Following confirmation that the Beebone botnet had been sinkholed last week, OpenDNS IT Pro Owen Lystrup warns that this is only the first step in stopping these infected machines:
“While the difficult effort of stopping the botnet is complete, it is only the first step to ensuring security for those affected. The next, and perhaps more crucial, steps are to shut down the servers involved and clean the infected endpoints. As we’ve seen before with cases like Kelihos, botnets can resurface after a dormant period.
“The interagency sinkhole essentially chops the botnet’s capability at its knees. However, unless they have been thoroughly cleaned, the endpoints compromised are still very much infected. The sinkhole merely means outbound traffic intended for what were formerly command and control (C&C) IPs will now get dropped. This result is positive. It means those infected machines will no longer receive instructions from a malicious server – for now.”
Dhia Mahjoub, senior security researcher at OpenDNS, has spent a great deal of time researching botnets such as Kelihos and Zbot, which share characteristics with Beebone, and he is fully aware of the challenges involved in stopping them. “Sinkholes are good for telemetry, which will measure the extent of the threat,” he said. “Step two is for law enforcement to actually take down the involved servers, and to clean the endpoint machines.”
After the press release announcing the takedown, the OpenDNS security research team used the preliminary data to map the known infrastructure and compared it against OpenDNS’s own view of DNS traffic on the internet. The analysis shows that requests to these formerly malicious domains are still at very high levels, which suggests that cleanup efforts have not yet been effective.
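The same sinkhole telemetry works at the scale of a single network: queries to the former C&C names are harmless once sinkholed, but each client still making them is an endpoint that has not been cleaned. The script below is an added example (not from the article or from OpenDNS) that reads constructed resolver log lines, lists the clients still resolving placeholder sinkholed domains, and counts unique infected clients per day so the cleanup trend can be watched; the domains and log lines are constructed placeholders, not real indicators.

```python
"""Added example: use resolver logs as sinkhole telemetry to find endpoints still
calling out to former C&C names, and to track whether cleanup is progressing."""
from datetime import datetime

# Constructed placeholders standing in for sinkholed C&C domains (not real IoCs).
SINKHOLED_DOMAINS = {"cnc-placeholder-1.example", "cnc-placeholder-2.example"}

# Constructed resolver log: "<ISO-8601 UTC timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2015-04-13T10:00:01Z 10.1.2.3 cnc-placeholder-1.example A
2015-04-13T10:00:05Z 10.1.2.3 www.example.org A
2015-04-13T10:00:09Z 10.1.2.7 CNC-PLACEHOLDER-2.example. A
2015-04-13T10:01:12Z 10.1.2.3 cnc-placeholder-1.example A
2015-04-13T10:02:30Z 10.1.9.9 mail.example.org MX
2015-04-13T10:03:44Z 10.1.2.7 cnc-placeholder-1.example A
2015-04-14T09:15:00Z 10.1.2.3 cnc-placeholder-1.example A
"""

def parse_line(line):
    """Split one log line; qnames are case-folded and the trailing dot removed."""
    ts, client, qname, qtype = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, qname.rstrip(".").lower(), qtype

def sinkhole_hits(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Yield (timestamp, client, qname) for every query to a sinkholed domain."""
    for line in log_text.splitlines():
        if line.strip():
            when, client, qname, _ = parse_line(line)
            if qname in sinkholed:
                yield when, client, qname

def infected_endpoints(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Per client still resolving former C&C names: query count, domains, first/last seen."""
    hits = {}
    for when, client, qname in sinkhole_hits(log_text, sinkholed):
        rec = hits.setdefault(client, {"count": 0, "domains": set(), "first": when, "last": when})
        rec["count"] += 1
        rec["domains"].add(qname)
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
    return hits

def daily_infected_clients(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Unique clients per day hitting the sinkhole; a flat or rising series means cleanup is lagging."""
    per_day = {}
    for when, client, _ in sinkhole_hits(log_text, sinkholed):
        per_day.setdefault(when.date().isoformat(), set()).add(client)
    return {day: len(clients) for day, clients in sorted(per_day.items())}

if __name__ == "__main__":
    for client, rec in sorted(infected_endpoints(SAMPLE_LOG).items()):
        print(f"{client}: {rec['count']} queries, last seen {rec['last']:%Y-%m-%d %H:%M}, needs cleanup")
    print("unique infected clients per day:", daily_infected_clients(SAMPLE_LOG))
```

Feeding a real resolver log in the same four-column shape, with the organisation's own list of sinkholed names, gives the per-host cleanup worklist and the day-by-day count that should fall to zero as endpoints are remediated.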
In conclusion, Dhia said, “Cleanup is incredibly difficult because the burden lies on the individuals using infected machines, or their ISPs. It’s a huge effort and very expensive. But without it, botnets can potentially pick up where they left off.”
A graph visualising this traffic is available here: