Takedowns of Zeus botnet command and control servers like the one executed last week by Microsoft and others do reduce the criminal activity they spawn - for a while - but attackers learn from the experience and come back with more sophisticated techniques, a security expert says.
Eliminating the servers that issue commands and gather stolen data can stop a particular criminal enterprise temporarily, but without grabbing the people behind it, a new botnet is likely to emerge to replace the ones that are disabled, says John Pironti, president of IP Architects, LLC.
"Adversaries will study how Microsoft did this and create ways to get around it in the future," he says. "They'll change their methods and practices and won't make the same mistake twice."
In fact, even as Microsoft was seizing the servers that zombie machines reported back to with stolen banking data, criminals were already using more sophisticated means. Whereas the Zeus botnet employed a beacon reporting system in which drone machines report to a single server, newer botnets use command and control servers that are linked peer-to-peer to make discovery and takedowns harder, Pironti says.
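The difference between the two designs shows up in network flow data, which is where defenders usually see it. The following is an added illustration, not code from the article or from any of the parties it names: it runs a simple beacon detector over two constructed sets of flow records. Host 10.0.0.5 contacts one server at a near-constant interval, the pattern a single-server beacon scheme produces; host 10.0.0.6 contacts many different peers once each, a stand-in for peer-to-peer command traffic. The addresses, timestamps and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp in seconds, source, destination).
# Host A reports to one server roughly every five minutes with slight jitter,
# the kind of pattern a single-server beacon design leaves in flow logs.
BEACON_TIMES = [0, 303, 598, 905, 1199, 1502, 1797, 2104, 2398, 2701, 2996, 3302]
FLOWS_SINGLE_C2 = [(t, "10.0.0.5", "203.0.113.10") for t in BEACON_TIMES]

# Host B talks to a dozen different peers, once each, spread over the same hour:
# a constructed stand-in for peer-to-peer command traffic with no central hub.
FLOWS_P2P = [((i * 291) % 3600, "10.0.0.6", f"198.51.100.{10 + i}") for i in range(12)]


def beacon_candidates(flows, min_count=6, max_cv=0.2):
    """Return (src, dst, count, mean_interval) for source/destination pairs whose
    contact times are regular enough to look like a beacon: at least min_count
    contacts, and a coefficient of variation of the inter-contact gap at most
    max_cv. Both thresholds are assumed values for this example."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, len(times), float(avg)))
    return hits


def destination_fanout(flows):
    """Distinct destinations per source. A host with many one-off peers and no
    regular hub is what a peer-to-peer scheme looks like in the same data, and
    also why there is no single server to seize."""
    peers = defaultdict(set)
    for _, src, dst in flows:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    print("single-server beacons:", beacon_candidates(FLOWS_SINGLE_C2))
    print("p2p beacons:          ", beacon_candidates(FLOWS_P2P))
    print("fan-out:", destination_fanout(FLOWS_SINGLE_C2 + FLOWS_P2P))
```

The interval check flags the single-server host and one destination, which is exactly the server a takedown can target; the peer-to-peer host produces no beacon candidate at all, and the only remaining signal is its unusually wide fan-out, which is a weaker, noisier indicator. That gap between the two outputs is the "harder to discover" point the article makes.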