In a recent presentation at the RSA Conference (RSA is now the security division of EMC), Tillmann Werner took down the Kelihos botnet live during his talk. Gutsy move!
Tillmann Werner says that he consulted international agencies such as the FBI about his plans and that he also took legal advice. The researchers plan to provide the authorities and the Shadowserver Foundation with the IP addresses of the infected servers that connected to the sinkhole as soon as possible to ensure that victims' ISPs can be notified.
How long this blow will keep the botmasters from pursuing their criminal activities is an entirely different question: Werner said that when the previous version, Kelihos.b, was taken down, it took only 20 minutes for its successor, the now disabled Kelihos.c, to grow to 40,000 zombie PCs. The researcher plans to announce the size of Kelihos.c at the time of its takedown in a blog post over the next few days.