Security vendors on their own: large entities take on botnets

July 15, 2014

A week ago Facebook reported dismantling a mid-sized botnet codenamed “Lecpetex”, which comprised about 250k PCs. This botnet was interesting because it forced infected PCs into mining the Litecoin virtual currency. It was also used for spreading spam.


The most interesting thing here is that Facebook seemingly has very little to do with cybersecurity as a field of concern. It is by no means a security vendor. But yes, it took on cybercriminals, since standing aside was not an option.

The question is: Is it an option for the others? When does “aggressive cybersecurity” become a concern for a business?

Well, for Facebook it has been a major concern for quite some time: this is not the first case of Facebook vs. botnet. Lecpetex was a relatively docile one, and not exactly huge.

“Based on statistics released by the Greek Police, the botnet may have infected as many as 250,000 computers. Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak,” wrote Facebook’s Threat Infrastructure team. “…The Lecpetex authors appeared to have a good understanding of anti-virus evasion because they made continuous changes to their malware to avoid detection. In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014”.

According to Facebook, Lecpetex worked “almost exclusively” by using social engineering techniques to trick victims into running malicious Java applications and scripts. Lecpetex spread through friend and contact networks, and that’s the reason for its geographic distribution: most of the victims reside in Greece.

Facebook had been battling Lecpetex since December 2013 and made serious progress earlier this year: a coordinated takedown of the technical infrastructure, including C2s, distribution accounts, testing accounts and monetization accounts, took place in mid-April, followed by a referral to Greek law enforcement.


Finding themselves in hot water, malware authors even left messages for Facebook’s team, demanding “Stop breaking my ballz…”

Eventually, on July 3rd, Greek police arrested the people alleged to be the primary authors.

That is, again, not the first occasion on which Facebook has battled a botnet: late in 2012 the social networking site partnered with the FBI to take down the Butterfly Botnet (aka Mariposa). That one was much larger and more dangerous than Lecpetex: it had been spreading banking malware codenamed Yahos, which infected about 11 million computers. According to a later report, its authors collected more than 850 million from fraudulent transactions.

Facebook had to take action because it was actively used to spread malware: being a vector for attacks is unsettling and harmful, reputation-wise. Facebook isn’t a security vendor on its own, but it had to work as one, since the situation was too bad to turn a blind eye.

Facebook isn’t alone there, though. Microsoft actively and even aggressively takes on the largest botnets, and with the help of industry partners and law enforcement agencies, it has dismantled a number of them over the last several years – Rustock, Kelihos, Citadel, to name just a few.

Microsoft, again, isn’t recognized as an entity closely associated with the cybersecurity market, even though it has made a number of security-related acquisitions since the early 2000s. But most PC malware has targeted Windows users for years. At a certain point Microsoft decided to go on a crusade against botnets, even though not every fight ends in a clear success.

The botnet battle is an old story: the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) was launched back in 2004, with Comcast, Yahoo, AT&T, Verizon and AOL as major participants, to work on best practices for ISPs to mitigate botnets and the DDoS attacks launched through them. By 2004, then, it was already clear that botnets were a serious problem.

At a certain point every large entity working with large amounts of personal data finds itself in a situation where it has to protect that data. And not just passively. Sometimes it is necessary to take the fight to the cybercriminals’ own territory: taking over their C&C servers, seizing hard drives and requesting warrants to arrest the alleged botnet operators.

All in all, cybersecurity is something that’s everybody’s business, sooner or later.