Quantumbot, Botnets and the NSA
Last week we learned from the Snowden files that the NSA has a program known as Quantumbot, part of a larger project called Turbine. The purpose of Quantumbot is to take over idle, presumably criminal, botnets.
Now, when the security industry, usually in conjunction with law enforcement, ‘takes down’ (better described as ‘disrupts’) a criminal botnet, what that means is that it takes control of the botnet’s command and control (C&C) servers. The infected computers, or bots, remain infected and keep calling home. Whoever controls the C&C servers, and understands the protocol the bots speak, in theory gains an immediate backdoor into all of the infected computers via the botnet’s established communication channels. If that party is the NSA, it can do what it wants with that backdoor: leave things as they are, or upload its own stealth spyware and remove the original infection.
The document that Snowden leaked describes Quantumbot as ‘Highly Successful (over 140,000 bots co-opted).’ The thing is, even for 2007 (the date mentioned in the document in question), 140,000 represents a very small botnet. So is Quantumbot not as successful as its author implies? Had the project only just started? Or is something else going on?
We can assume that the project was in its early days. If it was successful, we can further assume that the NSA now has a backdoor into many more PCs. So our first task must be to look at the feasibility of the process. I spoke to Fraser Howard, security researcher at Sophos.
First I simply asked if it would be possible for the NSA to take over a taken-down botnet. “In a regular (that is, non-P2P) callhome model, if ownership of the C&C is taken, then in theory full control of the botnet may be achievable,” he said. “If there is full knowledge of the ‘communication channel’ (the protocol being used, the relevant commands, etc), then the new ‘owner’ will be able to match the capabilities of the original criminal in charge of the botnet.”
So, yes, the botnet could initially be taken over on an as-is basis. There are riders of course. “The more sophisticated the communication channel, the trickier it could be to gain control – but ultimately, once the threat is fully reversed, and the communication is understood, it is achievable.”
The next question, then, is this: if a taken-down botnet comes back to life (now controlled by the NSA), would not the same security industry that discovered, monitored and eventually helped to take down the original botnet see it and know something is going on? In other words, if the NSA took over a botnet, would not the anti-virus companies be aware of it?
That depends, says Howard, on what the new owner does with the botnet: change the C&C server, change the malware installed, change the communications protocol and commands… “When you talk about the security industry noticing the botnet,” he explains, “you are essentially talking about the industry seeing some combination of malware activity on infected endpoints, and network traffic associated with the communication channels. If the new owners choose to use the same malware, without any changes to the communication channel and C&C address, then there may not be much visible change. Probably just a difference in how the botnet might be being used (and how visible that would be from inspection of the callhome traffic is questionable).”
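Howard’s two points, that a non-P2P callhome botnet belongs to whoever answers the C&C address provided they have fully reversed the channel, and that a takeover which changes neither the malware nor the C&C address leaves little for the security industry to see on the wire, can be made concrete with a toy simulation. The code below is an added example written for this article; it is not code from the author, from Sophos, or from any real botnet, and the hostnames, the embedded key, the message format and the command names are all constructed for the illustration. Each callhome returns the tuple a passive network sensor would observe (destination, port, message shapes), so the scenario can compare what is visible before and after the C&C changes hands.

```python
"""Toy model of a non-P2P callhome botnet and what changes when its C&C is taken over.

Constructed illustration for this article; not code from the author, Sophos, or any
real botnet. Bots poll a C&C hostname; whoever that name currently reaches (the original
operator, or a party that seized the server or sinkholed the domain) answers the beacon.
Commands are authenticated with a key embedded in the bot, so a new owner needs both
the reversed protocol and that key: 'full knowledge of the communication channel'.
"""
import hashlib
import hmac
import json

BOT_KEY = b"key-embedded-in-bot"       # assumed: only recoverable by reversing the malware
ORIGINAL_HOST = "cdn.example.invalid"   # hypothetical C&C hostname baked into the bot
CNC_PORT = 443


def sign(key, cmd):
    body = json.dumps(cmd, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify(key, msg):
    mac = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(msg["body"]) if hmac.compare_digest(mac, msg["mac"]) else None


class Resolver:
    """Stand-in for DNS/routing: which server a hostname currently reaches."""

    def __init__(self):
        self.table = {}

    def point(self, host, server):
        self.table[host] = server


class CncServer:
    def __init__(self, operator, key):
        self.operator, self.key, self.queue = operator, key, {}

    def task(self, bot_id, cmd):
        self.queue[bot_id] = cmd

    def handle(self, beacon):
        return sign(self.key, self.queue.pop(beacon["bot"], {"op": "sleep"}))


class Bot:
    def __init__(self, bot_id, resolver):
        self.id, self.resolver, self.host = bot_id, resolver, ORIGINAL_HOST
        self.executed, self.rejected = [], 0

    def callhome(self):
        """One beacon/response cycle; returns the tuple a network sensor would observe."""
        dst, beacon = self.host, {"bot": self.id, "ver": 1}
        reply = self.resolver.table[dst].handle(beacon)
        cmd = verify(BOT_KEY, reply)
        if cmd is None:
            self.rejected += 1                 # wrong key: this 'owner' cannot drive the bot
        else:
            self.executed.append(cmd["op"])
            if cmd["op"] == "set_cnc":         # operator migrates the bot to a new C&C
                self.host = cmd["host"]
        # Destination, port and message shapes are all a passive sensor sees.
        return (dst, CNC_PORT, tuple(sorted(beacon)), tuple(sorted(reply)))


def run_scenario():
    resolver = Resolver()
    criminal = CncServer("criminal", BOT_KEY)
    resolver.point(ORIGINAL_HOST, criminal)
    bots = [Bot(f"bot{i}", resolver) for i in range(3)]
    criminal.task("bot0", {"op": "download"})
    baseline = {b.callhome() for b in bots}

    # 1. Takedown: the C&C address now reaches a party that lacks the embedded key.
    resolver.point(ORIGINAL_HOST, CncServer("sinkhole", b"guessed-wrong"))
    after_sinkhole = {b.callhome() for b in bots}
    rejected = sum(b.rejected for b in bots)

    # 2. Same address, but the new owner has reversed the malware and holds the key.
    new_owner = CncServer("new-owner", BOT_KEY)
    resolver.point(ORIGINAL_HOST, new_owner)
    new_owner.task("bot1", {"op": "download"})
    after_takeover = {b.callhome() for b in bots}

    # 3. The new owner moves one bot to a fresh C&C: that bot's traffic now looks different.
    resolver.point("img.example.invalid", new_owner)
    new_owner.task("bot2", {"op": "set_cnc", "host": "img.example.invalid"})
    bots[2].callhome()
    migrated = bots[2].callhome()

    return {
        "baseline": baseline,
        "after_sinkhole": after_sinkhole,
        "rejected_without_key": rejected,
        "after_takeover": after_takeover,
        "ops": {b.id: b.executed for b in bots},
        "migrated": migrated,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Running the scenario shows the three outcomes the interview describes: a party holding the C&C address without the bot’s key gets every command rejected; a party holding both the address and the key drives the bots exactly as the original operator did, and the sensor-visible tuple is identical to the baseline for every callhome; only when the new owner changes something observable, here the C&C hostname, does the traffic of the migrated bot look different. The simulation uses an HMAC over a JSON body purely as a stand-in for whatever authentication a real family uses; the point is that the channel must be fully understood, not that any particular botnet works this way.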
We can assume, then, that the NSA is perfectly capable of co-opting idle botnets and hiding the process from general view. We know from other Snowden files that its TAO (Tailored Access Operations) group has access to an armoury of sophisticated malware. If criminal gangs can hide their presence on an infected network for months and even years, then we should assume that the NSA/TAO is capable of hiding its presence almost indefinitely.
And that leaves us with the relatively small number of ‘140,000 bots co-opted’. It could, however, be a ‘post-minimization’ figure. I believe we can assume that the NSA tries to avoid straightforward lies; although it clearly tries to disguise the truth. It repeatedly stresses that it does not spy on Americans unless they are a legitimate target; and that if any innocent Americans are caught up in its programs, it ‘minimizes’ any data held. I believe this to be true, although it probably doesn’t minimize as many as it implies. Add to that the political, constitutional, and legal problems that would arise if it were discovered that the NSA has installed or controls malware on the computers of innocent Americans, and keeping US bots in the program would be a risk too far.
It is probably a fair assumption that one way or another US bots are excluded from this figure. That means that by 2007, the NSA had control of 140,000 foreign computers – and that begins to look a bit more ‘highly successful’. If the program was maintained, there could by now be untold millions of non-US computers backdoored by the NSA through co-opting idle botnets – and that, if you are not an American, is more than a bit worrying.
As a postscript, when the Dutch police used the Bredolab botnet C&C servers to distribute a warning message to the infected PCs, I was generally – shall we say – concerned. See here: ‘Dutch Police infect users with trojan – legal or illegal; good thing or bad thing?’ for details. However, if the NSA really is co-opting criminal botnets for its own surveillance purposes, then maybe I should revisit my opinion; and hope that European law enforcement agencies can help victims cleanse their PCs before the NSA arrives. Assuming, of course, that the law enforcement agencies aren’t already working hand-in-hand with the NSA…