Fed takedowns continue to frustrate cybercriminals

May 10, 2023
Botnet takedowns take the fight to the enemy and use the hacker’s own tools against them

The FBI recently took down the nation-state botnet Russian Snake (https://www.bleepingcomputer.com/news/security/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command/), proactively protecting potentially hundreds of thousands of current and future victims. Botnet takedowns have become a favorite cyber defense tactic of the U.S. and its international allies. Although a takedown often creates only a temporary lull in that malware family’s spread, there have also been a few permanent takedowns of long-lasting botnets that had exploited millions of devices.

Here are some other recent takedown news stories:

  • https://www.justice.gov/usao-sdca/pr/russian-botnet-disrupted-international-cyber-operation
  • https://techmonitor.ai/technology/cybersecurity/botnet-cyclops-blink
  • https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/

Most botnets operate by sending data to and receiving commands from their “command & control” (C&C) servers. Those servers may be actual computer servers hosted on a near-impossible-to-touch “bulletproof hosting” service, additional otherwise innocent exploited devices, or a chat channel. C&C commands can be anything, including instructions for further exploitation, information collection and exfiltration, updating, or functioning as remote access servers so the botnet’s controllers can manually access the exploited devices. Commands almost always include instructions to go dormant and/or to uninstall themselves. It is the latter that law enforcement takes advantage of.

Law enforcement must first identify a way to take over an existing C&C server, or insert themselves into the botnet as a newly accepted fraudulent server, and make sure that the involved bots will listen to their new commands. It is often done by redirecting the C&C domain names to new law enforcement servers or by taking control of existing servers.
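Once C&C domain names have been redirected to a law enforcement sinkhole, the bots on a victim’s network that are still beaconing resolve those names to sinkhole addresses, which shows up in the organization’s own DNS resolver logs. The following added example (not code from the original post or from any takedown operation) scans constructed resolver log lines for answers inside assumed sinkhole address ranges and flags clients whose lookups recur at a regular, timer-like interval; the log format, the sinkhole ranges and the domain names are all constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sinkhole ranges for this example (placeholders, not real takedown infrastructure).
SINKHOLE_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Assumed log format: "<epoch seconds> <client ip> query=<name> answer=<ipv4>".
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>[\d.]+) query=(?P<qname>\S+) answer=(?P<answer>[\d.]+)$")

# Constructed resolver log lines: one host beaconing every 60 s, one benign lookup, one single hit.
SAMPLE_LOG = """\
1683700000 10.0.0.5 query=update.example-cnc.test answer=192.0.2.10
1683700060 10.0.0.5 query=update.example-cnc.test answer=192.0.2.10
1683700120 10.0.0.5 query=update.example-cnc.test answer=192.0.2.10
1683700005 10.0.0.9 query=www.example.org answer=203.0.113.7
1683700300 10.0.0.12 query=cdn.example-cnc.test answer=198.51.100.4
"""

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec

def is_sinkholed(answer):
    """True when the answered address falls inside one of the sinkhole ranges."""
    addr = ip_address(answer)
    return any(addr in net for net in SINKHOLE_NETS)

def find_sinkhole_hits(log_text):
    """Return {client: {"domains": [...], "count": n, "beaconing": bool}} for clients hitting the sinkhole."""
    hits = defaultdict(lambda: {"domains": set(), "timestamps": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sinkholed(rec["answer"]):
            hits[rec["client"]]["domains"].add(rec["qname"])
            hits[rec["client"]]["timestamps"].append(rec["ts"])
    report = {}
    for client, data in hits.items():
        ts = sorted(data["timestamps"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Near-constant gaps (spread within 10% of the mean) suggest a timer-driven beacon, not a one-off lookup.
        beaconing = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= 0.1 * (sum(gaps) / len(gaps))
        report[client] = {"domains": sorted(data["domains"]), "count": len(ts), "beaconing": beaconing}
    return report
```

A single sinkhole hit is worth a look, but a client that keeps resolving the name on a fixed cadence is the one that still has the bot running and needs cleanup regardless of what happened to the C&C servers.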

Testing is done to ensure that the bot can be inactivated or uninstalled without causing additional operational problems to the host, and to prove to management and judges that the objectives can be accomplished without causing further harm. Law enforcement often collaborates with vendors, large and small, who have expertise and knowledge of the involved botnet and malware programs.

Testing and sampling are thorough. No one wants to make a premature mistake and cause unintended operational interruption to the involved victims. There are ethical and legal questions about whether law enforcement can modify a victim’s device without their permission, even with the best of intentions. Taking down botnets without causing any significant operational interruption is one way to guarantee current and future success. One big mistake would cause a torrent of complaints from impacted victims, likely serious political repercussions, and could prevent future similar projects from getting approval. Success breeds success; and vice versa.

Law enforcement must obtain approval from the involved legal jurisdictions, which can be challenging when dozens of countries are involved. Many takedown projects have involved many hundreds of lawyers, tens of thousands of billable hours, hundreds of officers and agents, hundreds of warrants, and months of slow and cautious judicial approval.

The project teams plan and coordinate timing. Secrecy is necessary. In order to maximize botnet disruption, the takedown actions must occur simultaneously across all involved victims and the hosting infrastructure. Defenders do not want to give botnet administrators a chance to fight for control.

If done correctly, all the involved bots are removed. Victims are better protected. And the botnet’s controllers wake up to learn that the network of bots they spent many years building was eradicated in a few minutes. Sometimes the hackers rebuild the botnet using new C&C servers and infrastructure, and sometimes the takedown is so thorough and complete that it is useless to rebuild the involved botnet. Either way, law enforcement makes the lives of botnet hackers more difficult. It is one for the good side.

About the author: Roger A. Grimes is a Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 12 books and over 1,000 national magazine articles. He frequently consults with the world’s largest and smallest companies, and militaries, and he has seen what does and doesn’t work. Grimes was a weekly security columnist for InfoWorld and CSO magazines from 2005 - 2019. He regularly presents at national computer security conferences and has been interviewed by national magazines and radio shows, including Newsweek magazine and NPR’s All Things Considered. Roger is known for his often contrarian, fact-filled viewpoints.