Forgot your password?

Is the Botnet Battle Already Lost? 374

Posted by CowboyNeal
from the fighting-the-good-fight dept.
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
This discussion has been archived. No new comments can be posted.

Is the Botnet Battle Already Lost?

Comments Filter:
  • by thesoffish (852987) <> on Tuesday October 17, 2006 @12:17AM (#16463617) Homepage
    Why not just physically unplug your computer from the network?
  • by Anonymous Coward on Tuesday October 17, 2006 @12:28AM (#16463717)
    and then you open yourself to a DoS attack where the botnet purposefully causes a domain to be blacklisted.
  • A modest proposal (Score:5, Insightful)

    by caitsith01 (606117) on Tuesday October 17, 2006 @12:30AM (#16463725) Journal
    I am no expert in this area, but a thought occurs.

    Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?

    It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").

    The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.

    Of course this may already be the approach taken - I don't know much about the field, as I say.
  • by linuxbert (78156) on Tuesday October 17, 2006 @12:32AM (#16463731) Homepage Journal
    If you your self won't work like that, then don't waste time suggesting it. these measures are really nothing more then window dressing designed to give the apperance of security. I would hazard a guess that more corporate security people are worried about data theft via usb drives, then they are about becoming part of a botnet.
  • by Dunbal (464142) on Tuesday October 17, 2006 @12:32AM (#16463741)
    Basically this is a problem with people owning computers who don't know how to maintain them properly

          The cry of "I know, let's invent a computer that is smart enough to maintain itself!" was heard in the boardroom, and thus SkyNet was born - with the dual mission of perfecting itself and eradicating the useless humans that weren't even able to maintain it!
  • by swordgeek (112599) on Tuesday October 17, 2006 @12:42AM (#16463803) Journal
    The so-called botnet battle is no different than the war on spam or the anti-virus front, or any of the others.

    It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.

    This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.

    But convincing people to work together is impossible, so we might as well get used to it.
  • by PhiRatE (39645) on Tuesday October 17, 2006 @12:46AM (#16463831)
    The simple problem with the fight against botnets is that it's asymmetric, and not in our favor. The bots are in a place that is particularly difficult for someone attempting to dismantle the network to reach, the property of someone else. It's not the technical problems that make a botnet so difficult to dismantle, but the legal ones.

    The botnet creators don't give a damn, their objective involves breaking the law (where there is one) in order to hijack someones computer. Someone attempting to destroy the botnet is likely to be atempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromise machines, many of which:

    a) are difficult or impossible to contact
    b) don't speak your language
    c) don't understand anything about the problem
    d) don't care

    Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command), however botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure resistant networks of cooperating nodes is a well researched area and at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.

    They're here to stay, there is no practical non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and lets face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch applicance like systems in the future which will continue to be exploited.

    As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, Stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like tipping-point that will give them a head start on deflecting the inbound traffic. That's about it.
  • by Geoffreyerffoeg (729040) on Tuesday October 17, 2006 @12:49AM (#16463845)
    Attachments are converted to .odf or .png, as appropriate.
    There are many applications which require macros to be present in Word documents. If you translate the macros to ODF's format (does it even support macros?), you've gained nothing. If you don't, you've caused confusion for many customers. And as far as converting images, how do you ensure the buffer overflow (or worse, the WMF arbitrary-code loophole in the specification - this wasn't technically a bug in the parser) isn't present on the firewall itself? I would think a rooted client machine is much better than a rooted firewall.

    No more "Web 2.0"; those sites just stop working.
    There are quite a few Web 1.5 sites that critically depend on JS, Flash, Java, etc. Facebook loses a lot if you even have just a partial JS interpreter (and I have seen it happen), and Facebook's coding is arguably not 2.0. Yahoo passwords lose a lot of their security if you disable JS, because then you can't do any sort of key challenges - you have to send the password itself, HTTPS or not. Etc.

    Web browsing to secure sites via SSL is only permitted if the site has a SSL cert that is a high-grade "we really know who this is" cert.
    You have locked out many universities (MIT is a major one; OU and UL also come to mind) that do not feel like paying a 3rd-party commercial company to certify their identity when they can just pass out root certificates.

    TCP port 80 is all you get outgoing. Incoming, forget it. UDP, forget it. If you want to message, use the phone.
    Wonderful. No e-mail. No file sharing. No VPNs. No intranets. Web-only is fine for home users on AOL. Home users who do anything else, and corporate users, need other ports.

    Your internet-café machines are far more usable than your "normal use" machines at this point.
  • by bcrowell (177657) on Tuesday October 17, 2006 @01:14AM (#16463981) Homepage

    However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming.
    A serious question, then: what do you think makes your outcome different from the outcome experienced by the people who are getting their machines owned? I don't know the answer, because I don't run Windows, but I could speculate:

    Is it because they intentionally download stuff that infects their machine with spyware? If so, then maybe security is too difficult for them, because they aren't technologically sophisticated enough to realize that this is a bad idea, and maybe MS is helping to make it too difficult for them, by creating a culture where it's normal for every user to run with unlimited privileges.

    Another possibility is that they aren't sophisticated to realize that the simple, commonsense measures you've taken (a router/firewall, doing updates) would be more sensible than measures such as buying anti-virus software, or taking their computer to Circuit City to get it fixed when it "gets slow."

    I think the real problem is that a lot of people own more computer than they need. All they really need is a word processor, e-mail, and a web browser. They really don't need a general-purpose computer at all, and don't have the skills needed to maintain one. They might be better off with an internet appliance, or a thin client. The problem is that they don't understand how much they don't understand. It's like the people who have to own a Harley Davidson because it's cool, even though it's an utterly impractical motorcycle for what they want to do.

  • larger battle (Score:5, Insightful)

    by Tom (822) on Tuesday October 17, 2006 @01:25AM (#16464053) Homepage Journal
    This isn't a battle for/against botnets. They're just the symptoms. What this really means is that the battle to have secure home PCs is lost. I won't even get into the Windos vs. Real OS discussion. The point is deeper still: Our homes are safe from burglars because those with the great skills and expert tools don't break into homes, they break into banks.
    Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasable, less risky yet possibly just as profitable as breaking into one bank.

    The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.
  • by taylortbb (759869) <.taylor.byrnes. .at.> on Tuesday October 17, 2006 @01:44AM (#16464209) Homepage
    I must agree with you that people intentionally download things that will harm their machine. I do computer support and I have had more than one client say "But the included smilies aren't good enough, why did you remove my other ones?" after they ask me to make their machine run faster. As long as spyware/adware/botnet software can be distributed with "free" software that users want the problem isn't going anywhere. Once Vista arrives the UAC stuff will help with remote exploits but people wont understand the importance of that "Enter your password to continue" screen and will happily do it if it gets them some new smileys. This is how Linux is so secure, most users understand the importance of their root password and would never enter it into the brower, other than during the initial install.

    On a corporate system where users don't have admin access botnets aren't much of a problem. But on home machines were every user has admin no technological measures will help as long as they can be lowered. As a power user I want to keep my own machine but for many users a subscription PC would be the best idea. They pay per month, don't have admin, and an admin employed by the company you rent the machine from takes care of security. It would be like extending the corporate world into the home. People don't care about security and they're not going to start anytime soon, they don't understand the connection between those smileys and the spam in their inbox.

    It's not surprising people can't fix their own machine, how many people can fix their own car? How many people can even change the oil in their own car? The other option would be for computers to be more like cars. People don't install things in their car, and if they want something installed they take it to the dealer. That would work for most people, pick the software you want with the machine, and take it to authorized service center when you want upgrades. There are people that install things in their own cars, just like there will be people that buy non-locked PCs, but users want easy above all else and if a company could do that by pre-installing everything I think most users would get it.

    The botnet problem wont dissapear but it can be significantley reduced so it wont be a problem.
  • by Animats (122034) on Tuesday October 17, 2006 @02:25AM (#16464461) Homepage

    It's going to hurt. It's going to be painful. But when you're losing a war, you have to take defensive steps that work.

  • by billstewart (78916) on Tuesday October 17, 2006 @03:44AM (#16464809) Journal
    Anything positive you can do to improve computer security by writing a vulnerability-checking bot, you can also do by writing a scanner tool that a legitimate administrator or user can use to check their systems, and the scanner can do it in a way that doesn't overwhelm network resources, doesn't lead to the vulnerable machines you found creating an exponentially increasing number of probes checking other machines causing the checker and checkee machines and the network to grind to a halt, (doesn't decide to run off hunting Sarah Connor), and in general doesn't cause serious headaches for the system admins or the users, and if it has problems (which there's a good chance it does, especially because the targets you're hunting keep changing in malicious ways), you can turn it off, fix the bugs or adjust the features, and start again.

    Want to find and fix any infected machines at work? Build a tool for your sysadmins to find them with, do an audit of the machines that need cleaning to find the *other* things wrong with them as well as identifying those that are running potentially critical activities that need to be salvaged carefully instead of by scorched-earth, and let them use whatever tools are appropriate to fix the holes it finds.

    Want to find and fix the buggy machines on your cable-modem company's network? Build the tool and sell it to them, or give it to them and teach them how to run it. Don't go looking like Yet Another Zombie-Master who's trying to maintain some pretense of legitimacy - if you're going to be legit, be legit, and if your cable company's too clueless to accept your 1337-k3wl program, then build a different program to block packets from your fellow customers or get yourself an ISP that's clueful enough that they don't need your program.

    Want to fix the buggy machines in Korea or the spammer-friendly hosting in China? Go ahead, make their day, but don't tell them *I* said it was a good idea.... And besides, it's really easy to blackhole-route them so you and any machines you control simply don't get packets from there and can't send packets back.

  • by Technician (215283) on Tuesday October 17, 2006 @04:59AM (#16465189)
    I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should. All the computers have AVG installed, but is there something else I can do to check?

    Set a network switch or hub right behind your keyboard so you can see the status lights. If it seems a little busy when you are not doing anything, somebody may be using your computer remotely. I think more computers need the NIC status lights on the front of the monitor, not the back of the PC.
  • by gbjbaanb (229885) on Tuesday October 17, 2006 @06:05AM (#16465549)
    and will happily do it if it gets them some new smileys. This is how Linux is so secure,

    No, Linux is more secure because you don't get those smiley packs for it. That and Linux users aren't generally using it for the smileys and assorted mass-consumer crap that is targetted at Windows users.

    However, if someone produced a tool that the average linux user wanted to use (say, for example a new fancy bittorrent client) that contained some kind of malware, you'd start to see the exact same problems that the windows users have - that you end up deliberately installing the malware. The security risk here is the human aspect, if the attackers find the right buttons to push for linux users, they'll own you just as easily.

    That's just for consumers, admins can be just as bad - I read a web-hosting forum, the number of "my server was hacked and I don't know what to do" posts is appalling, as is the number of questions like "is there any webhost that allows IRC servers?".
  • by The Famous Brett Wat (12688) on Tuesday October 17, 2006 @09:16AM (#16467105) Homepage Journal
    This hurts users when their machines are compromised, encouraging them to secure their systems.

    Or to change ISPs. Or to call the support number, resulting in increased costs for the ISP. It still seems to be in the ISP's rational economic self-interest to ignore bots on their own network.

  • by Hasai (131313) on Tuesday October 17, 2006 @09:23AM (#16467217)
    Trying to stop botnets by taking-down servers is like trying to stop rock-throwing by confiscating rocks.

    An exercise in futility.

    You stop rock-throwing by going after the throwers. If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.

    Ignore the silly botnets and invest the resources to find and punish their creators. Criminal behavior declines only when there is substantial risk of substantial punishment. Until that risk exists, you're just wasting everyone's time.

    'Nuff said.
  • by 99BottlesOfBeerInMyF (813746) on Tuesday October 17, 2006 @12:20PM (#16470937)

    Trying to stop botnets by taking-down servers is like trying to stop rock-throwing by confiscating rocks.

    Or, install shutters on your Windows so you can ignore the rock throwing and hire a security guard to go shoot the rock throwers or drive them off.

    If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.

    The cops often can or will do little in these instances. A lot of the time botnets are rented out by the hour overseas.

    Criminal behavior declines only when there is substantial risk of substantial punishment.

    Actually, studies have shown that risk of punishment is not the most effective way to reduce criminal behavior. Criminals act out of desperation or believe for some reason they won't be caught, or simply think the risk is justified, even when it is often an irrational belief. The risk/reward for being a crack dealer or devoting yourself to pro basketball are both absurd, but there is no shortage of people who try anyway.

    Ethical/moral reasons are actually the best way to motivate a decrease in crime. The vast majority of people will not commit crimes if they don't feel justified in so doing. In fact the number on correlation between rates of robberies and another observed factor is wage disparity. If because of circumstances of birth one person is making billions and another going deeper in debt every year despite the fact that the latter works harder and is smarter than the former, well the latter person feels justified in turning to crime.

    The problem here is simply globalization has made "neighbors" of people with vast wealth disparity. Americans happen to have been born into relative wealth despite being not as intelligent or as dedicated of workers as the self-taught computer programmer in Czechoslovakia. So he feels no ethical obligation to not build a botnet that exploits them. Threat of criminal punishment is a factor, but a pretty minor one.

    Sadly, this does not present any easy solutions for this problem aside from making computers harder to exploit in the first place, but since we don't have a competitive market for desktop OS's, which is the weak link, I don't expect that to be fixed anytime soon. Break up MS into multiple companies and give at least two of the the rights to all the Windows code to date. forbid them from collaborating and enforce it. The botet problem will be eradicated in 3 years on all new computers.

The closest to perfection a person ever comes is when he fills out a job application form. -- Stanley J. Randall