Arresting hackers more effective than botnet takedowns for tackling cybercrime

10 Feb 2014
In recent months law enforcement has had plenty to celebrate, with various agencies and departments catching and charging numerous people believed to have masterminded some of the world's most dangerous cyber criminal empires.

Most recently, Aleksandr Andreevich Panin, the man behind the notorious SpyEye malware, pleaded guilty to conspiring to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software.

The arrest of Panin, whose SpyEye malware is believed to have infected over 1.4 million computers at its peak, has led to a wider debate within the security community about the benefits of arrests versus botnet takedowns.

The debate matters because cybercrime is a growing problem for governments and companies alike, with a steady stream of warnings about campaigns that continue to plague users and make millions for criminals.

Covert criminals
Tracking those behind the tools is increasingly difficult. This is partly because of the global nature of the internet, but mainly because malware authors can hide their movements behind botnets, anonymity networks such as Tor, and bulletproof hosting services.

As FireEye CTO Greg Day noted, this has limited the ability of law enforcement agencies to arrest cyber criminals by increasing the upfront costs and resources required to track and analyse the campaigns.

"Arrests do create a number of challenges throughout the entire process. First you need the support of organisations to gather the relevant evidence, which needs to be done to specific guidelines so that it is admissible in court," he said.

"This can require trawling through large amounts of data, so skills are required both in malware analysis and forensics. One challenge for law enforcement is simply having enough of what is a highly skilled and so typically highly paid-for resource."

Day added that even if law enforcement gathers the necessary evidence, international law means it must also overcome a number of legal and regulatory hurdles before it can make an arrest.

"E-crime is typically mixed, so some crimes are national and others are international. The latter requires co-operation between nations, which can be time consuming," he told V3.

Takedown operations
The issues Day describes have traditionally pushed many law enforcement agencies to attack criminal groups' infrastructure rather than arrest their members, as happened with Panin. These operations typically take the form of takedown strikes against the command-and-control servers used to run botnets or the hosts serving illegal sites.

Key victories in this endeavour include the sinkhole operations against the Citadel and ZeroAccess botnets in 2013. The FBI and Microsoft confirmed taking down a significant part of the Citadel botnet in June 2013.

In October, Symantec confirmed it had sinkholed around 500,000 of the 1.9 million zombie machines enslaved by the ZeroAccess botnet, cutting them off from the operators' control.
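A sinkhole operation of the kind described above works by answering the seized command-and-control names with an address the defenders control, so infected machines report to the sinkhole instead of the operators; the sinkhole's logs are then what produce figures such as "500,000 machines sinkholed". The following is an added example, not code from the article or from Microsoft, Symantec or the FBI. The domain names, botnet family labels, sinkhole address and log lines are all constructed for illustration (reserved .example names and RFC 5737 addresses), and the log format is a hypothetical one-hit-per-line layout.

```python
from collections import defaultdict
from datetime import datetime

# Constructed example data: C&C names a court order lets defenders redirect,
# mapped to the botnet family they serve. Names use the reserved .example
# TLD and the sinkhole address is from the RFC 5737 documentation range.
SEIZED_C2_DOMAINS = {
    "cnc-a.example": "botnet-x",
    "cnc-b.example": "botnet-x",
    "update.cnc-c.example": "botnet-y",
}
SINKHOLE_IP = "198.51.100.7"


def sinkhole_resolve(qname, upstream):
    """Resolver policy applied during a sinkhole operation.

    Queries for seized C&C names are answered with the sinkhole address, so
    infected hosts report to defenders instead of the operators. Any other
    name is answered from ``upstream`` (a stand-in for normal resolution).
    """
    name = qname.rstrip(".").lower()
    if name in SEIZED_C2_DOMAINS:
        return SINKHOLE_IP
    return upstream.get(name)


# Constructed sinkhole access log, one hit per line:
# "<UTC timestamp> <client ip> <requested host> <method> <path>"
SAMPLE_LOG = """\
2013-10-01T00:02:11Z 203.0.113.5 cnc-a.example POST /gate.php
2013-10-01T00:02:14Z 203.0.113.5 cnc-a.example POST /gate.php
2013-10-01T03:40:09Z 203.0.113.77 cnc-b.example GET /cfg.bin
2013-10-01T09:15:30Z 192.0.2.10 update.cnc-c.example GET /u.bin
2013-10-02T00:01:00Z 203.0.113.5 cnc-a.example POST /gate.php
2013-10-02T11:11:11Z 192.0.2.11 cnc-b.example POST /gate.php
2013-10-02T12:00:00Z 192.0.2.10 www.example.org GET /
"""


def parse_log(log_text):
    """Yield (day, client_ip, family) for every hit on a seized C&C name.

    Hits for other hosts are dropped: a sinkhole also attracts scanners,
    researchers and stray traffic that must not be counted as victims.
    Malformed lines are skipped so one bad record cannot stop a report.
    """
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client_ip, host = parts[0], parts[1], parts[2].lower()
        family = SEIZED_C2_DOMAINS.get(host)
        if family is None:
            continue
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        yield day, client_ip, family


def victims_per_day(log_text):
    """Distinct client IPs per (family, day): the daily 'still infected' count."""
    seen = defaultdict(set)
    for day, ip, family in parse_log(log_text):
        seen[(family, day)].add(ip)
    return {key: len(ips) for key, ips in sorted(seen.items())}


def botnet_estimate(log_text):
    """Distinct client IPs per family over the whole window.

    This is how headline figures like 'N machines sinkholed' are produced.
    Distinct IPs undercount hosts behind NAT and overcount hosts whose
    address changes through DHCP, so treat the result as an estimate.
    """
    totals = defaultdict(set)
    for _, ip, family in parse_log(log_text):
        totals[family].add(ip)
    return {family: len(ips) for family, ips in totals.items()}


if __name__ == "__main__":
    print(sinkhole_resolve("CNC-A.example.", {}))
    print(victims_per_day(SAMPLE_LOG))
    print(botnet_estimate(SAMPLE_LOG))
```

The per-day series is the number worth watching after a takedown: the sinkhole only diverts the bots, it does not remove the malware, so if the daily count of distinct victims does not fall over the following weeks the machines are still infected and will rejoin the moment the operators stand up new infrastructure.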

Both operations have been lauded as key victories in the fight against cybercrime. Richard Boscovich, assistant general counsel at Microsoft's Digital Crimes Unit, told V3 that even if they do not permanently stop cyber criminals, the operations still have a positive effect.

"The main objective of Microsoft's botnet takedowns and disruptions is to identify and stop the harm caused by the malware threats in order to protect people. We've found that disruption and clean-up efforts like this not only help to clean people's computers, but they help take the very infrastructure the botnet needs to be impactful and profitable away from the cyber criminals," he said.

Arrest success
However, some researchers and experts have been less positive about the operations. As noted by F-Secure chief research officer Mikko Hypponen: "It is more effective to take down the guys than taking down their systems. Systems don't rebuild themselves without the master."

Trend Micro's global vice president of security research Rik Ferguson was even more dismissive, claiming that most takedowns are ultimately futile.

"If you look back at some of the big 'takedowns' that many vendors like to make PR hay with, they have been spectacular failures. Most recently Kelihos, ZeroAccess and Citadel have been trumpeted by various PR departments and agencies as a giant blow on behalf of the good guys, and yet no lasting effect has been noted in any of those cases," he told V3.

Ferguson went on to highlight other recent arrests as evidence for his claim. "A couple of really good examples of how taking down the perpetrator rather than the infrastructure can help are the arrests of the man behind Blackhole Exploit Kit (Paunch) and the individuals behind DNS Changer (Rove Digital)," he said.

"In both of these cases, the arrest of the individual or group behind those criminal operations, led to a huge and almost immediate halt in the use of those malicious creations. Once Paunch was reported to be arrested, other criminal groups began immediately to shift their operations to exploit kits from other underground vendors."

Detection statistics that F-Secure shared with V3 support the two experts' view of the effectiveness of arrests.

Figures from F-Secure's threat intelligence network show that Blackhole detections dropped from 50,000 in August 2013 to fewer than 1,000 in December; Paunch was reported arrested in October 2013, between those two data points. F-Secure's figures mirror those of independent malware researcher Kafeine, who reported that use of the Blackhole exploit kit had all but ceased by November 2013.

A hybrid approach
Despite this evidence for the effectiveness of arrests, some, such as FireEye's Day, remain convinced that takedown operations have their place.

"A key challenge is focusing on what should be prioritised. It would be great to arrest and prosecute every one of these, but for all of the previously mentioned reasons the challenge today is resources," he said.

"In my view law enforcement has to take a layered approach. If their goal is harm reduction, getting an attack site or a botnet server taken down is much quicker and easier than arrests."

There is merit to this hybrid approach, which is also the one Microsoft takes: even if the criminals resurface, a takedown at least interrupts their revenue and cuts enslaved machines off from the botnet, although the malware remains on those machines until they are cleaned.

That said, there is strong evidence for Ferguson and Hypponen's assertion that the only way to stop cyber criminals for good is to arrest them and shut down their entire operation, rather than just one part of it.

The question is, is the added effort worth the expense?

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
