Why Botnets Persist: Designing Effective Technical and Policy Interventions

2019-09-06 - 10 minutes read

Written by Wajeeha Ahmad.

Botnets, networks of malware-infected machines controlled by an attacker called the botmaster, contribute to multiple security problems on the Internet, including information or identity theft, extortion, click fraud, email spam, denial-of-service attacks, and spyware distribution. The scale of botnet-based attacks and exploitations has been sufficiently large to jeopardize private and public operations in multiple countries with global losses on the order of hundreds of billions of dollars. This paper (linked below) examines why botnets have remained a persistent feature of the Internet despite decades of interventions by security researchers, private companies, and law enforcement agencies. By analyzing the technical and socioeconomic barriers in mitigating botnets, this paper uncovers weaknesses in the botnet attack model to identify gaps in existing approaches and propose areas for effective interventions.

Why Botnets Exist: Financial and Political Incentives

The same characteristics that have made the Internet economy grow successfully (such as the ability for every node to run arbitrary code) are exploited by botmasters with various financial or political goals. In short, botnets exist because they enable cybercrime, which is profitable for botmasters and their clients. From the attackers’ perspective, the increasing availability of unsecured Internet-connected devices that can be exploited with cheap and lucrative botnets contributes to their widespread use. The spread of botnet infections is exacerbated by the fact that the owners of the infected machines used to launch botnet attacks on third parties may lack both sufficient awareness and incentives to take defensive actions. Additionally, since botnet-based attacks and exploitations have multiple stages, where an attacker infiltrates a computer to use it as a platform to attack a second computer, and so on, they pose significant challenges for attribution and hence, deterrence. Consequently, botnets are also an especially attractive tool since they allow politically motivated actors to achieve their ends without the perception of direct involvement.

Tracing the History of Botnet Evolution: Increasing Stealth and Resilience

Since 1988, botnets have evolved from initially harmless assistant tools into one of the predominant threats facing the Internet. Botnet infrastructures have incorporated more resilient and stealthy features over time. After infecting vulnerable machines by remotely exploiting software vulnerabilities or through social engineering, botnets establish their defining characteristic, i.e., a command and control (C&C) infrastructure for communication between the botmasters and their bot armies. The following image shows the main developments in botnet C&C architectures over time. An examination of the technical evolution of botnets shows that the generality of the Internet architecture favors the attacker over the defender, as evidenced by the development of peer-to-peer structures and domain generation algorithms among other innovations.

Figure 1: The technical evolution of botnet command-and-control (C&C) architectures. Image created by Wajeeha Ahmad and taken from her paper, Why Botnets Persist: Designing Effective Technical and Policy Interventions.

Technical Mitigation Methods: Legal and Ethical Challenges

While technical remedies for stopping botnet attacks and exploitations remain an ongoing area of research and practice, technical solutions alone are inadequate because botnets continue to resurface regularly, often with new mechanisms for garnering profit or exfiltrating data. From the defenders’ standpoint, technical mitigation methods involve a number of complex tradeoffs with legal and ethical considerations and are insufficient against persistent botnet operators, who continuously evolve their tactics. Since the scourge of botnets cannot be understood as merely a technical issue, the underlying incentives – economic or otherwise – of the stakeholders involved must also be addressed.

Coordinating Botnet Takedowns: A Game of Whack-A-Mole?

The two common existing approaches used against botnets are:

  1. Voluntary takedowns by decentralized groups of security researchers
  2. Court-authorized takedowns by corporations and/or law enforcement

An analysis of past botnet takedown attempts shows that both of these ad hoc takedown approaches remain ineffective in the long run in the presence of jurisdictional constraints for defenders and safe havens for botnet operators. Voluntary botnet takedowns by decentralized groups of security researchers are constrained by a lack of resources in addition to insufficient public-private sector collaboration and information sharing. It is generally easier and cheaper for botmasters to invest resources to maintain attack infrastructures than it is for a large number of uncoordinated and competitive entities to do the expensive reverse engineering of large, sophisticated botnets needed to develop sustainable countermeasures.

Secondly, a review of court-authorized botnet takedowns by both corporations (especially Microsoft) and law enforcement agencies reveals that they face multiple challenges, including the issues of establishing local jurisdiction, requesting the cooperation of foreign domain registrars, and the long-term ineffectiveness of domain name takedowns. The ability of botnet operators to move attacks across national borders in an agile manner while defenders face a myriad of coordination challenges further boosts the benefit–cost ratio for botmasters launching multiple attacks and exploitations. Consequently, existing approaches to botnet takedowns are analogous to playing a game of whack-a-mole in that they represent a highly reactive approach to defense against persistent adversaries. 

Potential Interventions Along the Botnet Attack Chain: A Way Forward

Botnets will continue to emerge and spread unless proactive steps are taken to address the root causes enabling botnet attacks and exploitations instead of only mitigating their symptoms. However, comprehensive and effective interventions are difficult because operating a botnet involves numerous stages, each of which can be accomplished in several ways. 

  1. First, a botnet must infect machines by exploiting technical insecurities or via social engineering. 
  2. Second, it must establish communications between the C&C servers and infected bots to carry out C&C commands. 
  3. Finally, it must perform the task it was developed or rented for, i.e., take money or data back to the botmaster, or disrupt a particular service via a denial-of-service attack.

Analyzing each of these stages core to a botnet’s functionality can aid in finding effective interventions at various stages of the attack chain. Consequently, no one solution exists. Instead, proactive interventions at each step of the botnet attack chain along with long-term collaborations among key stakeholders are needed to reduce the safe havens in which botmasters operate. 

  1. First, the development and widespread adoption by industry of baseline built-in security standards for Internet-connected devices can reduce the vulnerabilities that botnets prey on. Regarding user devices and accounts, minimum security standards should be accompanied by mandatory security features that cause minimal inconvenience to users to counter the effects of low user adoption.
  2. Second, since present-day botnets predominantly rely on DNS-based C&C communications to function, proactively mitigating botnet-related DNS abuse by focusing on the domain name registrars and registries that enable a high level of abuse could be fruitful for addressing the source of the problem instead of relying solely on reactive domain name takedowns. Such steps may include identifying domain registration policies that would increase operational costs for botmasters and make botnet attacks and exploitations more difficult and costly to execute without incurring unreasonable inconvenience for non-abusive users.
  3. Third, since financially motivated botnet attacks and exploitations leave a monetary trail and remain lucrative only as long as their payments cannot be traced back, the approach of “following the money” can be more effective in tracking such botnets than technical measures alone. In this case, closer collaboration between payment providers, security researchers, and law enforcement to identify illicit money flows associated with botnet-based activity followed by a refusal by the payment providers involved to authorize payments to such merchants could help ensure that botmasters do not reap the benefits of their activities. 
  4. Finally, clarifying the rules of engagement between private actors and public authorities, and setting up long-term working partnerships among them, would promote and streamline both law enforcement botnet takedowns and private remediation efforts. 

Read the full paper via the button below