Botnet Take-downs gone Awry in the Past

Dismantling botnets is an essential part of effectively fighting organised cybercrime and disrupting malicious infrastructure online, that is being used to spread malware and spam across the vastness of cyberspace. Yet not every operation to dismantle a botnet has earned enthusiastic praise and applause from the security community. Four cases are of particular significance to grasp why fighting botnets is not always black and white, and occasionally seeps into a grey area where good intentions turn bad.

No-IP and collateral damage

No-IP is one of the world’s largest dynamic Domain Name System (DNS) provider, whose service enables customers to attach their dynamic IP address to a static hostname or sub-domain. A variety of users are utilising No-IP to remotely access their internet connected device, to for example run their home routers or video surveillance, or to maintain their security systems.

On June 19, 2014, Microsoft filed an ex-parte temporary restraining order with the US District Court of Nevada, against No-IP and two Kuwaiti individuals.[1] Microsoft alleged that 23 domains run by No-IP were used by these two individuals to manage their botnet operation and steal sensitive data from numerous Windows computers in the process.[2] While No-IP was not directly accused of any wrongdoing, Microsoft stressed that the DNS provider had not done enough to stop the malicious conduct on its network,[3] and was not following security best practices.[4]

No-IP on the other hand noted that no one at Microsoft ever contacted them prior to the issue of the restraining order being filed to block certain sub-domains, or made them aware of the abuse that was taking place on their network.[5]

On June 30, Microsoft effectively seized the 23 No-IP domains and began blocking and re-routing infected computers to a sinkhole.[6] However, due to a ‘technical glitch,’ customers that were legitimate and paying subscribers to No-IP’s service were also sucked into the sinkhole, causing massive collateral damage in the process. According to No-IP, nearly 5 million connections went dark[7] and millions of websites and devices were unreachable,[8] because Microsoft’s infrastructure was “unable to handle the billions of queries from our customers.”[9]

Nate Cardozo over at the Electronic Frontier Foundation (EFF) noted that Microsoft reversed its course just two days later and began returning the domains to No-IP’s parent company Vitalwerks.[10] Both parties eventually reached a settlement on July 9th in which Microsoft admitted that “Vitalwerks was not knowingly involved with the subdomains used to support malware” and that it “regrets any inconvenience [Vitalwerks] customers may have experienced.”[11]

The additional irony of the whole ordeal is that No-IP and Microsoft closely cooperated in the past, within (a) the context of Microsoft’s anti-piracy group and (b) the take-down of the Mariposa botnet in 2010.[12] In fact, even an existing line of communication between No-IP and Microsoft’s corporate executives was not taken advantage of because of Microsoft’s underlying concerns. Richard Boscovich, assistant general counsel to Microsoft’s Digital Crimes Unit, tried to explain this non-communication conundrum by noting that, if Microsoft would have reached out, criminals using No-IP’s network would have been tipped off, knowingly or unknowingly, in the process of the take-down operation.[13] Dylan Zigenis, No-IP’s business development manager, however noted that “all this action, all the work that Microsoft did, whatever they spent on their lawsuit could have been saved by a phone call.”[14]

ZEUS and unilaterally utilising information

Together with its close relatives Ice-IX and Spyeye, Zeus is part of a malware family that is used to infect computers and show fake or modified websites when victims try to log into their online-banking accounts.[15] Within this process, Zeus is capturing keystrokes to obtain passwords, usernames, and also information to circumvent two-stop verification processes.[16] The information harnessed is then used to directly steal money from the victim’s banking account.

