Botnets are a huge problem for a number of reasons. Not only are they used to send spam, they’re also used in criminal activities. One of the major challenges in dealing with botnets is finding and stopping the people who create and use them. Why? Because the internet is global and crime tends to be prosecuted within local jurisdictions.
Catching someone running a botnet, or involved in crime online in general, requires cooperation from authorities in multiple jurisdictions. Police, lawyers, and other officials have had to create relationships to work together, all while respecting international law. It’s a involved and complicated process, and that’s before we talk about the challenges in actually figuring out who is running the botnet. Subject matter experts, like operating system manufacturers or anti-virus companies, are also part of the process in most cases. (Read about the Simda botnet takedown at Interpol)
Despite the challenges, botnets do get taken down and criminals do get arrested and brought to justice. Today the Department of Justice announced a guilty plea from a Russian citizen charged with infecting machines with malware.
Senakh and his co-conspirators used the Ebury botnet to generate and redirect internet traffic in furtherance of various click-fraud and spam e-mail schemes, which fraudulently generated millions of dollars in revenue. As part of the plea, Senakh admitted that he supported the criminal enterprise by creating accounts with domain registrars which helped build the Ebury botnet infrastructure and personally profited from traffic generated by the Ebury botnet.
Ebury is kinda interesting because it’s actually a Linux botnet, not a Windows one. It used a SSH exploit to get in, stole user credentials and then smuggled the credentials out in special TCP packets. CERT-BUND has some of the gritty technical details of what they discovered. And WeLiveSecurity also has a writeup on how the infection worked.
Botnets are a problem. Catching people is a long, drawn out challenge. But, it can be done.