THE BLOG
10/01/2013 05:22 pm ET Updated Dec 01, 2013

Keeping the Good Guys Out While Letting the Bad Guys in

This is a topic I've been trying to touch for some time now, but I've always postponed it. This story is about botnets.

Here's the simplified version of how they work. First, you go to a hosting provider and rent a server. As a brilliant cybercriminal, you will, of course, use a fake identity and a stolen credit card. Step two will be to make sure that the forensics guys won't be able to find you, so you redirect all access logs to /dev/null.

You encrypt the entire hard disk, or just the partition where you will deploy your stuff by using tools such as TrueCrypt for instance.

You start infecting people. You can do this through malvertising on legit websites, spam, malicious websites and so on.

And every time your malware infects someone new, it will connect back to your server for instructions.

Once you have gathered enough machines, you can start focusing on the fun stuff, such as renting your entire infrastructure to spammers who don't have the means to send spam themselves, to DDoS different organizations, and whatever else brings out money.

Now, let's suppose that at some point, a security vendor, instead of just blocking your malware sample, goes a little further with the analysis and to see where all these infected computers connect. They will find the IP of your server.

It's obvious that they will ask the hosting provider for access to the server for further investigation, but you don't need to worry, the hosting provider will not allow them access there. After all, you are a paying customer. It doesn't really matter if your activities are legal. The worst-case scenario is just to take your server offline.

Now, the security vendor will try to contact law enforcement your server's host country to further their case for access. The amount of bureaucracy generated by such inter-continental dealings, of course, can seem to nearly rival the volume of spam the botnet is sending.

And if at some point, when the security vendor and the law enforcement officers obtain access to your server, what's the worst that can happen?

Even if they have the technical capability to take over the command and control and issue a self delete command to all the infected machines, they won't do that without the consent of all infected users.

2013-10-01-Photo.jpg