May 29, 2012

The Obama administration will hold a public meeting at the White House on Wednesday to discuss industry and government efforts to combat botnet activity. Among those is a pilot program to share information about botnet victims between banks and Internet service providers, according to sources familiar with the event.

The gathering will draw officials from The White House, US Department of Commerce and Department of Homeland Security, as well as private-sector executives from an entity formed in February called the Industry Botnet Group. The IBG counts among its members trade associations, companies and privacy organizations that are working to create a voluntary model that ISPs can use to notify customers with infected computers.

Although a number of ISPs already notify customers of bot infections, there is no uniform method for reporting these events. Attendees at Wednesday’s meeting are expected to announce — among other things — an information sharing pilot between ISPs and financial institutions that are part of the Financial Services Information Sharing and Analysis Center, an industry consortium dedicated to disseminating data on cyber threats facing banks.

The pilot to be announced this week will draw on a nascent extension of IODEF, an Internet standard developed by the Anti-Phishing Working Group to share data about phishing attacks in a common format that can be processed automatically and across multiple languages.

The event will coincide with a workshop being held Wednesday by the National Institute of Standards and Technology, regarding the technical aspects of botnets.

Botnets are the engines driving nearly all criminal commerce on the Internet today, from spam, to malicious software and e-banking heists. Botnets also are the weapon of choice for launching distributed denial of service (DDoS) attacks aimed at knocking targets offline. In some cases, crooks conducting cyberheists against businesses have been launching DDoS assaults against the victim’s bank — as in the case of account takeovers involving the Gameover Trojan. Prolexic, a company that specializes in tracking and blocking DDoS attacks, recently said it logged an almost threefold increase in the number of attacks against its financial services clients during Q1 compared to Q4 2011.

This Web site has occasionally been the target of DDoS attacks. Last week, an army of more than 120,000 systems attacked, knocking it offline for several hours. Imagine Michigan Stadium entirely filled with sick computers instead of people, and you have some idea of the size of the zombie horde that marched on my site (there would still be about 5,000 to 10,000 computers left without seats).

25 thoughts on “White House Aims to Stoke Botnet Fight

  1. Michael Jones

    In the book “Worm: The first digital world war” author Mark Bowden describes how the Conficker working group tracked a worm which could have created the largest botnet ever. In this book it was clear that the federal government had no idea what was going on. I hope a lot’s changed since then!

  2. Jack Duggan

    I saw that your site was down and conjectured that it might have been related to your posting the previous day.

  3. JimV

    “coincide with a workshop behind held”

    I think you meant to write “being held”, but since most government efforts in cybersecurity (with the possible exception of the Stuxnet and Flame malware) always seem to be ‘behind the 8-ball’, ‘behind the curve’ or ‘behind the bad guys’, perhaps the mixing of metaphors was just due to flying fingers at the keyboard as the brain moved on to more important things…

  4. Terry Ritter

    There is ample reason to be discouraged about the bot situation, because a solution would require more than just doing the old things harder. The problem is getting worse, and firewalls, patching and anti-virus scanning are never going to solve it.

    OK, so what is the problem? The bot problem is that remote bad actors are able to insert their instructions into user systems, and have that code run on each session.

    Are we going to be able to find and stop all the bad actors? No.

    Can we identify all the points of entry and close them? No, because the range of possibilities is huge, and the ones used can and do change rapidly.

    Is it possible to build an operating system which, by itself, can resist attack? No, because an OS is large and complex and errors are inevitable. Then, when the OS is subverted, the bot “owns” all the permissions and protections in the OS, and does what it wishes.

    Which leaves the “infection,” the ability to have the bot come back on later sessions. To infect, the running malware needs to install bot code into the OS or some file which will be executed after startup. To install a bot, the malware has to change the stored OS program code. Finally we have something which can be prevented.

    The system I use is Puppy Linux, from DVD, on a computer without a hard drive. I present it not as a solution, but as a working example. The OS loads completely from DVD into memory and then the DVD can be removed. Operations and applications are fast. I am using it now, and it is very reasonable for me.

    This sort of “thin client” system does require considerable flexibility and willingness to use “cloud” resources. Without a hard drive, local work is not automatically saved. But it really is not all that hard to save online when desired. I have been doing this for years.

