Is the Botnet Battle Already Lost?

An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."

If you're gonna go to all that trouble . . .

[thesoffish]

Why not just physically unplug your computer from the network?

A modest proposal

[caitsith01]

I am no expert in this area, but a thought occurs.

Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?

It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").

The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.

Of course this may already be the approach taken - I don't know much about the field, as I say.

Come on folks, "lost"??!

[swordgeek]

The so-called botnet battle is no different than the war on spam or the anti-virus front, or any of the others.

It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.

This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.

But convincing people to work together is impossible, so we might as well get used to it.

It's simple. They don't care.

[PhiRatE]

The simple problem with the fight against botnets is that it's asymmetric, and not in our favor. The bots are in a place that is particularly difficult for someone attempting to dismantle the network to reach, the property of someone else. It's not the technical problems that make a botnet so difficult to dismantle, but the legal ones.

The botnet creators don't give a damn, their objective involves breaking the law (where there is one) in order to hijack someones computer. Someone attempting to destroy the botnet is likely to be atempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromise machines, many of which:

a) are difficult or impossible to contact
b) don't speak your language
c) don't understand anything about the problem
d) don't care

Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command), however botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure resistant networks of cooperating nodes is a well researched area and at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.

They're here to stay, there is no practical non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and lets face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch applicance like systems in the future which will continue to be exploited.

As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, Stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like tipping-point that will give them a head start on deflecting the inbound traffic. That's about it.

Re:We need a really big lawsuit against Microsoft

[Geoffreyerffoeg]

Attachments are converted to .odf or .png, as appropriate.

There are many applications which require macros to be present in Word documents. If you translate the macros to ODF's format (does it even support macros?), you've gained nothing. If you don't, you've caused confusion for many customers. And as far as converting images, how do you ensure the buffer overflow (or worse, the WMF arbitrary-code loophole in the specification - this wasn't technically a bug in the parser) isn't present on the firewall itself? I would think a rooted client machine is much better than a rooted firewall.

No more "Web 2.0"; those sites just stop working.

There are quite a few Web 1.5 sites that critically depend on JS, Flash, Java, etc. Facebook loses a lot if you even have just a partial JS interpreter (and I have seen it happen), and Facebook's coding is arguably not 2.0. Yahoo passwords lose a lot of their security if you disable JS, because then you can't do any sort of key challenges - you have to send the password itself, HTTPS or not. Etc.

Web browsing to secure sites via SSL is only permitted if the site has a SSL cert that is a high-grade "we really know who this is" cert.

You have locked out many universities (MIT is a major one; OU and UL also come to mind) that do not feel like paying a 3rd-party commercial company to certify their identity when they can just pass out root certificates.

TCP port 80 is all you get outgoing. Incoming, forget it. UDP, forget it. If you want to message, use the phone.

Wonderful. No e-mail. No file sharing. No VPNs. No intranets. Web-only is fine for home users on AOL. Home users who do anything else, and corporate users, need other ports.

Your internet-café machines are far more usable than your "normal use" machines at this point.

Re:Maybe I'm being complacent, ...

[bcrowell]

However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming.
A serious question, then: what do you think makes your outcome different from the outcome experienced by the people who are getting their machines owned? I don't know the answer, because I don't run Windows, but I could speculate:

Is it because they intentionally download stuff that infects their machine with spyware? If so, then maybe security is too difficult for them, because they aren't technologically sophisticated enough to realize that this is a bad idea, and maybe MS is helping to make it too difficult for them, by creating a culture where it's normal for every user to run with unlimited privileges.

Another possibility is that they aren't sophisticated to realize that the simple, commonsense measures you've taken (a router/firewall, doing updates) would be more sensible than measures such as buying anti-virus software, or taking their computer to Circuit City to get it fixed when it "gets slow."

I think the real problem is that a lot of people own more computer than they need. All they really need is a word processor, e-mail, and a web browser. They really don't need a general-purpose computer at all, and don't have the skills needed to maintain one. They might be better off with an internet appliance, or a thin client. The problem is that they don't understand how much they don't understand. It's like the people who have to own a Harley Davidson because it's cool, even though it's an utterly impractical motorcycle for what they want to do.

larger battle

[Tom]

This isn't a battle for/against botnets. They're just the symptoms. What this really means is that the battle to have secure home PCs is lost. I won't even get into the Windos vs. Real OS discussion. The point is deeper still: Our homes are safe from burglars because those with the great skills and expert tools don't break into homes, they break into banks.
Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasable, less risky yet possibly just as profitable as breaking into one bank.

The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.