I’ve grown fascinated over the years with various efforts by Internet service providers to crack down on the menace from botnets, large groupings of hacked PCs that computer criminals remotely control for a variety of purposes, from spamming to hosting malicious software and attacking others online. Indeed, the botnet problem has become such a global menace that entire countries are now developing anti-botnet programs in collaboration with domestic ISPs.
One of the more unusual and long-running examples of this is Japan’s “Cyber Clean Center” (referred to hereafter as CCC), a little-known effort by the Japanese Computer Emergency Response Team Coordination Center (JP-CERT) and a collection of 76 Japanese ISPs covering 90 percent of the nation’s Internet users.
Participating ISPs that have customers with botted PCs may send those users an e-mail — and in some cases a letter via postal mail — instructing them to visit the CCC’s Web site, and download and run a cleanup tool developed by the JP-CERT in coordination with Trend Micro, the dominant anti-virus and computer security firm in Japan.
Relatively few of the thousands of U.S.-based ISPs have such programs in place, or if they do then not many have been willing to discuss them publicly. Some notable exceptions are Cox, Comcast (which is rolling out a trial bot infection notification system), and Qwest (if I missed any other biggies, readers please set me straight).
It’s unfortunate that such programs aren’t more widely emulated, because a majority of the world’s bot problem begins and ends here in the United States. According to a recent report (.pdf) by McAfee, the United States is home to the second largest pool of botted PCs — second only to China — and is the world’s biggest exporter of junk e-mail.
Obviously, as with most customer notification schemes, the primary challenge is messaging the user in a way that criminals cannot easily spoof to convince people to download “disinfection tools” that actually infect their systems. But at any rate, I thought the Japanese example was interesting as a regional approach, and so over the past several months I have engaged the CCC folks in a Q&A via e-mail.
Below are some of the questions I asked and answers I received about the CCC program.
BK: About how many customers has the CCC reached over the years?
CCC: Between Nov. 2009 and its inception in Dec. 2006, Japan’s CCC has helped more than a million customers remove bot infections from their PCs.
BK: Is this a manual or automated process?
CCC: The detection of bots, collection, analysis and alerting of affected users is mostly automated.
BK: Is there a direct cost to ISPs for participating? Is it compulsory in any way?
CCC: Involvement is optional for ISPs, but they get the benefit of a system they can provide free of charge to their customers to deal with bot infections.
BK: What is the policy among participating ISPs as to how they deal with customers whose systems are botted? How long do they have to be on the list of problem PCs to get a notice?
CCC: It’s generally up to the ISP on how to deal with infected users. ISPs receive infection notices from the CCC project, but the ISP will follow their own procedures to contact the user. So, the exact means they use to deal with infected customers and the timing is the ISP’s decision.
BK: Is that notice sent via e-mail, or snail mail? Both?
CCC: On the whole, notices are sent via email, but some ISPs are trying to improve on the response rate by using both email and snail mail. Here’s an example of one type of page that notified users might be asked to visit.
BK: Do you think there are particular aspects of Japanese culture that might be a factor in helping this program succeed, such as societal mores that may not be present in other cultures?
CCC: That’s an interesting question. It’s hard to be sure whether or not there are particular cultural traits responsible for the CCC project’s success, though we expected that we might run into some user opposition at the beginning. For example, users asking “Why are they trying to spy on my computer?”, or that infection notices would be interpreted as trying to interfere too much. Even though we’d identified this as a risk, the replies we received expressed thanks, with very little negative feedback. Perhaps this kind of acceptance when an outsider points something out is partly a trait of typical Japanese personalities.
One other difference might be that overseas, anti-bot activities involve law enforcement agencies trying to catch criminals or perhaps focusing on making life difficult for those infected. However, the CCC doesn’t have significant police co-operation. We’re just contacting people who get infected, as well as raising awareness of the problem. Perhaps this kind of approach is also particularly Japanese.
BK: I notice that the rate of downloading disinfection tools by alerted users is 30 percent (cumulative). So that means that for every 10 people notified about a bot on their system, 3 people will respond and download available removal tools? Or could it be that removal tools just aren’t available for the bot that’s on their system?
CCC: From the users who receive the infection reports, around 40% access the CCC website and about 30% download the CCC Cleaner removal tool. In other words, for every 10 people, 4 read the mail and visit the web site. By reading the guide on the CCC Cleaner web site, users can get to grips with the download process. So in answer to your first question, four out of ten people will visit the site, and three out of ten people will download CCC Cleaner. Additionally, the notifications are for users who are already known to be infected with a bot which can be disinfected. Therefore, there’s no chance that the removal tool will be completely useless for a particular user receiving an email.
BK: Does the number of alerts sent pretty closely track the number of bot infections detected? Or are there other factors that trigger when a customer whose machine shows signs of being botted gets notified?
CCC: When an infected user is detected, we send a notification. If the CCC project detects another bot infection after the first notification, another one will be sent.