Score one for the good guys: A collaborative effort from the FBI and Interpol, along with vendors like Microsoft and security agencies such as the Computer Emergency Response Team (CERT) Polska and the Department of Homeland Security’s US-CERT, has taken down a collection of over 1 million computers infected by the Dorkbot malware botnet, according to SC Magazine. It’s been four years in the making, but progress may finally be ahead in the fight against widespread malicious code.
As noted by CSO Online, Dorkbot was first discovered in April 2011. But real notoriety didn’t come until October 2012, when security researchers at GFI Software announced the malware was being spread to Skype users through phony Skype IMs. The malware is designed to steal login credentials for online services like Gmail, Facebook, PayPal and Netflix and usually infects computers through websites running exploit kits or spam sent via email.
Once a computer is compromised, Dorkbot relies on worm functionality to spread via social media, instant messaging or even removable drives. More recently, an exploit kit called NgrBot began popping up on underground marketplaces, which allowed users to create large-scale botnets. Apparently, that was the tipping point, and it was worrisome enough that law enforcement, vendors and security agencies were willing to put aside their differences and go after the rapidly expanding dork network.
Old Problems, New Ground?
While the takedown of more than 1 million bots is good news, the CSO article rightly pointed out that the effects are often temporary. In a few weeks or month, malware creators are back in action with new command-and-control (C&C) servers and an updated version of their software.
According to Canadian news agency CBC, however, the winds of cyber change may be blowing. In Toronto, the Canadian Radio-television and Telecommunications Commission (CRTC) issued the first-ever warrant under the federal government’s antispam legislation. The CRTC was able to show that the Toronto-based server “acted as a command-and-control point for the Win32/Dorkbot malware,” obtain the warrant and take down the hardware as part of the joint Dorkbot effort.
Here’s where things get promising. Sure, malware-makers can simply spin up a new server somewhere, but if other countries are willing to follow the Canadian example and start cracking down on malicious actors and C&C centers before they do significant harm, it may be possible to force cybercriminals’ hand. This would put them on the run instead of giving them the run of user computers and corporate networks.
Bottom line? Taking down a Dorkbot botnet, even one running on one million-plus computers, isn’t the end game here but just a solid first move. Improved collaboration across industries and agencies is a positive step forward but the real move here is hitting bad guys where they live: It’s time to turn ground zero for botnets into a risky bet for any would-be malware makers.