Editor's Note: Our thanks to Leslie Harris, President and CEO, Center for Democracy & Technology, for writing this guest blog post about botnets.
Botnets are armies of computers that criminals have infected with malicious software so they can control them to remotely to steal information, launch denial-of-service attacks, spread malware and host illegal content. Botnets are one of the most serious threats to Internet security today. They have compromised untold millions of computers – and even DSL routers – worldwide. The Conficker worm alone has infected up to 15 million consumer, business and government computers into a massive botnet in a little over two years.
Botnet armies are built on the computers of regular Internet users who have no idea that their PCs have been compromised and are being used for malicious purposes. In fact, botnets depend on users’ ignorance in order to stay operational. At the same time, the spam, phishing, and denial-of-service attacks that botnets perpetrate may have little or no impact on the compromised users or their ISPs, while wreaking havoc on faraway users connected to entirely different networks.
Botnets take a huge toll on businesses and individuals alike. Botnets were responsible for some 88 percent of spam emails in 2009, according to a MessageLabs report, with more than 23 percent of all global spam originating from a single botnet known as "Grum." Bots were also behind a sizable portion of the 11 million identity thefts in 2009, at a global business cost of more than $220 billion. Less than two weeks ago, security vendors discovered that the Kneber bot had infected at least 75,000 computers at 2,500 companies and government agencies worldwide, collecting login credentials for financial services websites.
The problem is getting worse as online criminal gangs use increasingly sophisticated methods to shield their botnets from detection and disruption. Many botnets update themselves frequently to avoid detection by security software. Others hide malware sites by continually switching compromised proxy hosts. Some recent botnets can even detect attempts to study them online, and then react by directing denial-of-service attacks at the observer.
It is not always clear who has the responsibility and the incentive to clean up botnets so too often they operate unimpeded. In recent months, Comcast has taken on some of that responsibility through its Constant Guard program by proactively alerting and helping its subscribers when their computers have been turned into spam-spewing zombies.
Constant Guard helps users defect from the botnet army
Comcast’s effort to help its customers fight off botnets has several components. The ISP provides the Norton Security Suite to its high-speed Internet customers for free, as well as a toolbar that includes spyware detection and anti-phishing software. Comcast is also testing a program to notify individual customers when it thinks their computers have been compromised. These "service notices," offering instructions on how to diagnose and remove the bot, appear as overlay windows in customers’ browsers.
Proactive notification is a helpful step on the part of Comcast to address what is often the weakest link in online security: users. Most ISPs monitor their networks for spam and viruses, and some offer their subscribers security software for an additional monthly fee. However, as far as I know, Comcast is the first major U.S. Internet service provider to actively reach out to individual users plagued with malware as a free, routine part of its subscriber security services. The vast majority of consumers do not even know what bots are; let alone how to fix their computers if they are saddled with one. With initiatives like Constant Guard, that could begin to change.
Comcast is likely to face some challenges in implementing Constant Guard, however. Fortunately, the company has been transparent about its bot remediation and notification systems, publishing descriptions of both in open standards forums. Comcast should continue to share its experiences publicly as it learns more and modifies its procedures.
One big challenge is bot detection. Detecting bot infections with high accuracy (that is, without falsely identifying infections) is not a simple task, and the detection strategy will likely need to evolve over time. Comcast has initially taken a careful approach based on observing traffic patterns (but not the traffic itself) between users and known bot hosts.
Another challenge lies in potential user confusion when they receive service notices as they go about their normal browsing. Some users may quickly close the notices and go on their way. For those who take a look at the notice, Comcast will have to convince them that the notice itself is not trying to trick them into downloading malware. Purveyors of malware will inevitably copy the service notice and use fraudulent notices to fool users into joining the botnet ranks. Comcast is trying to overcome these issues by providing a "How do I know this notice is from Comcast?" link with the notice. Still, users may understandably be wary of clicking links that point out security vulnerabilities and offer assistance. Comcast is also sending the service notice to the primary account holder’s email address, which is helpful. Comcast could consider taking the additional step of including a service notice in the account holder’s monthly statement, although it would obviously be preferable to get bot issues resolved more quickly than on a month-long timeline.
CDT is actively involved in looking at the question of best practices for ISPs to follow in identifying botnets on their networks and communicating with their customers about compromised computers. CDT’s John Morris is a member of the Federal Communications Commission’s Communications Security, Reliability and Interoperability Council (CSRIC), and is Co-Chair of CSRIC’s ISP Network Protection Practices Working Group working on these issues. A number of leading ISPs, including Comcast, are participating in the working group.
Reducing the threat of botnets requires action from many parties, including ISPs, law enforcement, and end users. While service providers and law enforcement should continue to go after cybercriminal gangs and their nefarious domains, other service providers should follow Comcast’s lead and reach out to end users, not just by making educational resources available, but through direct contact to infected subscribers for free. If users heed such direct warnings and take the time to clean out their systems, this dual strategy – attacking the heads and the limbs of the zombie masters – will make significant progress in ridding the Internet of these pests.