The last year has seen a string of takedowns of botnet command-and-control servers, malware drop zones, spam operations and other pieces of the crimeware infrastructure, each of which made a dent in one way or another. But the question of whether the takedowns have had any lasting effect on the overall level of crime and fraud online is a more complicated one.
The most recent operation that’s gained notice is the takedown of VolgaHost, a hosting provider in Russia that had attracted a lot of attention from researchers for allegedly hosting hundreds of malicious URLs and botnet servers. VolgaHost was rated by HostExploit as the worst hosting provider on the Internet in terms of the amount of crimeware on its platform, and last week the company was effectively taken offline when its upstream provider de-peered it, withdrawing the routes that connected VolgaHost’s address space to the rest of the Internet.
That action cut VolgaHost off from the Internet and killed the connectivity for all of its customers as well, legitimate or not, eliminating a number of C&C servers used by the Zeus botnet. However, online fraud and crime are a worldwide industry, and removing one hosting provider, however large and active it may be, from the equation is of inherently limited value. It’s a never-ending game of whack-a-mole in which researchers, hosting providers or law enforcement officials knock down a few servers, only to see them pop up again somewhere else a day or a week later, often at a different provider in a different jurisdiction.
Zeus, which has been known publicly for more than a year, is a prime example. Though it’s often referred to as a botnet, Zeus is more precisely a crimeware kit that is available for purchase by anyone, giving each customer the ability to build his own malware variant and run his own small operation with its own C&C servers. There is no single Zeus botnet; there are many independent ones sharing the same code. Taking down a few servers being used by one Zeus operator to control compromised machines is, unfortunately, only going to cut off that specific operation. Any other Zeus networks not connected to that operation are unaffected, and even the affected operator can rebuild by pointing a fresh build of the kit at new servers.
This has held true for most botnet takedowns in recent years, whether it be Waledac, Pushdo or any other network. Those operations had a major effect on the volume of spam in the short term, but after a quick respite, levels usually have returned to where they were before the takedown. The action that’s made the biggest difference in the volume of spam of late is the closure of a major spam affiliate program known as Spamit late last year. That closure, combined with some other factors, has effectively slashed the volume of spam by nearly three-quarters, a far larger and longer-lasting effect than any single server takedown has produced.
But while spam and other forms of online crime, such as botnets, identity theft and phishing, are closely intertwined, attackers can survive and do their damage without spam. The work that ISPs and legitimate hosting providers are doing to address the problem is valuable and absolutely necessary, and more of it would be welcome. But unfortunately, the scope of the worldwide online crime and fraud problem is so massive that no one takedown operation or combination of actions is likely to have any lasting, measurable effect on it.