January 2021 – in one of the biggest operations of recent times, police in eight countries seized 700 command and control (C2) servers used by a botnet called Emotet, cutting it off from the reported 1.6 million computers it has infected since last April.
The operation, nicknamed Operation Ladybird, left the police forces involved – Europol, the FBI, and Britain’s National Crime Agency – understandably delighted with their work. Within hours, one of cybercrime’s most intractable malware delivery systems had been severely dented and perhaps put out of operation forever.
Are we now a lot safer?
Rather like drug seizures in conventional policing, high-profile botnet takedowns are an example of a news story which makes the public feel as if a blow has been struck. In both cases, the public isn’t entirely wrong – disrupting a botnet’s infrastructure is always a good thing because it halts the flow of damaging malware the botnet distributes. The important caveat is what happens next.
The evolution of botnets
First detected in 2014, Emotet was one of a new generation of online banking Trojans distributed using malicious email attachments and links. The key to its success was the way it was developed like a conventional software product, rapidly distributing successive versions targeting numerous banks while adding sophisticated features that blunted detection. Eventually, Emotet started operating like a botnet – a network of infected machines – as a way of distributing not only banking Trojans, but any payload. This was recently taken to its logical conclusion and Emotet morphed into something resembling a software platform offering this multipurpose capability as crime-as-a-service where its makers earn commission for every successful infection.
Emotet’s speciality was infected attachments, especially Word documents. This is a good choice because such attachments are nearly impossible to block outright: doing so would halt most invoicing, discussion papers, policy documents, and shipping notices. Cleverly, the emails would arrive as replies to established email threads from known contacts, which also made it easier to persuade targets to enable macros, triggering the malware. Once the door was open, Emotet would gather profile data about its victim, helping the criminals decide which specific malware payload to deliver, often ransomware.
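Because the attachments themselves cannot be blocked wholesale, one practical mail-gateway control is to detect whether an Office attachment actually carries a VBA macro project before it reaches the inbox. The following is an added example written for this article, not code from the original post or from any vendor: it inspects the OOXML zip container for the vbaProject.bin part and flags macro-enabled extensions. The file names and the minimal in-memory documents it builds are constructed for the demonstration; legacy binary .doc files (OLE compound files) are a different container and are only reported as unparsed here.

```python
import io
import zipfile

# OOXML stores VBA code in a binary part with a fixed name per application.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that Office treats as macro-enabled by convention.
MACRO_ENABLED_EXT = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba")
    return buf.getvalue()


def attachment_has_macros(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (flagged, reason) for an attachment.

    The part check runs first so a .docx that secretly contains a VBA project
    (extension mismatch) is still caught.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls are OLE containers, not zips; a tool such as
        # oletools' olevba is needed to inspect those.
        return False, "not an OOXML zip container (unparsed)"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    for part in MACRO_PARTS:
        if part in names:
            return True, f"contains VBA project part {part}"
    if filename.lower().endswith(MACRO_ENABLED_EXT):
        return True, "macro-enabled extension"
    return False, "no VBA project found"


def triage_attachments(attachments: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """Run the check over a mapping of filename -> bytes and return the verdicts."""
    return {name: attachment_has_macros(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample set: a clean invoice, a .docx hiding macros, a .docm.
    samples = {
        "invoice.docx": build_sample_docx(with_macro=False),
        "invoice_reply.docx": build_sample_docx(with_macro=True),
        "shipping_notice.docm": build_sample_docx(with_macro=False),
        "notes.txt": b"plain text",
    }
    for name, (flagged, reason) in triage_attachments(samples).items():
        print(f"{'FLAG ' if flagged else 'pass '} {name}: {reason}")
```

Flagged attachments would typically be quarantined or delivered with the macro container stripped, and the verdict logged alongside the sender and thread so that a reply-chain lure from a known contact is still visible to the security team.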
Despite going quiet for periods, police say it’s generated millions of dollars for its creators. Botnets are traditionally measured by counting the number of computers they infect and control at any one time, but this can be misleading. A better yardstick is the damage done, and on that score Emotet is among the worst crimeware systems in the world, prominent in numerous malware attacks on companies, universities, schools, and even whole city administrations.
Botnets have been taken down before
Ever since they emerged around 20 years ago to distribute spam, botnets have been public enemy number one for police forces, and it’s not hard to see why. As well as being important infrastructure for online crime, they make inviting targets for intervention. Usually, the only chance to stop malware is when it appears at the endpoint, but this has proved unreliable to say the least. A better alternative is to track and disrupt the botnet systems used to distribute malware in the first place.
An early tactic was to contact the owners of computers that were part of botnets, the approach taken by the FBI’s Operation Bot Roast in 2007, which identified one million victims by their IP addresses. This was ineffective because the botnet controllers could infect new computers faster than the old ones could be cleaned. What it did establish, however, was the basis for anti-botnet cooperation between police forces and tech companies across jurisdictions. That allowed police to move on to more ambitious operations such as 2011’s Operation Ghost Click, which took over the infrastructure of the DNSChanger advertising botnet. Designed to route infected computers’ traffic through rogue DNS servers (the servers that resolve Internet domain names to IP addresses), this had to be shut down carefully over a period of months so that surprised victims weren’t simply cut off.
Operation Ghost Click was described as the “biggest cybercriminal takedown in history.” This seemed fair at the time – unusually several individuals were arrested and prosecuted for setting it up – but the triumphalism was premature; botnets continued to thrive and grow. More anti-botnet operations have followed, for example against ZeroAccess in 2013, Gameover Zeus a year later, and the more recent takedowns of Necurs and Trickbot in 2020.
Recurring themes have included the involvement of Russian cybercriminals and a reliance on Microsoft’s Digital Crimes Unit (DCU) for botnet intelligence and legal expertise. But the biggest theme of all is simply that none of these actions has ever delivered a knockout blow. Each time a botnet was disrupted, other cybercriminals exploited the vacuum as a competitive advantage. It could be that botnet criminals evolved to dodge the takedowns with more resilient Command and Control systems, or simply that there are too many botnets in the first place for any one takedown to make much of a difference.
What happens next?
The action against Emotet might sound like a version of previous botnet busts, but there are intriguing differences. Not all the details have yet been released, but it appears that the police and tech companies aren’t simply seizing the botnet’s servers and making a few arrests; instead, they are using the seized infrastructure to upload software updates that will remove the botnet from infected computers by 25th March. This is unusual but also complex for legal and technical reasons. The pay-off is that it should make it impossible for the botnet operators to contact the infected systems using a reconstituted Emotet 2.0, which means there’s a reasonable chance Emotet is gone for good. If that interventionist model is a template for future anti-botnet operations, the Emotet takedown could be a botnet operation everyone remembers.
How can you avoid becoming a victim of a botnet?
Undoubtedly, organisations should be taking the risks from botnets very seriously, and there are measures you can take to reduce those risks significantly. These include:
- security policies that control what email users can do from their inboxes
- endpoint patching
- ensuring you have a security team that knows how to look for the symptoms of infection.
Obtaining certification such as Cyber Essentials, Cyber Essentials Plus or ISO 27001 would help to provide confidence that your security measures are sufficient or highlight any areas of weakness before they become a problem.
In conclusion
Each botnet has its own indicators of compromise (IoCs), which in Emotet’s case include a known set of IP addresses for its Command and Control system. At some point, more detail will become available and it should make essential reading for security staff looking to plan their organisation’s response. It’s not clear how the authorities will go about cleaning infections, but we expect that SMEs involved will be contacted by local police forces.
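Once a published IoC list is available, the most direct way for a security team to look for the symptoms of infection mentioned above is to match outbound connection logs against the C2 addresses and summarise which internal hosts made contact. The script below is an added example for this article, not code from the original post or from any authority’s release: the IoC addresses are placeholders from documentation IP ranges rather than real Emotet C2 addresses, and the firewall log lines and their `src=`/`dst=`/`dport=` format are constructed for the demonstration. It accepts both single addresses and CIDR ranges, since published lists often mix the two.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder IoCs (RFC 5737 documentation ranges), NOT real C2 addresses.
# A real list would be loaded from the authorities' published IoC feed.
C2_IOCS = ["192.0.2.10", "198.51.100.0/24"]

# Constructed sample firewall log: one malformed line is included to show
# that parsing failures are skipped rather than crashing the scan.
SAMPLE_LOG = """\
2021-01-27T10:01:02Z src=10.0.0.5 dst=192.0.2.10 dport=443
2021-01-27T10:01:09Z src=10.0.0.5 dst=203.0.113.5 dport=443
2021-01-27T10:02:11Z src=10.0.0.9 dst=198.51.100.77 dport=8080
this line is malformed and should be ignored
2021-01-27T10:03:30Z src=10.0.0.9 dst=192.0.2.10 dport=80
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def load_iocs(entries):
    """Normalise IoC strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_c2_hits(lines, iocs=None):
    """Return (timestamp, src, dst, dport) for every connection to an IoC address."""
    networks = load_iocs(iocs if iocs is not None else C2_IOCS)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, do not abort the scan
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # destination is not a literal IP (e.g. a hostname)
        if any(dst in net for net in networks):
            hits.append((rec["ts"], rec["src"], rec["dst"], int(rec["dport"])))
    return hits


def summarise_by_host(hits):
    """Group hits by internal source host: src -> sorted list of (dst, dport)."""
    by_host = defaultdict(set)
    for _, src, dst, dport in hits:
        by_host[src].add((dst, dport))
    return {src: sorted(pairs) for src, pairs in by_host.items()}


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG.splitlines())
    for src, contacts in summarise_by_host(hits).items():
        print(f"{src} contacted C2 infrastructure: {contacts}")
```

The per-host summary is what matters for response: each listed internal address is a candidate for isolation and rebuild, and the same function can be pointed at proxy or DNS logs once their line format is parsed into the same fields.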
As in the past, other botnets will fill the gap left by Emotet, learning as much from its downfall as our authorities do. Therefore, whilst this operation was a good day for cybersecurity it will not be the last action in a war that’s gone on longer than anyone expected two decades ago.