Bulletproof servers foil botnet/malware takedowns

Check Point security innovations manager Tomer Teller says that the last two botnet/malware hosting operations his team worked with - in cooperation with the FBI and other parties - failed due to the use of bullet-proof hosting facilities by the cyber-criminal gangs concerned.

Third time's a charm for reborn Asprox botnet
Third time's a charm for reborn Asprox botnet

"The last few takedowns I was involved with failed. We could not release details to the press, largely due to the use of bullet-proof servers," he told an audience in Barcelona on Wednesday.

Teller - who was speaking in a panel session at a Check Point partner conference - explained that the FBI could not gain access to the servers, meaning that the server take-down(s) could not take place.

During the panel session, Dan Wiley, Check Point's senior security consultant, said that resolving the current security challenges posed by cyber-criminals cannot be solved by technology alone.

"There is the human element involved here. We need to tackle these issues. Law enforcement (agencies) need to react in real time," he said, referring to the fact that most high-profile investigations and server take-downs require meticulous planning.

Christian Christiansen, IDC's programme vice president for security, agreed with Wiley's comments, noting the need for legal professionals to become involved in internal investigations, and to make decisions on whether to call in external law enforcement assistance where it is required.

"Lawyers must get involved immediately. The legal team can then decide when to talk to the law enforcement organisations," he explained.

Attack methodologies, APTs and air gap attacks

Teller said that, in his experience of investigating security attacks, admin privileges are a common attack vector used by cyber-criminals.

"Harvesting credentials then takes place relatively slowly. Hackers have a wide variety of technology [at their disposal] and they also have time to carry out their attacks," he said.

IDC's Christian Christiansen said he questioned whether there is really an APT attack vector as such.

"It depends on what you mean by an APT. It's a group of attack processes that we may have not seen before. The process is a lot more important than the complete picture," he said, adding that he also remains skeptical on the subject of so-called air gap attacks.

Air gap security - aka air walling - is a security measure that consists of ensuring that a secure computer network is physically isolated from unsecured networks, such as the Internet or an insecure LAN within an organisation. The security measure is often used for IT systems that form part of the critical national infrastructure, SCMagazineUK.com notes. 

Christiansen said that air gap attacks are actually not that new, as the security technology - and attacks - have been around for a long time.

If you think about the earliest malware, he added, the code was often spread between machines using floppy disks, even though the computers concerned were effectively 'air gapped' from each other. Floppy disk propagation, he explained, was a perfect air gap attack.

Teller, meanwhile, told the audience that air gap attacks are still a theoretical method of attack, as he and his team have not seen this type of attack being used in the wild.

Sign up to our newsletters