On the arms race around botnets - Setting up and taking down botnets

Botnets are a well-recognized and persistent threat to all users of the Internet. Since the first specimens were seen two decades ago, botnets have developed form a subject of curiosity to highly sophisticated instruments for illegally earning money. In parallel, an underground economy has developed which creates hundreds of millions of euros per year in revenue with spamming, information theft, blackmailing or scare-ware. Botnets have become a high-value investment for their operators that need to be protected from law enforcement agencies or the anti-botnet community. Security researchers and companies trying to keep them within bounds are facing the very latest in spreading and defense techniques. Hundreds of thousands of new malware samples per month pose an immense challenge for AV companies. Specialized countermeasures against botnets have evolved along with botnet technology, trying to bring them down by targeting the root of every botnet: its command-and-control structure. This leads to an ongoing arms race between botnet developers and their operators vs. security experts. So far the former have the upper hand. Based on the analysis of multiple botnet takedowns and the in-depth investigation of various botnet architectures conducted by the authors, this paper provides an analysis of the efforts needed to acquire and set up a botnet. This is followed by a comparison of selected significant botnet countermeasures, which are discussed with regard to their required resources. Legal and ethical issues are also addressed, while a more thorough discussion of these will be left for future work.