    Absent a writable drive, the OS does not become infected. And when a single infection leads to many malware sessions, it is the infection which is the main problem. Prevent the infection and malware only runs on those few sessions where it somehow gets in. Not a perfect solution, but a manageable result. Users just reboot from the DVD before doing online banking.

    The Puppy approach would not work well for many people. What it is, is a working demonstration that infection can be managed and almost completely prevented in practice. It is a demonstration that our equipment and OS are part of the problem. The problem has been around for decades, but our new equipment is still not secure. Design and build systems that prevent infection, and you generally solve the problem. It has not taken 2 decades of reasoning to get to this insight, and yet we still have what we have.

    Since the computer companies have been unable to protect us, I suggest that the government type-approve computer equipment to be “difficult or impossible to infect.” That would mean computers, of course, but also routers, networked printers, cell phones, tablets, and everything else. Then we have a handle on the problem.

    I have written extensively on this for years, both here and on my pages, including a response to the US Government on bots:

    So far, nothing has changed, which is ample reason to be discouraged.

    1. AlphaCentauri

      But the topic of this article is dealing with OTHER people’s computers that are already infected, other people who would have no earthly idea what you mean by “the OS loads completely from DVD into memory.” Keeping your own little plot of internet real estate trojan-free still won’t protect you from being DDoS’d by all the other bots.

    2. Neej

      “… is a working demonstration that infection can be managed and almost completely prevented in practice.”

      “The Puppy approach would not work well for many people.”

      I wouldn’t call “not working well” a very good demonstration of managing and preventing malware infection in practice. Your method does considerably lower risk of course.

      There is a balance between testing complex software such as operating systems or email clients for security holes and commercial practicality that must be met. No vendor wishes to release insecure software and more testing could be carried out. But to test every possible permutation and scenario would mean software would either almost never be released or be prohibitively expensive.

      1. Terry Ritter

        @Neej: “I wouldn’t call “not working well” a very good demonstration of managing and preventing malware infection in practice.”

        The demonstration shows that various claims like “our equipment is as good as it can be” or “the users cause the problems” are clearly false. The problem is not the users, it is instead the system design; the hardware and software.

        The demonstration presents one valid solution, presumably out of many. The demonstration also shows that complex cryptography and centralized software certification are not needed to address the bot infection problem.

        “There is a balance between testing complex software such as operating systems or email clients for security holes and commercial practicality”

        The reality is much worse than that: It is literally impossible to test for every possible error.

        The idea that OS code should be protected by hardware is clear and testable. A wide range of system designs could embody the same basic concept.

    3. Adrian G

      Isn’t the main issue with this approach the difficulty of patching the OS/apps? Unless you recut the image at frequent intervals (and what proportion of users will do that?) then you would soon find yourself running with a number of known exploitable vulnerabilities.

      Slammer showed that local persistance is not necessary in a networked environment – you could clean a Slammer infected PC by simply rebooting it (much like in your proposal), but it would get reinfected, often within seconds, when it reconnected a network containing other infected machines.

      Also, there are other opportunities to get persistance, either locally (e.g. infecting the BIOS), or remotely (e.g. infecting documents stored on your cloud storage, or by infecting the BIOS).

      1. Terry Ritter

        @Adrian G: “Isn’t the main issue with this approach the difficulty of patching the OS/apps?”

        The reason I keep mentioning Puppy, as opposed to Linux in general, is that Puppy has the ability to update a “multisession” boot CD or DVD with an additional “session.” So first boot from DVD, then immediately update e.g., browser and add-ons. Then do a manual “save,” which writes only new files to a new session on the DVD. The DVD thus archives all versions of each file. Subsequently, at boot time, only the latest copy of each file is loaded. After a boot or a save, the DVD can be removed. This works.

        “you could clean a Slammer infected PC by simply rebooting it…but it would get reinfected”

        The worm era is the reason we now have firewalls, and ended when Microsoft enabled their firewall by default. Basically, the worm exploits an exposed fault, which we then have to fix, and which we have fixed. Absent that fault, malware needs some other way to run on future sessions, which is the infection problem we now have.

