Breaking Up a Botnet – How Ramnit was Foiled

In the online world, crime is rife. Criminals no longer have to be lurking in your neighborhood in order to cause trouble. Nowadays, they can cheat, steal and deceive from the other side world with little more than an Internet connection and a few clicks of a mouse. This makes them hard to detect and even harder to catch.

The socio-economic threat posed by cybercriminal activity is immense. Surveying the cyberthreat landscape in 2014, the European Union Agency for Network and Information Services (ENISA) declared that never before had they seen such a wide range of change: from massive data breaches and increasingly complex attacks able to evade security defenses, to direct attacks on vital internet security functions. These assaults on Europe’s cyberdefenses currently cost the EU economy an estimated €750 billion every year.

One major obstacle to tackling cybercrime is that as fast as law enforcement defeats one illicit method, another emerges to take its place. And in the ever-evolving arsenal of tools cybercriminals have at their disposal, one in particular stands out for its stealth:  the botnet, which is most probably the number one tool powering large scale attacks on the Internet.

This term describes a network of computers infected with malware via a mobile device, an email, an email attachment, the sharing of infected files, or a visit to an infected website. And computers which aren’t using up-to-date, legitimate software or anti-virus or malware protection are more likely to become infected. The malware allows criminals to take control of multiple infected computers at a distance, through one or more command and control (C&C) servers. They can then steal personal and banking information, undermine antivirus software or disable automatic security updates; all without the computer users’ knowledge.

With a botnet, criminals are able to access and control not just one computer, but millions worldwide at the same time, making them capable of illicit activity on a massive scale. To add to the challenge, botnet developers often build defensive mechanisms into their malware, meaning they can move the location and nature of their command and control servers at a moment’s notice.

ENISA currently ranks botnets as one of the top 15 threats to European cybersecurity. In 2014, they accounted for 34% of all cyberattacks. However, in the same period, the number of computers infected by botnets dropped from around 3.5 million to 2.3 million, showing that efforts to detect and disable such networks are working. ENISA notes that this is thanks to globally coordinated action between law enforcement, industry and governments.

One such instance of coordination in action occurred on 24 February, when Europol’s Cybercrime Centre (EC3) led an international campaign against the Ramit botnet, which was primarily aimed at harvesting credentials such as online banking log-ins, passwords and personal files. This particular botnet had infected 3.2 million computers worldwide.

Microsoft took part in the takedown, alongside other industry partners Symantec and AnubisNetwords, by assisting Europol and national investigators from Germany, Italy, the Netherlands and the UK with shutting down the C&C servers and redirecting 300 Internet domain addresses used by the botnet’s operators.

In the lead up to the takedown, malware investigators from Microsoft’s Digital Crimes Unit (DCU) – a group of international legal and technical experts focused on disrupting malware crimes, shoring up Internet security, and protecting vulnerable populations online – devoted significant time and resources to understanding exactly how the Ramnit botnet worked, using cloud-based data analytics tools.

It turns out that the efficiency of a botnet is also its downfall. Once connected, computers infected with the Ramnit malware sent hundreds of thousands of messages to the overarching C&C server, asking for instructions about what crime to commit next. But these kinds of messages leave a footprint, in the form of an electronic trace that the DCU was able to detect, ingest, analyze and visualize using parts of the Microsoft Internet of Things (IoT) suite such as Power BI, Event Hubs, and HDInsight.

The strength of these tools lies in instant insight. During the botnet takedown, the use of Event Hubs to collects and analyze infection data in near real-time meant that Microsoft was able to instantly see the number of infections and track progress on malware and botnet disruption.

Event Hubs instant insights

Data makes for smarter, more efficient cybercrime-fighting. Sharing those data insights enables law enforcement to lead successful operations and better protect critical computer infrastructures. Policymakers are increasingly aware of the need for increased cooperation to tackle cybercrime, and as part of its Digital Single Market strategy, the European Commission intends to propose a Public-Private Partnership on cybersecurity in early 2016.

It’s vital that a modern  international cooperation and information-sharing framework involving industry, customers and law enforcement is created, to understand how cybercriminals operate and how to more effectively stop them in their tracks. Only then can we ensure that Europe’s digital defenses remain robust, watertight and able to handle whatever the online criminal underworld throws at them next.