SANS Digital Forensics and Incident Response Blog

How to Disrupt a Botnet

The following note is inspired by the steps the folks at FireEye Malware Intelligence Lab took to disable the Mega-d/Ozdok bot network. People often wonder what it takes to shut down a botnet. Here are the key steps, which apply to "traditional" botnets, that is, botnets that don't rely heavily on peer-to-peer protocols for their command and control (C&C) implementation. The number of hosts and domains that such botnets use can be small enough that a group or an individual can disrupt the botnet by getting these IPs or domain names shut down.

Note that attempting to interfere with operations of a profitable botnet can be dangerous, as your actions may cause attackers to retaliate. Therefore, consider these steps as informational thoughts, rather than an encouragement to follow FireEye's footsteps.

  1. Obtain a copy of the bot through forensic analysis of a compromised system. It helps to get your hands on several instances of the malicious program, in case multiple variants possess meaningful behavioral differences.
  2. Understand the bot's command and control mechanism. How does the attacker control the botnet? Reverse-engineer the malicious program to understand the C&C protocol and to get a sense for the commands the botnet understands. You may find a way to authenticate to the botnet and, posing as the attacker, commandeer it. (Warning: As Andre posted in the comments, "Logging on to a network that is not your own, and issuing commands to take it over could potentially be considered illegal access.")
  3. Identify which systems, if taken offline, could disrupt the botnet. To accomplish this, look for weaknesses in the command and control implementation, such as the reliance on a small set of servers to distribute commands, or a weakness in the algorithm that generates the C&C servers' IPs or domain names. (You may recall how researchers at UC-Santa Barbara gained control over an instance of the Torpig botnet.)
  4. Contact ISPs hosting suspected C&C servers. In your correspondence with them, present documentation that supports your claim that the systems they are hosting are being misused. Be specific about which IPs violate the ISP's policy by acting maliciously and should be disabled.
  5. Contact registrars of C&C domains. In your correspondence with them, present documentation that supports your claim that the domains they are hosting are being misused. Be specific about which domains violate the registrar's policy by being used for malicious purposes and should be disabled.
  6. Consider registering unused domains that the botnet's C&C mechanism may attempt to use later. This can be expensive, depending on the number of domain names associated with the botnet's C&C implementation.
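As an added illustration of steps 3 and 6 (example code written for this page, not from the original post or FireEye's write-up): once the bot's domain-generation routine has been reverse-engineered, a defender can enumerate the domains the bot will try over a coming window, set aside the ones already known or sinkholed, and cost out pre-registering the rest. The generator below is a constructed toy standing in for a real reverse-engineered routine; `TOY_SEED`, `DOMAINS_PER_DAY`, the TLD list and the hash scheme are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy generator standing in for a reverse-engineered C&C
# domain algorithm (hypothetical; not Mega-d's or any real bot's).
# Each day it yields a fixed, small number of candidate domains derived
# from the date and a constant seed: exactly the "small, predictable
# set" weakness that step 3 tells you to look for.
TOY_SEED = b"example-seed"
DOMAINS_PER_DAY = 3
TLDS = ("com", "net", "info")


def toy_dga(day: date, index: int) -> str:
    """Return the index-th candidate domain for a given day (deterministic)."""
    material = TOY_SEED + day.isoformat().encode() + bytes([index])
    digest = hashlib.sha256(material).hexdigest()
    # Map the first 12 hex digits onto lowercase letters to form the label.
    label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    return f"{label}.{TLDS[index % len(TLDS)]}"


def enumerate_future_domains(start: date, days: int) -> list:
    """All domains the bot would try from `start` for `days` days, sorted and deduplicated."""
    found = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        for i in range(DOMAINS_PER_DAY):
            found.add(toy_dga(day, i))
    return sorted(found)


def registration_plan(start: date, days: int, already_known: set, price_per_domain: float) -> dict:
    """Split candidates into ones already handled (known, sinkholed or reported)
    and ones still worth pre-registering, with the estimated registration cost
    that step 6 warns about."""
    candidates = enumerate_future_domains(start, days)
    to_register = [d for d in candidates if d not in already_known]
    return {
        "candidates": len(candidates),
        "to_register": to_register,
        "estimated_cost": len(to_register) * price_per_domain,
    }


if __name__ == "__main__":
    # Constructed sample run: one week starting on the post's date, two
    # domains already known, an assumed price of 10 per domain.
    known = set(enumerate_future_domains(date(2009, 11, 9), 1)[:2])
    print(registration_plan(date(2009, 11, 9), 7, known, 10.0))
```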

Botnets come in different shapes, sizes, and flavors. The steps above don't apply to all of them, but they should give you a sense for how defenders can take action against traditional botnets. For an example of these steps in the context of a specific botnet, see the "Smashing the Mega-d/Ozdok botnet in 24 hours" write-up by FireEye.

Have you taken steps to disrupt a botnet? Share your thoughts and experiences in the comments below.

— Lenny

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

2 Comments

Posted November 9, 2009 at 11:58 AM

Andre M. DiMino

I would not advocate the last sentence in item #2. Logging on to a network that is not your own, and issuing commands to take it over could potentially be considered illegal access.
It would be far better to analyze the protocol and command structure and pass that to law enforcement or folks in the security community that track and act on discovered botnets.
Remember that a discovered active botnet should be treated like any other e-crime evidence.

Posted November 9, 2009 at 11:14 PM

Nuclear Snip3r

As much as things change, they really don't, especially when it comes to dismantling rogue botnets. This is the same advice that we've heard before. Yes, logging into + issuing a command to one or more nets is illegal, and while contacting ISPs **should** be a viable option, the sheer number of times you actually get a one finger salute is remarkable.
On top of all that, most of the larger botnets are like playing whack-a-mole, where killing off one "head" leads to the generation of 5 more.
There are other (and better) ways to crack this nut.