Limelight kills botnets better than cops do
Botnet operators have become public enemy number-one as consumers, businesses and governments fall foul to identity theft, DDoS attacks and spam. Yet no one appears to be able to stop the spread of bots -- except maybe the media.
After a year in the limelight, it appears the operators behind the Storm worm botnet have shut-up shop or are laying low. Well, for now at least.
At the height of its rein, Storm was the top spammer in the world, responsible for around 21 percent of all spam. As 70 percent of all spam is generated by botnets, this is pretty good reach when you consider that as many as five million machines were under its control. But they were the good old days for Storm. Now, according to Bradley Anstis of Marshal security, Storm accounts for just two percent of the spam the company captures.
So what has caused this? Why has Storm become a shell of its old self? Was it AV vendors improving their software to stop the spread of malware used to harvest bots? Was it the police cracking down on botnet operators that has caused Storm's owners to duck for cover? Did the ISPs suddenly decide to protect us with clean pipes? Or was it you, reader, creating a groundswell of interest in the botnet operator's activities that caused them to shrivel?
Normally users get the blame for the spread of botnets. You're either unpatched or not using the adequate security measures to protect your system, a security vendor will say. Bruce Schneier, on the other hand blames security vendors for over-promising and under-delivering.
Others blame ISPs for not providing clean pipes and allowing botnets to flourish unfettered. ISPs however seem only interested in protecting themselves through such initiatives as Arbor Network's Fingerprint Sharing Alliance. These help mitigate against the risk of a denial of service attack, such as that inflicted on NAB in 2006, but this only frustrates one aspect of a botnet operation -- DDoS -- leaving the rest of the world with spam and more malware.
Telcos, like ISPs, won't take responsibility for bots, but they will sell discounted antivirus software to customers. And your bank will sell you discounted AV software even if you're not a customer!
But while these initiatives may be worthy in their own right, they are one-dimensional responses in contrast to the effect of media coverage. During various conversations with security experts and analysts, the one thing I hear about botnet operators is that they don't want to be seen -- enter the media with spotlight.
A good analogy of a botnet operator's relationship to the world was given to me by IBRS security analyst, James Turner. He said: "Snipers hate the spotlight; they only work if you can't see them and you don't know where they are. The minute their position is revealed, they become ineffective."
Of course, this doesn't mean that a botnet will stay down forever. Its operators may go into hiding but recent Valentine's Day spam activity, which the FBI suspects is the work of the Storm gang, shows that a botnet is always ready to rear its head again. And with new botnets such as Mega-D on the rise there's no time to rest.
The battle continues and I hope my coverage of this goes some way to forcing this scourge of the Web off the face of the planet.