“Hundreds of thousands of machines are joining botnets every month. Most of these botnets are used to propagate spam or distribute malware that can be used in cyber espionage. Some of them are used in DDoS attacks or as proxies to commit other cybercrimes.",Vitaly Kamluk, Chief Malware Expert, Global Research and Analysis Team, Kaspersky Lab
According to Kamluk, the largest botnet is Conficker, with more than 8 million infected hosts, followed by TDSS with more than 5.5 million, Zeus with more than 3.6 million, and Koobface with more than 2.9 million.
"One could think that laws should be able to help us. Indeed, there is a law that prohibits unauthorized access to remote systems, i.e., third parties cannot use the resources of the other’s machine. However, cybercriminals successfully bypass this law. They utilize and exploit systems in any way they want – to commit crime, earn money, etc. At the same time we researchers come up against the same law – but in our case it prevents us from fighting botnets
As an example of what could be done but cannot even be contemplated, there are over 53 000 command and control (C&C) centers on the Internet (source: www.umbradata.com). In many cases we know where the C&C centers of these botnets are, so in theory we could contact the owner’s Internet Service Provider and ask it to take it down or to pass control of the center to us. This would be the right decision if we didn’t want to leave all those thousands of infected machines online - continuing to attack other machines. We could issue a command for a bot to self-destroy itself from within the botnet infrastructure (starting from the command center) and then take it down. But unfortunately this represents unauthorized access, and we are not allowed to issue such a command",Kamluk.
He recommended that law enforcement consider taking the following steps to help investigators in fighting botnets:
- Carrying out mass remediation via a botnet;
- Using the expertise and research of private companies and providing them with warrants for immunity against cybercrime laws in particular investigations, so they can collect more evidence, or bring down a malicious system when it cannot be accessed physically;
- Using the resources of any compromised system during an investigation - so that we can place traps on compromised machines to get the source IP addresses of the attackers, and to bypass the mechanisms they use to hide their identities;
- Obtaining a warrant for remote system exploitation - only in the cases when no other alternative is available. Of course this could result in cyber espionage. But if it is done properly – if the warrant is given for particular system, in a particular case, for particular timespan – this could bring positive results. Indeed, it could significantly change the cyber-threat landscape.”