Takedowns: Touchdown or Turnover?

Filed under Industry News, Research Lab.


Over the last several months, malware takedowns have made headlines. But what is really involved in such an operation? The recent takedowns have been collaborative efforts, mostly between the private sector and government entities, with academic researchers also playing a role. While some operations included arrests and others a civil lawsuit, the same question remains: how does one determine whether the takedown was a success?

Recent Takedowns

As an example, let’s take a look at the takedown of “Gameover” ZeuS, code name “Operation Tovar.” This operation featured the global collaborative efforts of FBI, Europol, and UK National Crime Agency (NCA) investigators, along with several security firms and European academic researchers. The goal of Operation Tovar was to seize control of the Gameover ZeuS botnet, a sprawling network of infected computers running Microsoft Windows that had been used by elite cyber criminals to steal more than $100 million from banks, businesses, and consumers. But can this takedown, announced June 2nd, be considered a touchdown for the team of cyber good guys?

More recently, there has been buzz about the team of police and security firms that orchestrated the takedown of the Shylock malware, a notorious banking Trojan. The UK’s National Crime Agency, a key player in this takedown, estimates that Shylock has infected at least 30,000 Windows computers globally, with the UK being targeted more than other countries. In a series of sting operations, the team of international law enforcement and security experts seized the Command and Control servers (C&Cs) and the domains used by Shylock to communicate with infected computers. But in the end will this malware, whose code contains excerpts from Shakespeare, continue “to be, or not to be”?

Seculert’s Observations

While we at Seculert do not discount the tremendous efforts behind these takedowns, we would like to share the results of some of our own research. The Gameover ZeuS botnet uses an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems, which makes the botnet all the more difficult to dismantle: there is no single C&C to seize. Since the takedown we have already seen the emergence of a new variant in which the P2P function was removed and the Domain Generation Algorithm (DGA) changed. The previous variant of Gameover ZeuS generated 1,000 new domains per week; the new one generates 1,000 domains per day, which multiplies the number of domains defenders must register or sinkhole to keep the bots from reaching their operators. Having previously sinkholed Gameover ZeuS, we are able to compare the number of bots communicating with our sinkhole prior to the takedown (Figure 1) with those of the new variant (Figure 2). In the last few days we have seen a surge in the number of bots communicating with our sinkhole, reaching almost 10,000 infected devices. We anticipate the communications traffic to level out over time and reflect pre-takedown amounts.

Figure 1: Gameover ZeuS activity prior to takedown

Figure 2: Gameover ZeuS activity after takedown

As for Shylock, we were able to sinkhole it three days after the takedown operation. Since then, we have seen approximately 10,000 bots per day attempting to communicate with our sinkhole server (Figure 3). We cannot compare this with the volume prior to the takedown, but it does raise the question: what makes a takedown successful?

Figure 3: Shylock activity with Seculert sinkhole
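To make the measurement behind Figures 1 to 3 concrete, here is an added example in Python. It is not Seculert’s code, and `toy_dga` is not the Gameover ZeuS or Shylock algorithm: it is a hypothetical date-seeded generator with the shape the post describes, a fixed number of deterministic domains per day that anyone holding the algorithm can reproduce, which is what lets a sinkhole operator register tomorrow’s domains ahead of the criminals. `bots_per_day` then counts the distinct source IPs per day that queried a domain on that day’s list and ignores traffic to other names. The log format (`<ISO-8601 UTC> <src-ip> <qname>`) and the sample lines are constructed for the example.

```python
"""Toy DGA plus a sinkhole log aggregator (illustrative, not any real malware's DGA)."""
from __future__ import annotations

import datetime as dt
import hashlib
from collections import defaultdict
from functools import lru_cache

TLDS = ("com", "net", "org", "biz")   # hypothetical TLD set for the toy DGA


def toy_dga(day: str, count: int, seed: bytes = b"example-seed") -> list[str]:
    """Derive `count` deterministic domains for the ISO date `day` ('YYYY-MM-DD').

    Hypothetical generator: same shape as a date-seeded DGA (N domains per
    period, reproducible from seed + date), but NOT Gameover ZeuS or Shylock.
    """
    out = []
    for i in range(count):
        material = seed + day.encode() + i.to_bytes(4, "big")
        h = hashlib.sha256(material).hexdigest()
        label = h[:12]                              # 12 hex chars: a valid DNS label
        tld = TLDS[int(h[12:14], 16) % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


@lru_cache(maxsize=None)
def _dga_set(day: str, count: int) -> frozenset[str]:
    """Cache each day's domain list as a set for fast membership tests."""
    return frozenset(toy_dga(day, count))


def bots_per_day(log_text: str, per_day: int, clock_skew_days: int = 1) -> dict[str, int]:
    """Count distinct source IPs per day whose query matched the DGA.

    Lines for names not on the list (scanners, researchers, typos) are
    ignored so they do not inflate the bot count. Bots' clocks drift, so a
    query is accepted if the name is on the list of a neighbouring day too.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, qname = line.split()
        day = dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        qname = qname.lower().rstrip(".")
        window = (day + dt.timedelta(days=k)
                  for k in range(-clock_skew_days, clock_skew_days + 1))
        if any(qname in _dga_set(d.isoformat(), per_day) for d in window):
            seen[day.isoformat()].add(src_ip)
    return {d: len(ips) for d, ips in sorted(seen.items())}


# Constructed sample: two days of a 1,000-domains-per-day schedule, three
# bots (RFC 5737 documentation addresses) and one unrelated scanner hit.
D10 = toy_dga("2014-07-10", 1000)
D11 = toy_dga("2014-07-11", 1000)
SAMPLE_LOG = f"""\
2014-07-10T00:03:11Z 198.51.100.7 {D10[0]}
2014-07-10T00:04:52Z 198.51.100.7 {D10[0]}
2014-07-10T01:15:09Z 203.0.113.21 {D10[41]}
2014-07-10T02:00:00Z 192.0.2.99 unrelated-scanner.example
2014-07-11T00:01:33Z 198.51.100.7 {D11[0]}
2014-07-11T00:09:40Z 203.0.113.21 {D11[0]}
2014-07-11T03:30:12Z 203.0.113.150 {D11[999]}
"""


def example_counts() -> dict[str, int]:
    """Run the aggregator over the constructed log."""
    return bots_per_day(SAMPLE_LOG, per_day=1000)


if __name__ == "__main__":
    for day, n in example_counts().items():
        print(f"{day}: {n} distinct bots")
```

Counting distinct IPs is the usual first approximation and is what a chart like Figure 1 plots, but it undercounts bots behind NAT and overcounts hosts whose addresses churn; where the protocol carries a bot identifier, key on that instead. The clock-skew window matters in practice: an infected host with a wrong date computes a neighbouring day’s list, and dropping that traffic would undercount the botnet. Note also what the move from 1,000 domains per week to 1,000 per day does to the defender: seven times as many names to register or sinkhole for the same period.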

We also need to consider whether takedowns are escalating the problem. In March 2012, CrowdStrike and Kaspersky used a sinkhole to “successfully” take down Kelihos.B. However, a day after the operation Seculert identified more than 70,000 devices still active in the botnet. And as we continued to see communication between the malware and its C&C via other members of the botnet, it was obvious that Kelihos didn’t remain on the disabled list for long. Moreover, the Kelihos botnet came off the bench when the attackers regained access to the sinkholed bots through the Facebook worm, while also expanding to newly infected machines and actively sending spam.

These are just a few examples of recent takedowns. And again, we are not questioning the takedowns or discouraging future ones. Rather we are curious as to the success criteria of these multinational operations. Is the goal of a takedown to cripple the malware or to kill it? There is also the possibility that we could just be testing the limits of cybercriminals — challenging them to immediately innovate which could lead to continued escalations. It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger.

Contributors: Adi Raff and Yevgeniy Kulakov
