April 24, 2014


Why So Little Attention to Botnets?

Our collective battle against botnets is going badly, according to Ryan Naraine’s recent article in eWeek.

What’s that? You didn’t know we were battling botnets? You’re not alone. Though botnets are a major cause of Internet insecurity problems, few netizens know what they are or how they work.

In this context, a “bot” is a malicious software agent that gets installed on an unsuspecting user’s computer. Bots get onto computers by exploiting security flaws. Once there, they set up camp and wait unobtrusively for instructions. Bots work in groups, called “botnets”, in which many thousands of bots (hundreds of thousands, sometimes) all over the Net work together at the instruction of a remote bad guy.

Botnets can send spam or carry out coordinated security attacks on targets elsewhere on the Net. Attacks launched by botnets are very hard to stop because they come from so many places all at once, and tracking down the sources just leads to innocent users with infected computers. There is an active marketplace in which botnets are sold and leased.

Estimates vary, but a reasonable guess is that between one and five percent of the computers on the net are infected with bots. Some computers have more than one bot, although bots nowadays often try to kill each other.

Bots exploit the classic economic externality of network security. A well-designed bot on your computer tries to stay out of your way, only attacking other people. An infection on your computer causes harm to others but not to you, so you have little incentive to prevent the harm.

Nowadays, bots often fight over territory, killing other bots that have infected the same machine, or beefing up the machine’s defenses against new bot infections. For example, Brian Krebs reports that some bots install legitimate antivirus programs to defend their turf.

If bots fight each other, a rationally selfish computer owner might want his computer to be infected by bots that direct their attacks outward. Such bots would help to defend the computer against other bots that might harm the computer owner, e.g. by spying on him. They’d be the online equivalent of the pilot fish that swim into sharks’ mouths with impunity, to clean the sharks’ teeth.

Botnets live today on millions of ordinary users’ computers, leading to nasty attacks. Some experts think we’re losing the war against botnets. Yet there isn’t much public discussion of the problem among nonexperts. Why not?

Comments

  1. James Grimmelmann says:

    Out of sight, out of mind. I don’t think most people realize the link between bots and all of the other more visible problems of Internet security.

  2. Matt Otto says:

    Most people do not know that their computer can attack others. Also, if it does not hurt them or make its presence known, then they have no idea they’re even infected. Not many are educated about bots and their perils. The only time they know they are infected is when popups and such slow their computer down and make IE unusable. Then they take precautions to prevent that from happening again. But I doubt they ever understand the true cause or how it slowed down in the first place.

  3. peter honeyman says:

    is it just me, or does this article give anyone else a creepy “terminator” chill? (the rise of the botnets leading to the downfall of humanity …)

  4. Hal says:

    I don’t think any computer owner in the world wants his machine to be infected by bots, along the lines suggested here that a “rationally selfish” owner would believe. This line of argument is IMO a red herring and does not shed light on the issue. If anyone here hopes their machine is infected by bots for this reason, I am eager to hear about it.

  5. Neo says:

    The “bot” I let my computer harbor to defend it against malware is called AVG personal edition. It’s free, just so you know.

    Bots can no doubt get on in two ways: exploits, and hitchhiking virus-style (or spyware-style) on desirable software the user downloads and installs.

    There are two clear points of focus for the counterattack. Antivirus/antispyware/antimalware tools should scan for and remove bots. Hopefully, they by-and-large already try.

    Second is ISPs. Botnet activity is probably detectable, particularly if it takes the form of spam. ISPs can notify users of suspicious activity patterns and suggest they scan their systems. (Unless there’s clear evidence the activity is in fact malicious, they should take no other action; legitimate activity may look “suspicious”, and throttling/cutting off first and asking questions later is bound to harm many uninfected, legitimate customers, with a bias toward harming geeks and power users (more likely to use the net in new or rare but legitimate ways). (The bogeyman scenario here is an ISP using botnet activity detection as an excuse for a defacto blanket ban on p2p or other activity they consider “undesirable” for political, RIAA kickback, or other reasons — an end run around net neutrality, in other words.))

    ISPs (and all third-party email providers) can do an additional thing: blanket block e-mail that comes directly from dial-up or broadband IP ranges. Legitimate e-mail pretty much invariably goes through an ISP’s mail exchange server, rather than coming directly from the sending user’s computer. On the other hand, botnet-originated spam (to my understanding, now the bulk of spam) does come directly. So ignore incoming SMTP from ISP user-machine address ranges and you may drastically reduce incoming spam, and reduce the utility of botnets for spamming purposes because the spam blocking is particularly effective against botnet spam. This reduces the attractiveness of botnets to spammers, and thus demand, and thus the market valuation of botnet access, hitting them directly in the pocketbook. Besides hitting the spammers themselves, and reducing your own incoming spam.

    I’m given to understand there are already lists of such IP ranges maintained for precisely this purpose, but they seem underused, or used only to flag messages with an edited subject, such as by prepending “[bulk] “.
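    A small policy checker for the idea in the comment above (refusing or tagging inbound SMTP from residential address pools while still accepting the ISP’s own mail exchanger). This is an added example, not code from the post or from any ISP; the address blocks are constructed from RFC documentation ranges, and the function names are my own.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample policy. These are documentation ranges standing in for
# an ISP's published dynamic/residential pools and its mail exchanger;
# a real deployment would load the ISP's own published lists instead.
DYNAMIC_POOL = [
    "198.51.100.0/24",     # TEST-NET-2, standing in for a broadband pool
    "203.0.113.0/24",      # TEST-NET-3, standing in for a dial-up pool
    "2001:db8:abcd::/48",  # documentation prefix, IPv6 customer pool
]
ISP_MX = ["192.0.2.25/32"]  # TEST-NET-1 host standing in for the ISP's MX


def parse_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings into network objects; a malformed entry raises."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


DYNAMIC_NETS = parse_ranges(DYNAMIC_POOL)
MX_NETS = parse_ranges(ISP_MX)


def in_any(addr, nets: List[Network]) -> bool:
    # 'in' is False across address families, so mixed lists are safe.
    return any(addr in n for n in nets)


def classify(peer_ip: str, dynamic=DYNAMIC_NETS, mx_hosts=MX_NETS,
             mode: str = "reject") -> str:
    """Decide what to do with an inbound SMTP connection from peer_ip.

    mode="reject": refuse at connect time (the blanket block in the comment)
    mode="tag":    accept but mark the message (the softer "[bulk]" usage)
    Returns "accept", "reject" or "tag".
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "reject"  # unparsable peer address: fail closed
    if in_any(addr, mx_hosts):
        return "accept"  # the ISP's relay carries legitimate customer mail
    if in_any(addr, dynamic):
        return "reject" if mode == "reject" else "tag"
    return "accept"


def apply_tag(subject: str, decision: str, tag: str = "[bulk] ") -> str:
    """Prepend the tag when policy says 'tag'; idempotent on re-delivery."""
    if decision != "tag" or subject.startswith(tag):
        return subject
    return tag + subject
```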

  6. Jim Lippard says:

    I think 5% is probably closer to accurate than 1%, based on what I’ve seen downstream of Global Crossing’s network. I gave a talk on the subject with some of our stats last December for Arizona State University’s Computer Security Awareness Week. I think there’s streaming audio and video of my talk on the site somewhere…

  7. cisco kidd says:

    Based on what I have read, where do I get mine?

  8. Geoff Davis says:

    Hal,

    Though the argument may seem like a red herring, Joe User will not notice that a bot is running on their computer unless it affects him directly. He probably isn’t going to take the time to look around on his computer for evidence that one is running. Remember that most users want to treat their computers like appliances – if it’s not “acting funny”, they are going to assume everything is fine.

    Neo,

    Many ISPs do block their customers from connecting to port 25 on mail servers outside of their network. Time Warner Cable and Earthlink in San Diego both do. This only slows down the dumber bots. However, what’s to stop the bot from being smart enough to open up the configuration files for your email client and grab the settings for your outbound mail server, and impersonate you? This would be entirely trivial to do as a programmer, and I would not be surprised if this isn’t actually already being done for some of the more popular mail clients (Outlook, Outlook Express, Thunderbird, Eudora).

    Once the bot is on your system, it can look at and do whatever it wants. The only solution is to keep it off your system in the first place.

  9. Neo says:

    Bots sending through the proper outbound mail server can’t do so very rapid-fire without instantly raising alarms at the ISP (and probably getting the user kicked off their provider).

  10. enigma_foundry says:

    Well two reasons:

    First, they don’t affect most users’ computers directly, as the attacks used by bot-nets are usually aimed at a few businesses that depend on the net for their connexion to their customers, right?

    Second, the bot-nets won’t help steal the election, since the Diebold machines aren’t networked.

  11. Dan Simon says:

    It’s important to distinguish between two separate problems, which are often lumped together under the label, “botnets”: (1) large, distributed networks of computers coordinated by a central controller, and (2) computers surreptitiously controlled by someone other than their owners/administrators.

    The first problem is only a problem because of the Internet’s underlying lack of accountability, which makes possible the use of botnets to send spam, launch DDoS attacks, and so on. It is also entirely independent of the existence of the second problem: one can imagine a future world where unauthorized use of computers has been rendered impossible by bulletproof security mechanisms, and yet computer owners/administrators nevertheless willingly allow botnets to operate (presumably in VMs or similarly isolated containers), using up spare CPU cycles and bandwidth, in return for some minor benefit to the owner/administrator (use your imagination….).

    This problem doesn’t have a very high public profile because its manifestations so far have not affected large numbers of people. (Spam affects everyone who uses email, of course, but it doesn’t actually depend on botnets for its existence–botnets only make it slightly cheaper and easier to send.) The main victims of this problem are server operators, who must pay through the nose for expensive extra hardware and bandwidth to withstand DDoS and spam floods. They care about the problem a great deal, but they’re also happy to stick to communing with the experts on solutions, rather than raising the problem’s public profile.

    The second problem is a result of weaknesses in end host security, and manifests itself (so far) primarily in the participation of compromised computers in botnets. This problem is also entirely independent of the first problem: one could imagine a future world in which computers are routinely compromised and exploited–say, by being rifled for valuable data–without ever being corralled into coordinated activities of any kind.

    This problem currently has a fairly low public profile because most users simply don’t have enough of value on their computers to make them worry about possible compromises. End host compromise is today chiefly the concern of corporate system administrators worried about industrial espionage or theft of customer information.

    However, I expect all that to change very soon–in particular, as soon as somebody figures out how to scalably monetize online access to large numbers of bank accounts. Currently, draining a bank account using an online banking password harvested from a compromised computer is very hard to do without leaving a clear incriminating trail. But I fully expect that someone will figure out a way in the not-too-distant future. And at that moment, end host compromise will suddenly become a very high-profile problem indeed.

  12. paul says:

    Is it perhaps the case that people don’t talk much about botnets because there’s nothing useful to say? As long as there are zero-day exploits, as long as computers are shipped to naive users in an exploitable state, and as long as the mean time to infection for a net-connected machine is comparable to the mean time to download security patches, there will be botnets.

    I’m leery of the notion that bots will ever be reliably detected by generalized behavioral screens. Once you’ve gotten a critical mass of bots, the amount of malicious behavior that has to emanate from any single machine is arbitrarily small — and in any case, a surveillance system’s understanding of “normal” activity in sending mail or pings or http requests will already have been distorted by bot activity. You’d have to have a pretty good idea of what each user does with a computer, which would mean massive privacy issues. I’d love to be proven wrong on this.

    But just as with credit-card fraud and ATM fraud and identity theft, the question here seems to be: where can we put the liability where it will do the most good?

  13. Larry says:

    Bots are not necessarily malicious. The term bots has been used for years by the AI community to refer to software robots. Is this another instance of “bad” hijacking a word? …hacker v cracker? ;-)

  14. QrazyQat says:

    I think that nonexperts lump bots in with viruses and worms and don’t know about the distinctions. And from a practical standpoint is there really any difference for nonexperts?

  15. Bart says:

    Maybe it’s time we really started going thin-client. Don’t have your computer be able to actually do anything other than work a web browser. Your data files are on Google’s servers, and you use Writely and their other tools to work on documents. When you want to send someone an “email” you just post something to their blog or to your family wiki.

    Email is dead. Long live the king.

  16. TheBajaGuy says:

    The problem I have seen is that large volume e-mail spam scanner providers WON’T implement the hard lines needed to stop the senders in the ISP Pool addresses. I work for a company that does scanning along with other computer and network services, and the issue is the one blocked e-mail that shouldn’t have been blocked that the client complains about. The nail in the elephant’s foot, if you recall that story.

    I’ll toss up some of my thoughts, but there are some things that need to change in the RFCs to fix things for e-mail.

    I realize that dynamic pool addresses make reverse lookup records crazy to rely on, but I think they are the solution to 99% of the issue. I have always felt that if you are a domain owner, and you are >sendingreal unspoken problem

  17. Neo says:

    Bart, you sound like a proponent of all that evil trusted computing stuff. No more freedom to tinker. No more personal ownership of data and the means of production. All of a sudden, all computer users sold into serfdom and forced to rent functionality and storage space (and, no doubt, pay through the nose).

    Yuck. If you want that kind of constrained, controlled system, I suggest moving. You’ll probably love the way they do things in the DPRK.

  18. Ken Simpson says:

    I work for an email security software vendor that specializes in defending against the high concurrency loads created by botnet attacks. Botnets are _the_ problem facing the global email system these days.

    All of our customers have noticed (read the paper here: http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html) an enormous spike in spam volume in the last two months — the cause of which can be debated endlessly.

    The botnet issue requires a serious amount of work on the part of ISPs to resolve. Blocking outbound ports on cable and DSL networks is a very challenging proposition for a large service provider, since it involves setting up complex customer support systems to deal with all the “exceptions.” I think that service providers inevitably will have to deal with the fact that they are the source of most abuse — lest they be blackholed by large email receivers at the Autonomous System level.

    It’s just a question of how long it will take service providers to do this. I spoke with Time Warner’s anti spam manager recently and he said it’s in the pipe, but will take a “long time.”

    Until then, cross your fingers that the botnets don’t become even more sophisticated.

  19. Ku says:

    I have two web-based email accounts, one of which has been around for a very long time, and one of which is fairly new. The old account gets loads of spam, and the provider handles it very nicely. When I moved a year ago, I found out I was not able to get DSL due to distance limitations.

    Being stuck with I purchased a low-end UTM device to put between my network and their network. In a previous life, I did some work internally for a predecessor and found out just how much swiss cheese they used for their security. I still run anti-virus, firewall, anti-malware software on all the machines on my internal network. I like to keep things as clean as possible.

    There are still too many uninformed people out there …

  20. AutoEZL says:

    Splendid work that you did with this site!
    See Ya

  21. Sinae says:

    Is there a way to use botnets to communicate a message to millions of people to wake the fuck up??

    Even if it’s this or that, we will have to do something, and to do something a lot of people will have to go in one good direction!!

    Maybe we could use this for good hihihi, not that I will do it, but a dormant bot would be nice for this.

    Still, it’s scary: a dormant bot could propagate itself for like 10-20 years around the globe and in one moment attack a special place, or just kill the computer of the owner at that moment or after the attack.

  22. Dennis says:

    Great post. Offers some interesting points. However, we don’t think all bots are bad, but just to be safe we run Spybot and antivirus.

  23. Spyware Removal Man says:

    Bots are starting to become more and more common. This is one reason for having a good firewall setup to stop programs from accessing the net even if you become infected. Most people who are infected don’t even know until their ISP kicks them off the net for spamming.