In 2012 the Zeus botnet consisted of approximately 13 million infected computers worldwide, and was allegedly used to steal more than $100 million and incurred damages of half a billion US dollars during the past five years.[17]

In March 2012, Microsoft’s Digital Crimes Unit launched “Operation b71,” which at the time was one of the largest anti-botnet operations around.[18] B71 commenced with ex parte temporary restraining order filed with the US District Court for the Eastern District of New York, against 39 ‘low-level’ John Does and two data centers.[19] Microsoft, in cooperation with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA), and Kyrus Tech Inc., alleged that the servers and domains hosted by Continuum Data Centers LLC and BurstNet were part of the Zeus botnet command & control infrastructure.[20]

On March 23, escorted by US Marshals, Microsoft, FS-ISAC, and NACHA, executed a coordinated physical seizure of the C&C servers to gain data and digital evidence to build a criminal case against the botnet operators.[21]

The harshest critique against Operation b71 was voiced by Fox-IT, who alleged that Microsoft “endangered the success of countless ongoing investigations” by unilaterally acting upon data that was supplied by core members of the security community who had placed certain restrictions on the use of that information.[22] In fact, several of the ‘low-level’ John Does Microsoft named in its civil suit, turned out to be members of a core group of cybercriminals the US Justice Department held responsible for numerous criminal operations that have cost businesses millions of dollars of the past years.[23] Fox-IT therefore noted that, “from our end we can confirm that this information was never supplied for the purposes that Microsoft used it for.”[24] Rik Ferguson, vice president for security research at TrendMicro, additional explained that revealing the 39 online handles was “a very dumb idea,” as those subjects were now fully aware that they were under investigation and are most likely to disappear.[25]

All in all, Microsoft’s unilateral action was deemed by many experts a violation of the collaborative workgroup model that has facilitated the sharing of information between the security industry, research organisations, and law enforcement agencies.[26] In the end, Microsoft was even accused by a bulk of security researchers of conducting a publicity stunt that was primarily aimed at capturing media headlines, yet did little to nothing to facilitate the long-term success of law enforcement and the fight against cybercrime.

ZeroAccess Botnet and hibernation

ZeroAccess, or Sirefef, was a vast botnet that in 2013 had enslaved more than 2 million computers worldwide.[27] Initially its primary purpose was the spread of malware and fake anti-virus software, but over time it proliferated into click-and-search fraud, which reportedly cost online advertisers more than $2.7 million each month.[28]

In an attempt to take-down the entire botnet in one swing, Microsoft filed a civil suit with the US District Court for the Western District of Texas in early December 2013, against the ZeroAccess operators. The court granted Microsoft authorisation to block incoming and outgoing communications between computers located in the US, and identified 18 IP addresses that were used in connection with the ZeroAccess botnet.[29] Microsoft also initiated a joined effort with the FBI and A10 Networks to gain control over 49 other domains associated with the botnet, and coordinated, in conjunction with Europol’s EC3, and various European law enforcement agencies, criminal action against 18 IP addresses located in Europe. On December 5th Microsoft announced to the world that it successfully disrupted the ZeroAccess botnet.[30]

While Microsoft’s action against ZeroAccess is admirable, the initial success story did not necessarily conclude with an happy ending attached.

According to Manos Antonakakis, chief scientist at Damballa, and Yacin Nadji, PhD candidate at the Georgia institute for Technology, the approach taken by Microsoft only deactivated parts of the infrastructure that powered the botnet, and completely failed to tackle the underlying P2P control layer.[31] As such the ‘successful disruption’ amounted to nothing more than a temporary inconvenience to the botnet administrators.[32] Brett Stone-Gloss, security researcher at Dell SecureWorks, joined into the chorus by noting that “the botnet operators can still easily push a new plugin through the P2P network to restart their click fraud and search engine hijacking activities.”[33]

In a show of force, the botnet operators did exactly that on December 6th. They send out a configuration file to the 2 million infected systems which temporarily brought the click fraud network back online. To the surprise of many observers however the operators decided to send out a second file on the next morning with the message “White Flag,” which was widely being interpreted as a voluntary abandonment of the botnet.[34]

Yet in January 2015, researchers at Dell SecureWorks discovered that the ZeroAccess botnet was steadily being reactivated by distributing click fraud templates to the comprised systems. While the botnet has not grown in size, researchers identified around 55,000 unique IP addresses within a week.[35] Given that the number of systems detected is only a small fraction of the 2 million infected systems of late 2013, it remains to be seen whether Microsoft’s disruption strategy has merely shrunk the botnet to a size under which its operations are not deemed a serious threat anymore.

