ISPs accused of ignoring botnet invasion
Internet Service Providers are in the perfect position to kill vast armies of compromised computers -- or bots -- that are being used by cyber-criminals to launch the majority of spam and phishing attacks, according security specialists at the AusCERT 2006 conference.
Botnets are vast groups of Windows-based PCs that have been infected with a Trojan or virus that allows the computer to be illicitly controlled from a remote location. Bot armies comprising of between 10,000 and 100,000 bots are openly advertised for hire on newsgroups located in the darker corners of the Internet.
The majority of these bots are home computers that are connected to the Internet over a broadband link such as ADSL or Cable, which means all the malicious traffic initially passes through the network of each individual bots' ISP.
Mark Sunner, CTO of MessageLabs, said that ISPs have been hiding from this problem and have a "duty of care" to protect their customers in a similar way to the water utilities.
"In the same way as you wouldn't expect to boil your own water before you could use it, in an Internet sense that is what everyone is left to do," Sunner told ZDNet Australia in an interview. "You could say ISPs are pumping out the equivalent of raw sewage and saying 'you sort it out, it is your problem'."
Mikko Hyppönen, chief research officer of F-Secure Corporation, who flew to Queensland from Helsinki especially for the conference, said that botnets are "probably the single largest problem we have in the computer security area" and lashed out at ISPs for "not doing much at all".
"Even when ISPs know they have bots in their network -- and any ISP has lots of bots -- most of them simply ignore it. I think that is the key issue and this issue is not going to go away," Hyppönen told ZDNet Australia.
However, Hyppönen said he understands why ISPs have generally taken a hands-off approach and tried to explain the problem.
"If somebody tells [an ISP] that this IP address -- which for example belongs to some grandmother in Queensland -- is a bot, what do they do? Most ISPs simply disconnect the IP address, which means the grandmother can't go online.
"She will spend the next two days trying to figure out the problem herself and then call support. This is what happens:
Grandmother: Hello -- I can't go online.
ISP helpdesk: That's because you have been disconnected
Grandmother: Why have I been disconnected?
ISP helpdesk: Because you have a bot
Grandmother: What is a bot?
ISP helpdesk: Long discussion happens
Grandmother: Ok too bad, so what do I do about it?
ISP helpdesk: You have to apply patches to your computer.
Grandmother: How do I do that?
ISP helpdesk: Well... err. You go to your friend's computer, download the patches to a CD ROM...
"It gets really long and tedious and very expensive. So it is probably cheaper for ISPs to take the heat, keep the bots there and ignore the problem than have the support nightmare of helping the grandmothers of the world to patch their disconnected Windows boxes and install antivirus and firewalls," said Hyppönen.
According to MessageLabs' Sunner, ISPs do not believe that their customers will be willing to pay for the additional costs of adding filtering services and are not willing to take the risk because consumers are notoriously disloyal when it comes to sticking with an ISP.
"The problem is that from [the ISPs] perspective is that to have filtering of any kind costs something. They think the customers don't want to pay for it but the actual reality is if users did think they could have some form of protection they probably would pay for it," said Sunner.
Both MessageLabs and F-Secure have devised products and services that are specifically designed to help ISPs fight the botnet problem but Hyppönen warns that botnet creators are already developing stealthier botnets, which communicate using encrypted traffic and are much more difficult to recognise.
"We will see better hidden bots because when the bad boys realise that they can't build them as easily as they could, they will change ... we found last month this one botnet that was being controlled using encrypted peer to peer traffic. That is going to be much harder to detect.
"It is going to be a cat and mouse game," added Hyppönen.
Munir Kotadia travelled to the Gold Coast as a guest of AusCERT.