The Web’s Bot Containment Unit Needs Your Help

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Image: Ghostbusters.

Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving ShadowServer have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.

Image: Shadowserver.org

Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.

The Shadowserver Foundation currently serves 107 National computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.

“These reports notify our constituents ​about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.

The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.

“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”

Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.

“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”

Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

Update 10:46 a.m., ET: Added comment from Cisco.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *