Is the Botnet Battle Already Lost? 374
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
If you're gonna go to all that trouble . . . (Score:5, Insightful)
Re:We need a trusted network of ISPs (Score:1, Insightful)
A modest proposal (Score:5, Insightful)
Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?
It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").
The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.
Of course this may already be the approach taken - I don't know much about the field, as I say.
Re:We need a really big lawsuit against Microsoft (Score:4, Insightful)
Re:Maybe I'm being complacent, ... (Score:4, Insightful)
The cry of "I know, let's invent a computer that is smart enough to maintain itself!" was heard in the boardroom, and thus SkyNet was born - with the dual mission of perfecting itself and eradicating the useless humans that weren't even able to maintain it!
Come on folks, "lost"??! (Score:5, Insightful)
It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.
This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.
But convincing people to work together is impossible, so we might as well get used to it.
It's simple. They don't care. (Score:5, Insightful)
The botnet creators don't give a damn, their objective involves breaking the law (where there is one) in order to hijack someones computer. Someone attempting to destroy the botnet is likely to be atempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromise machines, many of which:
a) are difficult or impossible to contact
b) don't speak your language
c) don't understand anything about the problem
d) don't care
Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command), however botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure resistant networks of cooperating nodes is a well researched area and at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.
They're here to stay, there is no practical non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and lets face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch applicance like systems in the future which will continue to be exploited.
As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, Stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like tipping-point that will give them a head start on deflecting the inbound traffic. That's about it.
Re:We need a really big lawsuit against Microsoft (Score:5, Insightful)
There are quite a few Web 1.5 sites that critically depend on JS, Flash, Java, etc. Facebook loses a lot if you even have just a partial JS interpreter (and I have seen it happen), and Facebook's coding is arguably not 2.0. Yahoo passwords lose a lot of their security if you disable JS, because then you can't do any sort of key challenges - you have to send the password itself, HTTPS or not. Etc.
You have locked out many universities (MIT is a major one; OU and UL also come to mind) that do not feel like paying a 3rd-party commercial company to certify their identity when they can just pass out root certificates.
Wonderful. No e-mail. No file sharing. No VPNs. No intranets. Web-only is fine for home users on AOL. Home users who do anything else, and corporate users, need other ports.
Your internet-café machines are far more usable than your "normal use" machines at this point.
Re:Maybe I'm being complacent, ... (Score:5, Insightful)
However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming.
A serious question, then: what do you think makes your outcome different from the outcome experienced by the people who are getting their machines owned? I don't know the answer, because I don't run Windows, but I could speculate:
Is it because they intentionally download stuff that infects their machine with spyware? If so, then maybe security is too difficult for them, because they aren't technologically sophisticated enough to realize that this is a bad idea, and maybe MS is helping to make it too difficult for them, by creating a culture where it's normal for every user to run with unlimited privileges.
Another possibility is that they aren't sophisticated to realize that the simple, commonsense measures you've taken (a router/firewall, doing updates) would be more sensible than measures such as buying anti-virus software, or taking their computer to Circuit City to get it fixed when it "gets slow."
I think the real problem is that a lot of people own more computer than they need. All they really need is a word processor, e-mail, and a web browser. They really don't need a general-purpose computer at all, and don't have the skills needed to maintain one. They might be better off with an internet appliance, or a thin client. The problem is that they don't understand how much they don't understand. It's like the people who have to own a Harley Davidson because it's cool, even though it's an utterly impractical motorcycle for what they want to do.
larger battle (Score:5, Insightful)
Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasable, less risky yet possibly just as profitable as breaking into one bank.
The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.
Re:Maybe I'm being complacent, ... (Score:3, Insightful)
On a corporate system where users don't have admin access botnets aren't much of a problem. But on home machines were every user has admin no technological measures will help as long as they can be lowered. As a power user I want to keep my own machine but for many users a subscription PC would be the best idea. They pay per month, don't have admin, and an admin employed by the company you rent the machine from takes care of security. It would be like extending the corporate world into the home. People don't care about security and they're not going to start anytime soon, they don't understand the connection between those smileys and the spam in their inbox.
It's not surprising people can't fix their own machine, how many people can fix their own car? How many people can even change the oil in their own car? The other option would be for computers to be more like cars. People don't install things in their car, and if they want something installed they take it to the dealer. That would work for most people, pick the software you want with the machine, and take it to authorized service center when you want upgrades. There are people that install things in their own cars, just like there will be people that buy non-locked PCs, but users want easy above all else and if a company could do that by pre-installing everything I think most users would get it.
The botnet problem wont dissapear but it can be significantley reduced so it wont be a problem.
