How can we address the growing botnet issue?
The high-profile takedown of the "DNS Changer" botnet, which had control of more than four million machines and generated $14 million of “income,” shows what many in the security industry have known for some time: The botnet problem continues to grow and more coordinated efforts are needed to solve the problem.
Recent research by Kindsight Security Labs showed that 12 percent of home networks are infected on a typical day and that four of the top seven infections in early November 2011 were botnets, including Nineball/Gumblar (#1) and Alureon/TDL/TDSS (#3), which are both malware associated with the DNS Changer botnet.
As more and more computers and devices become infected, consumers often don’t realize that they have been hacked and unknowingly have become part of a botnet. As a result, the U.S. Department of Commerce and U.S. Department of Homeland Security requested information in late September on possible approaches to creating a voluntary industry code of conduct to address the detection, notification and mitigation of botnets.
While there are multiple security techniques to identify and mitigate botnet infections, one of the most effective is signature-based intrusion detection technology embedded in the service provider’s network. With the correct signature set, you can detect real-world malware infections with far greater accuracy and provide a valuable service to the consumer.
Signature-based network intrusion detection is effective because the packaging of malware changes frequently, which makes it difficult for client-based security software to keep up, while the malware’s command and control (C&C) protocols are often built on the same framework and change far less.
For example, a network signature that was designed in 2010 to catch the NineBall and Gumblar infections is still effective against Alureon and DNSChanger, more than a year later. The malware has changed and the names have changed, but the network signature remains the same.
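The contrast the article draws, as an added example that is not Kindsight’s code or signature: three constructed "repacked" variants of one bot family share a made-up C&C beacon format, so a file-hash check catches only the sample already seen while a protocol-level network signature catches all three and ignores normal browsing.

```python
import hashlib
import re

# Constructed sample set: three repacked variants of the same bot family.
# Binaries differ (so hashes differ) but all speak the same C&C protocol.
# Hostnames, paths and values are invented for this example.
VARIANTS = {
    "variant_2010": {
        "binary": b"MZ\x90\x00 packer-A stub ... bot core v1",
        "beacon": (b"GET /a1b2/ctl.php?id=0011223344556677&v=1 HTTP/1.1\r\n"
                   b"Host: cc-example-1.invalid\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    },
    "variant_2011a": {
        "binary": b"MZ\x90\x00 packer-B stub ... bot core v1",
        "beacon": (b"GET /ff00/ctl.php?id=89abcdef01234567&v=3 HTTP/1.1\r\n"
                   b"Host: cc-example-2.invalid\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    },
    "variant_2011b": {
        "binary": b"MZ\x90\x00 packer-C stub ... bot core v1 rebuilt",
        "beacon": (b"GET /0c0c/ctl.php?id=deadbeefcafef00d&v=7 HTTP/1.0\r\n"
                   b"Host: cc-example-3.invalid\r\n"
                   b"Accept: */*\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    },
}
# Constructed benign request, to show the signature does not fire on it.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\n\r\n")

# Host-based check: hashes of samples that have already been analysed.
KNOWN_HASHES = {hashlib.sha256(VARIANTS["variant_2010"]["binary"]).hexdigest()}

# Hypothetical network signature: matches the shape of the beacon (path
# layout, 16-hex bot id, version field, fixed User-Agent), not any one
# server name or binary, so repacking the bot does not evade it.
BEACON_SIG = re.compile(
    rb"^GET /[0-9a-f]{4}/ctl\.php\?id=[0-9a-f]{16}&v=\d+ HTTP/1\.[01]\r\n"
    rb"(?:[^\r\n]*\r\n)*?User-Agent: Mozilla/4\.0 \(compatible; MSIE 6\.0\)\r\n"
)

def hash_detects(binary: bytes) -> bool:
    return hashlib.sha256(binary).hexdigest() in KNOWN_HASHES

def signature_detects(beacon: bytes) -> bool:
    return BEACON_SIG.search(beacon) is not None

def evaluate(variants=VARIANTS) -> dict:
    """Count how many variants each approach flags."""
    return {"hash_detected": sum(hash_detects(v["binary"]) for v in variants.values()),
            "signature_detected": sum(signature_detects(v["beacon"]) for v in variants.values()),
            "total": len(variants)}
```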
Service providers also are ideally positioned for an effective notification and remediation process. As consumers have an ongoing relationship with their service providers, they are more likely to view alerts from their service provider as credible threats and take the recommended action to remove the malware.
Consumers could be sent alerts using email, SMS, mobile apps or interstitials (i.e. warnings added to the next Web page(s) visited) and then directed to a self-service Website with instructions and tools that will help the user remove the botnet infection from his or her system, including:
- A temporary, online scanner that can be downloaded to remove the threat;
- A system-check tool that makes sure the operating system, plug-ins and applications are up-to-date;
- Updated anti-virus software.
However, this infrastructure costs money, so it’s clear that for service providers to move forward they must be free to develop innovative business plans to promote adoption of enhanced Internet security, including the flexibility to either charge for the service, sell additional services or use novel funding approaches, where the service is monetized in other ways.
In the end, to secure a system you need to deploy multiple layers of protection. Adding a network-based component will help ensure that more users know they have been infected and are able to take the steps needed to fix the problem. Any efforts by government or private industry to make this happen should be encouraged as the fight against botnets continues.
Brendan Ziolo is a vice president at Kindsight, a network-based security and analytics provider. He can be reached at: