware slows down the PC, and there have been cases where the user just went out and bought a new computer. Usually reformatting the hard drive and reinstalling your software works, and is a lot cheaper. But most computer users today don't know how to reformat a hard drive or even get someone to do it for them. Microsoft and Internet security firms have, since 2007, much improved and automated security software that detects and automatically removes the software secretly planted on PCs to turn them into zombies. Microsoft’s software security system is now removing hacker software from millions of computers a month and is considered, overall, as good as independently available security software. As a result, even major botnets can protect their network infrastructure but take a lot of damage daily, especially from Microsoft, which provides frequently updated security software for its operating systems to detect and remove the latest botnet control malware.
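The three paragraphs above describe zombies that quietly check in with a botherder's command and control servers, and defenders who hunt for them on the network. One simple way a defender spots such a zombie is by looking for "beaconing": a host that contacts the same destination at an almost perfectly regular interval, which ordinary user-driven traffic rarely does. The script below is an added example written for this page, not code from the article or from Microsoft or the FBI; the log lines are constructed for the example, and the thresholds (`min_connections`, `max_jitter`) are illustrative assumptions rather than any product's settings.

```python
"""Flag hosts whose outbound connections to one destination recur at a
near-constant interval, a basic heuristic for botnet command-and-control
beaconing. Added example; the log lines below are constructed, not real."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style records: timestamp, source host, destination.
# 10.0.0.5 checks in with 203.0.113.10:443 every five minutes (beacon-like);
# 10.0.0.9 browses 198.51.100.2:80 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2020-04-04T10:00:00 src=10.0.0.5 dst=203.0.113.10:443
2020-04-04T10:00:07 src=10.0.0.5 dst=198.51.100.2:80
2020-04-04T10:05:00 src=10.0.0.5 dst=203.0.113.10:443
2020-04-04T10:10:01 src=10.0.0.5 dst=203.0.113.10:443
2020-04-04T10:15:00 src=10.0.0.5 dst=203.0.113.10:443
2020-04-04T10:20:00 src=10.0.0.5 dst=203.0.113.10:443
2020-04-04T10:00:12 src=10.0.0.9 dst=198.51.100.2:80
2020-04-04T10:03:40 src=10.0.0.9 dst=198.51.100.2:80
2020-04-04T10:31:05 src=10.0.0.9 dst=198.51.100.2:80
2020-04-04T10:32:00 src=10.0.0.9 dst=198.51.100.2:80
2020-04-04T11:10:00 src=10.0.0.9 dst=198.51.100.2:80
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        key = (src.split("=", 1)[1], dst.split("=", 1)[1])
        flows[key].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=4, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds) for every flow whose gaps
    between connections vary by less than max_jitter (coefficient of
    variation). Thresholds are illustrative assumptions."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every {interval:.0f}s")
```

On the constructed log this flags only 10.0.0.5 talking to 203.0.113.10:443 every 300 seconds. In practice a hit is a starting point for triage, not a verdict: legitimate update checks and monitoring agents also beacon, so an analyst would next look at the destination's reputation and the process on the host that opened the connection, which is the kind of evidence the article says Microsoft and its partner firms collect before a takedown.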

To avoid the FBI and other international police efforts, many botherders seek sanctuary in countries without an extradition treaty with the United States. Criminal gangs are increasingly active in this area, and, in the case of China, so are government Cyber War operations. But even China has been hit by hackers and recently enacted laws against computer crimes.

The most powerful Internet weapons on the planet are botnets. And many of them are getting into uniform. In wartime, many of these botnets would be turned into weapons. A botnet can be used to shut down essential military networks or infect military computers with destructive (to the computer) software. This is one of the major security threats Russia, China, Iran and North Korea pose to other nations.