Cybersecurity Researchers Team Up To Combat Online Crime

By NICOLE PERLROTH, New York Times, 3/28/2012
Last Friday, Microsoft employees, accompanied by United States marshals, raided command centers in Pennsylvania and Illinois used by online criminals to run a botnet, a cluster of infected computers harnessed by criminals to steal personal and financial information from millions of victims.

But two days earlier, across the country, a separate group of cybersecurity researchers based in San Francisco quietly took down another botnet using more technical means. The five researchers, from four security firms — Crowdstrike, Dell SecureWorks, the Honeynet Project and Kaspersky Labs — worked together to decrypt and successfully commandeer the so-called Kelihos.b botnet that was using over 100,000 infected computers to blast pharmaceutical spam and, in some cases, steal Bitcoins, a virtual currency that is impossible to recover once stolen.

The takedowns were not timed to coincide with one another, nor were the two groups even aware they were operating in tandem. But they point to a renewed effort by technologists to take the lead in combating digital crime rather than waiting for law-enforcement authorities to take action.

Microsoft has preferred to take botnets down through court actions. Including Friday’s raid, Microsoft has brought down four botnets in the past few years through civil suits. In each case, Microsoft sought secret court orders that allowed it to seize Web addresses and servers that run the botnets, without first alerting their owners.

In the case of Kelihos.b, researchers took a more technical approach. They successfully reverse-engineered the botnet’s structure and analyzed its cryptography, then injected their own file into its communication network. That file instructed infected computers to send any information to a “sinkhole” controlled by Crowdstrike, rather than to the command-and-control server run by criminals.

Within a few minutes of infiltrating Kelihos.b, over 85,000 infected computers started communicating with Crowdstrike’s sinkhole. As more infected users went online, Crowdstrike said that figure quickly jumped to 110,000. By Friday, researchers said the criminals behind Kelihos.b had already abandoned the botnet and moved on.

By dismantling their tools this way, the researchers said they were able to glean valuable information about the criminals’ techniques.

“We were able to understand how the computers were compromised, what operating systems they ran and the make-up of the botnet,” said Adam Meyers, a threat researcher at Crowdstrike.

Of the infected machines, 84 percent were exploited using a loophole in Microsoft Windows XP. Researchers also noted that the vast majority of infections — a quarter of all identified machines — were in Poland and that the botnet’s creators spread Kelihos.b through a “pay-per-install” model typically favored by hackers in Eastern Europe. Richard Boscovich, a senior lawyer in Microsoft’s digital crimes unit, said he had a “high degree of confidence” that the culprits behind the botnet Microsoft took down last Friday were also based in Eastern Europe.

That information could potentially be valuable in combating future threats. Unless a botnet’s owners and clients are put behind bars, takedowns tend to be temporary. An earlier takedown by Microsoft of the Waledac botnet, for example, lasted only as long as the time it took its creators to modify its architecture slightly and create a new botnet. Kelihos.b is a second-generation version of Kelihos, another botnet that was shut down last September.

What is to say this botnet won’t just morph itself again? “That is a possibility,” said Crowdstrike’s Mr. Meyers. “But when that happens, we’ll be there to take it back down.”