
Péter Höltzl - IT security advisor
"Here is the new botnet that dwarfs even Storm" - wrote the press not so long ago. Let's see what botnets really are!
A "botnet" (en.wikipedia.org/wiki/Botnet) is a network of zombie computers infected with viruses or worms that its controllers use for evil purposes. There are billions of infected computers, and the size of a single botnet can reach tens of millions of machines. The "owners" of the network use the devastating power of the botnet for attacks and other misdeeds: usually spamming, cracking e-mail databases, performing distributed denial of service (DDOS) attacks - or blackmailing with the threat of a DDOS. Of course, the zombie machines are not performing attacks all the time; they try to remain invisible, even hiding for weeks or months without any sign of activity, while also working on infecting other computers. Notice the similarity with well-intentioned distributed computation projects that build supercomputer capacity out of the idle processing time of millions of contributing computers. The best-known such project is SETI@home, which looks for messages from alien civilizations in the radio waves received from space.
Botnets have remarkably evolved during the last few years, which makes defense against them very difficult.
Earlier, simple ICMP messages (the control protocol of TCP/IP networks; for example, the "echo request" message is used to check whether a particular computer is online at the moment) were used to control the botnets. Later, IRC channels and other instant-messaging systems (like MSN and ICQ) were used to control the army of zombies. Today botnets communicate on a peer-to-peer basis, the same technology used by the well-known file sharing networks. These new technologies make it difficult to block botnets, because they no longer have a single command center. Unfortunately, the "services" of botnets are commercially available over the web, and they do have customers. Your mailbox is the evidence for that.
But why is it bad for us?
Spam sent from botnets is annoying for everyone, but attacks that paralyze companies seemingly do not affect us. (Some even rejoice at such news.) Contrary to common belief, however, we are all victims. Spam and phishing mail fill our mailboxes every day, and it takes effort, time and tools to make them go away - which essentially means cost. They fill up the logs on the servers as well, generating false or real incidents in our network intrusion detection systems (nIDS). About 90% of e-mails transmitted through the Internet are spam, meaning that companies often have to maintain ten times the capacity that would really be required.
If a worm infiltrates our infrastructure and starts spamming from our network, we can end up on an e-mail blacklist (a so-called RBL), which can result in serious losses.
But the real danger of botnets is that anyone can become a victim, even if you take every measure to protect your network. In contrast with traditional viruses, botnets do the most harm to those they are used against, not to the infected computers. A well-executed DDOS attack can block IT systems for hours, even days, causing great losses not only to the affected organization but indirectly to the entire economy. The global economic system runs at full speed and has become extremely volatile; the outage of a few elements can have catastrophic results, and its effects can quickly spread to other regions and fields of industry.
In the not too distant past, the first comprehensive attack against a country was carried out, which we can regard as a major test, or even a demonstration of power. On January 5, 2008, the IT systems of about 3500 Belarusian companies collapsed at the same time as the result of a coordinated DDOS attack. Authorities were not able to identify the attackers, although the networks of certain Russian Internet Service Providers were found to be involved.
The question is: is there any protection against such attacks?
From a legal perspective, there is not much to do. Botnets are like the Internet: they do not respect country borders. Law and politics do.
There is nothing the law can do about a botnet controlled from a remote country, and even if it could, it would only be some after-the-fact remedy. The real solution would be to develop software to higher quality standards, but this is not in the interest of most software development companies, because the market demand for it is low (high-quality software here means properly designed and tested applications, but these take time and money to develop).
Just as countries around the world are taking legal steps against the monopolies of certain software developers, they could demand more secure and better tested products. A good example of such a step is making ABS (Anti-lock Braking Systems) mandatory in cars sold in the EU.
We can use preventive methods and strict firewall policies that delay the catastrophe, but there will always be covert channels, and you simply have to use some protocols when running a company. Only wire cutters and pulling the power plug from the wall guarantee one hundred percent protection.
An interesting idea is to create "good" worms that use the same vulnerabilities that botnets do, infect the same computers, and remove the viruses and worms. Obviously, this could not completely eliminate botnets, but shrinking a botnet below a critical size would be sufficient. While technically sound, this approach raises many legal and ethical issues. (And I would be interested in how long it would take for a "bad botnet that kills the good botnet" to appear.)
1 comment:
I like this blog very much, keep it up.