A carefully orchestrated campaign led by the FBI to dismantle the most damaging botnets on the Internet continues to register notable successes in the effort to put an end to a cybercrime problem that drains $113 billion a year from economies around the world.
Code-named Operation Clean Slate, the FBI-led initiative involves nearly a dozen federal agencies and departments, private Internet service providers, technology companies and law enforcement agencies around the world. The goal is to prioritize and take down the biggest botnets — armies of compromised computers infected with malware and under the control of cybercriminals who use the systems to spread spam, conduct distributed denial of service attacks and carry out identity theft on a massive scale. It is estimated that 378 million computers — about 12 systems per second — are compromised and become unsuspecting participants in botnets every year.
But the FBI’s war on botnets and the cybercriminals behind them is beginning to show signs of sustained progress. More important, anti-botnet operations increasingly involve a combination of law enforcement arrests and large-scale cooperation on the technical aspects of stopping botnet activity among a variety of government and private sector organizations, said FBI Supervisory Special Agent Thomas Grasso, who briefed industry representatives Monday during an event hosted by the Financial Services Roundtable in Washington, D.C.
Grasso is part of a 10-member FBI team at the National Cyber-Forensics & Training Alliance, a nonprofit organization that also includes agents from the Secret Service and experts from Fortune 500 companies. It is a critical component of Operation Clean Slate.
“The initiative is really about focusing resources and focusing firepower on the botnet problem,” Grasso said. But the three most important parts of the initiative stem from how the FBI is reducing the botnet threat, he said. “Our viewpoint is there are three ways that we can go after this. One is to arrest people. And I think that’s a very effective way to reduce the threat,” he said. The other ways the operation is helping to reduce the threat include taking the botnet down. “We can attack the botnet … and put the botnet in jail, so to speak” Grasso said. “And the other thing that we can do is share mitigation information with the private sector.”
One of the earliest cases to target botnet operators was Operation Trident Breach in 2010. A group of five Ukrainian cybercriminals targeted small and medium-sized businesses using a custom variant of the Zeus botnet. The malware captured passwords, account numbers, and other data used to log into online banking accounts. Losses in the U.S. along totaled $70 million.
The case involved “one of the first pieces of malware that was able to get around two-factor authentication,” according to Grasso. But the arrest of the suspects led to the disappearance of the custom variant of Zeus.
A year later, the FBI made a daring move to actually take over a massive botnet known as Coreflood that had infected more than 2 million computers around the world. Because the 13 suspects were located overseas in a region that made it unlikely the FBI would be able to apprehend them, the decision was made to actually take down the botnet.
“This was a watershed event for the U.S. government because this was the first time the U.S. government got involved in the business of taking over a botnet,” Grasso said.
Dell SecureWorks detailed an expert to the FBI who was able to reverse engineer the malware and develop a way to take it down. Likewise, Microsoft Corp. developed an update to its malicious software removal tool and pushed the update out on the same day the FBI took down the botnet.
The coordinated effort with industry reduced the number of infected computers within six months from more than 800,000 to about 2,000, according to Grasso.
A two-year FBI investigation code-named Operation Ghost Click resulted in the arrest of six Estonian hackers who had compromised millions of systems with malware called DNSChanger. But critical intelligence on the activities of the criminals was provided to the FBI over the course of five years by a host of private sector companies, including SpamHaus, PayPal, Trend Micro, and various U.S. and Canadian ISPs.
“We developed this great play where we were going to go out and arrest these guys and seize all of their servers,” Grasso said. But as the FBI was going through its checklists to make sure it had all of the evidence for a successful prosecution, agents realized there were still four million victims using the compromised Domain Name System (DNS) servers.
So the bureau took over the DNS servers and ran them for about eight months and relied on the private sector to help remove the malware. The result was a 75 percent reduction in infections in the U.S. and a 66 percent reduction globally, according to Grasso.
“By taking over this botnet … we were able to avert what could have been a disastrous situation on the Internet,” he said.
Earlier this year, the FBI launched Operation Tovar to disrupt two cybercrime schemes responsible for more than $100 million in losses to businesses and consumers around the world.
Working with European law enforcement agencies, including Europol, the Justice Department authorized the FBI to seize control of servers that ran the GameOver Zeus botnet. Predominately spread through spam email or phishing messages, the GameOver Zeus malware used stolen credentials to initiate or redirect wire transfers to accounts overseas controlled by the criminals.
GameOver Zeus was generating more than 1,000 domains every day and was “designed to be impervious to any law enforcement actions,” Grasso said. But the domain registrars helped FBI seize the domains, and a dozen ISPs in the U.S. and around the world helped with technical take-down of botnet.
“We’ve seen about a 50 percent reduction in the botnet globally … with 30 to 40 percent remaining in the U.S.,” Grasso said. “There’s still a lot of remediation work that needs to be done.”