Compromised machines that are part of a botnet and are thus under control of a botherder are often called 'zombies'. But the term 'zombie' might be an even more appropriate way to describe these machines after the botnet has been taken down.
In the last few years, there have been quite a few botnet takedowns. In some cases, this has led to the arrest of the botherder (or botnet owner). In other cases the botnet's infrastructure, or parts thereof, have been taken down. In the recent case of the ZeroAccess botnet, its owners allegedly surrendered the botnet by sending updates to the bots that included the message 'WHITE FLAG'.
But are these botnets really dead?
The somewhat obvious answer to this question is: NO!
No matter how many white flags have been sent to the clients, and no matter how long its owners are sent to prison, as long as the malware is still running on the machines the botnet lives on, and its potential to resume malicious activity remains a threat.
How easily a botnet can be resurrected or taken over depends on the design of the botnet. But as botnet takedowns have become more prominent, today's botnet software is built to survive them. Take for example the Kelihos botnet, which despite two major takedowns is very much alive today.
But even if its owners have really given up their botnet for good, perhaps because they are sitting out long prison sentences, the botnet shouldn't be considered dead.
The BBC writes how a researcher spent a few dollars on domains that had previously been used by botnets to communicate with their command and control servers. He found that more than 25,000 machines regularly made requests to these domains, and in some cases sent 'potentially saleable information' to his server.
This is also what we are seeing at AnubisNetworks, where we are tracking many supposedly 'dead' botnets, whose machines are still regularly 'checking in'.
Of course, if researchers can do this, so can those with less benign intentions; by making their new command and control servers send out the 'right' responses, they can revive and take over the botnet.
In some cases the affected machines were never part of an actual botnet, but merely ran some adware or some other kind of grayware that has since been abandoned by its owners. Depending on its update capabilities, a 'new owner' may be able to turn these machines into an actual botnet.
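Hosts that are still 'checking in' to a taken-down or abandoned C2 domain show up in DNS logs as regular lookups of those names. As an added example that is not part of the original post, the Python below runs a simple check-in detector over a constructed resolver log against a hypothetical watchlist of sinkholed domains, flagging hosts that query them repeatedly and on a regular interval (the domains, addresses and log format are assumptions for illustration, not real indicators).

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical domains on a takedown/sinkhole watchlist (constructed, not real indicators).
WATCHLIST = {"old-c2.example", "abandoned-adware.example"}

# Constructed DNS resolver log: "<timestamp> <client> query <name>" (sample data, not real).
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.0.0.5 query old-c2.example
2014-03-01T10:00:03 10.0.0.7 query www.example.org
2014-03-01T10:30:01 10.0.0.5 query old-c2.example
2014-03-01T11:00:02 10.0.0.5 query OLD-C2.example
2014-03-01T11:30:00 10.0.0.5 query old-c2.example
2014-03-01T11:31:00 10.0.0.7 query old-c2.example
2014-03-01T12:00:00 10.0.0.9 query abandoned-adware.example
2014-03-01T13:00:00 10.0.0.9 query abandoned-adware.example
2014-03-01T23:00:00 10.0.0.9 query abandoned-adware.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

def parse(log_text):
    """Yield (timestamp, client, domain) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()

def find_checkins(log_text, watchlist=WATCHLIST, min_hits=3, max_jitter=0.2):
    """Map client -> domain -> (hits, mean interval in seconds, regular?) for watchlisted
    lookups; 'regular' means the gaps vary by at most max_jitter of their mean (a timer)."""
    series = defaultdict(list)
    for ts, client, domain in parse(log_text):
        if domain in watchlist:
            series[(client, domain)].append(ts)
    report = defaultdict(dict)
    for (client, domain), stamps in series.items():
        if len(stamps) < min_hits:
            continue  # a single stray lookup is not a check-in
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        regular = avg > 0 and pstdev(gaps) / avg <= max_jitter
        report[client][domain] = (len(stamps), round(avg), regular)
    return dict(report)

if __name__ == "__main__":
    for client, domains in find_checkins(SAMPLE_LOG).items():
        print(client, domains)
```

In the sample, 10.0.0.5 beacons every 30 minutes and is flagged as regular, while 10.0.0.9 contacts its domain three times at irregular gaps and is reported but not marked as a timer-driven check-in.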
Generally speaking, botnet takedowns are a good thing. But it is good to keep in mind they only do part of the job. If your organisation was affected by the botnet, its takedown will only suspend rather than solve the problem.
And without solving the root causes, these zombies are waiting to receive the command to attack.
Cyberfeed provides a unique view on the early detection of cyber-threats. The combination of real-time security monitoring, context, and "smart eyeballs" empowers organizations and states to have a new and powerful approach to fighting cybercrime. To know more about Cyberfeed, please contact us!