It's going to hurt. (Score:3, Insightful)
It's going to hurt. It's going to be painful. But when you're losing a war, you have to take defensive steps that work.
Legitimate Scanners can accomplish the same things (Score:3, Insightful)
Want to find and fix any infected machines at work? Build a tool for your sysadmins to find them with, do an audit of the machines that need cleaning to find the *other* things wrong with them as well as identifying those that are running potentially critical activities that need to be salvaged carefully instead of by scorched-earth, and let them use whatever tools are appropriate to fix the holes it finds.
Want to find and fix the buggy machines on your cable-modem company's network? Build the tool and sell it to them, or give it to them and teach them how to run it. Don't go looking like Yet Another Zombie-Master who's trying to maintain some pretense of legitimacy - if you're going to be legit, be legit, and if your cable company's too clueless to accept your 1337-k3wl program, then build a different program to block packets from your fellow customers or get yourself an ISP that's clueful enough that they don't need your program.
Want to fix the buggy machines in Korea or the spammer-friendly hosting in China? Go ahead, make their day, but don't tell them *I* said it was a good idea.... And besides, it's really easy to blackhole-route them so you and any machines you control simply don't get packets from there and can't send packets back.
Re:How do you know if you've been rooted? (Score:3, Insightful)
Set a network switch or hub right behind your keyboard so you can see the status lights. If it seems a little busy when you are not doing anything, somebody may be using your computer remotely. I think more computers need the NIC status lights on the front of the monitor, not the back of the PC.
Re:Maybe I'm being complacent, ... (Score:3, Insightful)
No, Linux is more secure because you don't get those smiley packs for it. That and Linux users aren't generally using it for the smileys and assorted mass-consumer crap that is targetted at Windows users.
However, if someone produced a tool that the average linux user wanted to use (say, for example a new fancy bittorrent client) that contained some kind of malware, you'd start to see the exact same problems that the windows users have - that you end up deliberately installing the malware. The security risk here is the human aspect, if the attackers find the right buttons to push for linux users, they'll own you just as easily.
That's just for consumers, admins can be just as bad - I read a web-hosting forum, the number of "my server was hacked and I don't know what to do" posts is appalling, as is the number of questions like "is there any webhost that allows IRC servers?".
Re:It's simple. They don't care. (Score:4, Insightful)
Or to change ISPs. Or to call the support number, resulting in increased costs for the ISP. It still seems to be in the ISP's rational economic self-interest to ignore bots on their own network.
Why? Because there's NO PENALTY! (Score:3, Insightful)
An exercise in futility.
You stop rock-throwing by going after the throwers. If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.
Ignore the silly botnets and invest the resources to find and punish their creators. Criminal behavior declines only when there is substantial risk of substantial punishment. Until that risk exists, you're just wasting everyone's time.
'Nuff said.
Re:Why? Because there's NO PENALTY! (Score:3, Insightful)
Trying to stop botnets by taking-down servers is like trying to stop rock-throwing by confiscating rocks.
Or, install shutters on your Windows so you can ignore the rock throwing and hire a security guard to go shoot the rock throwers or drive them off.
If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.
The cops often can or will do little in these instances. A lot of the time botnets are rented out by the hour overseas.
Criminal behavior declines only when there is substantial risk of substantial punishment.
Actually, studies have shown that risk of punishment is not the most effective way to reduce criminal behavior. Criminals act out of desperation or believe for some reason they won't be caught, or simply think the risk is justified, even when it is often an irrational belief. The risk/reward for being a crack dealer or devoting yourself to pro basketball are both absurd, but there is no shortage of people who try anyway.
Ethical/moral reasons are actually the best way to motivate a decrease in crime. The vast majority of people will not commit crimes if they don't feel justified in so doing. In fact the number on correlation between rates of robberies and another observed factor is wage disparity. If because of circumstances of birth one person is making billions and another going deeper in debt every year despite the fact that the latter works harder and is smarter than the former, well the latter person feels justified in turning to crime.
The problem here is simply globalization has made "neighbors" of people with vast wealth disparity. Americans happen to have been born into relative wealth despite being not as intelligent or as dedicated of workers as the self-taught computer programmer in Czechoslovakia. So he feels no ethical obligation to not build a botnet that exploits them. Threat of criminal punishment is a factor, but a pretty minor one.
Sadly, this does not present any easy solutions for this problem aside from making computers harder to exploit in the first place, but since we don't have a competitive market for desktop OS's, which is the weak link, I don't expect that to be fixed anytime soon. Break up MS into multiple companies and give at least two of the the rights to all the Windows code to date. forbid them from collaborating and enforce it. The botet problem will be eradicated in 3 years on all new computers.