Kelihos whack-a-mole

Kelihos, or otherwise known as Waledac 2.0, was a botnet that in 2011 comprised about 41,000 infected computers worldwide.[36] While small in size the botnet was capable of sending 3.8 billion spam emails per day, which among other things promoted counterfeit pharmaceuticals, downloaded and executed arbitrary files, and stole personal user information.

On September 22, 2011, Microsoft initiated “Operation b79” by filing an ex parte temporary restraining order with the US District Court for the Eastern District of Virginia, against Dominique Alexander Piatti, dotFREE Group SRO, and 22 John Does.[37] Microsoft alleged that the internet domain “” registered to Mr. Piatti, as well as the Czech domain name business dotFREE Group SRO, which was in part operated by Mr. Piatti, were used to manage the Kelihos botnet.[38] The court granted the request four days later which allowed Microsoft to sever all known connections between Kelihos and the individual zombie computers under its control.[39] In cooperation with Kaspersky Labs, the botnet was sinkholed, which effectively disabled the botnet and also severed the backup infrastructure from the Command and Control servers.[40] On September 27, Microsoft and Kaspersky proudly announced that they successful took down Kelihos.[41]

However, to the dismay of many security analysts, it took the botnet operators a mere 24 hours to push out a new Kelihos version.[42] It was therefore not a surprise that by January 2012, Kaspersky identified a second Kelihos botnet (Kelhios.B) in the wild, with more than 109,000 infected systems.[43] Maria Garnaeva, security researcher at Kaspersky Labs, noted at the time that the Kelihos case effectively showed that sinkholing is not an effective method “if the botnet’s masters are still at large.”[44]

Despite these concerns, Kaspersky Lab in conjunction with Crowdstrike’s Intelligence Team, DellSecureWork, and the Honeypot Project, launched a successful sinkhole operation against the second Kelihos botnet in mid-March.[45] The success was, as expected, relatively short lived as a new Kelihos version (Kelihos.C) was pushed out into the wild a mere 20 minutes later. [46]

While researchers at Kaspersky Lab and Microsoft noted that Kelihos.C had a very different configuration and spread via social networks, Bit Seculert maintained that “the new infected machines are operated by the same group of criminals,” and as such it would be better to still refer to the new botnet as Kelihos.B.[47] Indeed, Kyle Yang over at Fortinet speculated that the botnet operators were “ready for a takedown this time around.” Given the whack-a-mole nature of the takedowns, Guenter Ollmann, vice president for research at Damballa, questioned the underlying futility of disrupting botnets altogether.[48]

At the RSA Conference in March 2013, Tillmann Werner, researcher at Crowdstrike, sinkholed the Kelihos.C botnet live on stage during a demonstration which was coordinated with the FBI and the Shadowserver Foundation.[49] Since the live take-down, the rate of Kelihos variants in the wild has significantly increased, leading to new features and an adapted infrastructure. In January 2017, CheckPoint Security ranked Kelihos as the number one ‘most wanted’ malware, noting that the “botnet [is] mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server.”[50]

Disclaimer: I wrote this open-source piece back in 2015 while working as a research assistant at RAND’s Brussels office, on a report for the LIBE Committee in the European Parliament. The full report can be accessed here.

Since not everything made it into the final report, I thought it would be neat to post this on medium, so it may serve as a start-off point for others who are interested in the subject. Please note that this is only a summary of four take-down operations gone awry. There are of course several more, including the 2013 action against the Citadel botnets. Please also note that over the years the private sector has learned from their mistakes in the past.

p.s. I roughly went over it and added one or two sentences for context.