Old-fashioned tactics can still beat the botnets (sometimes)
Microsoft, federal agencies score recent wins against malware
Amid a steady drumbeat of reports about growing threats from sophisticated hackers and organized criminals, there have been two recent pieces of good news. Microsoft successfully took legal action to disconnect bot-herders from the Internet, and agencies appear to have made headway in scrubbing the persistent Conficker worm from government systems.
These successes are especially encouraging because they were achieved not with technical fixes developed in response to new threats but by using existing tools. They show it's possible to short-circuit the continuing game of threat-and-response, in which the good guys are always one step behind, and get out in front of the attackers.
Microsoft was able to get an injunction against 273 malicious domains used by the Waledac botnet. Operation b49 was an effort by Microsoft and other members of the Botnet Task Force to document the source of spam being distributed by thousands of infected computers and then take legal action in federal court under the Computer Fraud and Abuse Act, the CAN-SPAM Act, the Electronic Communications Privacy Act and other federal fraud and trademark protection laws. The software company claimed in the lawsuit that infection by Waledac malware “constitutes an unauthorized intrusion into Microsoft Windows operating systems.”
It's less clear exactly what happened to rid federal systems of the Conficker worm. Rodney Joffe, senior vice president and technologist at Neustar, a directory services provider that administers the domain name registry for the .us country code top-level domain for the Commerce Department, said his company saw a dramatic decrease in Conficker traffic coming from government systems in recent months. The number of apparently infected systems dropped from the tens of thousands to “less than 40 systems in the entire U.S. federal network,” Joffe said last month.
The Homeland Security Department, which runs the U.S. Computer Emergency Readiness Team, denied that Conficker was ever widespread in the government. “There have been minimal indications of Conficker infections to the U.S. government thus far,” a DHS spokesperson said in response to the report. “Departments have been taking the appropriate actions when infections are discovered.”
Whatever the actual rate of infection, DHS attributes the reduction to a broad policy of cooperation that addresses all types of threats rather than to any single countermeasure.
“Programmatically, DHS is addressing how to integrate defense-in-depth strategies for the U.S. government through US-CERT partnerships, Joint Analysis Coordination and Knowledge Exchange and the Botnet Threat Focus Cell within the National Cyber Investigative Joint Task Force,” the spokesperson said. “We are not focusing on a single threat, but all hazards. This approach has dramatically helped us on Conficker.”
What this shows is how successful existing tools can be in mitigating threats. Of course, there are limitations. No one would suggest that a lawsuit is the proper response to every case of malware infection, and no amount of cooperation will undo a compromise if some kind of fix has not been developed. New vulnerabilities, zero-day exploits and rapidly evolving malware still must be addressed case by case.
But persistent, widespread problems, such as botnets, lend themselves to this type of analysis and response, which can help increase the costs and risks to hackers so that the fight won’t be so one-sided.