        “Also, there are other opportunities to get persistance, either locally (e.g. infecting the BIOS)”

        It is a little difficult to put all possibilities in a blog comment, but you will find that in my earlier work. In my view, it will be necessary to have new hardware to read and possibly rewrite flash contents for any flash BIOS on any board. This is a serious issue, but not the problem we currently have, at least as far as we know.

        “or remotely (e.g. infecting documents stored on your cloud storage”

        The idea that documents can infect is an artifact of a Microsoft philosophy which has caused endless trouble. Fortunately, those issues can be identified and patched, and, presumably, most of that has been cleaned up by now. We cannot expect to patch our way out of bot infections.

  5. Uzzi

    Hold software companies liable for their products: developers of commercial OS could know what’s going on and which licenses are hijacked.

    If developers want to they could pop up a warning in their OS to tell users something went wrong, just like AV developers do.

    The hardware industry must tell people not to dry their animals in microwaves and to keep small parts away from toddlers… But if it comes to OS software the developers don’t tell their customers how to verify if clicking on a file with a specific hashcode is safe nor do they update their own outdated software. They just suggest installing anything could be unsafe and stop support just after a few yeaws.

    Yes, I know it was such a wonderful life just collecting all that easy money and let the ISPs care for infected PCs and let them explain dumbasses how to set up machines anew: If OS was on a chip… let’s say a ‘w32pentOSium’ and let’s assume there are some hundred vulnerabilities e.g. FDIV_Bug001 to FDIV_Bug666, well, why not bring ISPs and government together to inform customers to clean up those bugs… */facepalm*

    1. Uzzi

      Kaspersky Lab, Revenue … $612 million (2011)
      Symantec Corporation, Revenue … $6.19 billion (2011)
      Microsoft Corporation, Revenue … $69.94 billion (2011)

  6. DavidM

    While this will help to an extent, it’s unrealistic to expect that you could get every computer clean. If you ask e the major problem with this is with ICANN, the ASN’s, registars and the upstream and downstream providers. Currently there are way too many crime friendly ASN’sn out there that the bad guys can move to…but if you were able to get the upstream providers to put the pressure on the downstream providers to rout the bad guys out of their service or face a termination of and further connectivity would have a more devastating effect to the bad guys.

    As it sits now, there are so many bullet proof bad guys services out there that the bad guys know they wont get kicked off, but if the upstream guys cut those ASN’s off. You’d start to eliminate the bad guys opyions. No connectivity means there botnet starts to go down hill.. fast.

    While that is one step in the war eggting companies like e-nom, namecheap etc to suspend known bad actors would certainly help.

    ICANN seems to be more of a UN actor in the fight against cybercrime, while they talk a lot their follow thru needs work. They are susposed to be the govening body but yet dont seems to push or punish those they know are abusing the net.

    Look at the McColo incedent… All the bad guys they had on their network were scrambling once the plug got pulled on their cybercrime friendly network. It worked wonders. Yes their were those that ran to another provider but when some of those providers were informed they too pulled the plug on the bad guys that moved there. There has to be a concerted effort to get the cybercrime friendly isp’s off the grid. I am not talking about those that have no clue, I am sure there are some isp that have no clue, but there are far to many that know the holes in the system and how they can skirt by. Hit them where it hurts.

    1. Uzzi

      Dear David, I guess we should differentiate between infected costumers computers and C&Cs (or cybercrime friendly networks) here:

      Infected costumer computers are rarely found on cybercrime friendly networks. Those infected machines are spread all over the world and the problems is:

      ISPs can’t disconnect their customers in time (if abusedesks work good, they inform customers within 1-2 working days and if customers care they desinfect their pcs and maybe sooner or later are infected again).

      But if you look at ‘DNSChanger’ legal practice accepts almost a year to clean up infections…

      …and on the other hand you have some cybercrime friendly networks hosting those C&Cs to orchestrate botnets for several years.

    2. AlphaCentauri

      DavidM, I agree, it’s important to go for hosts like McColo. But I disagree that getting the bots off the network is too big a task to be worth bothering about.

      I have found that people often dismiss the importance of spam and the fraudulent sites it advertises. For instance, we often see people post on Brian’s blog accusing antispammers of being the tools of the US pharma industry. People are perfectly willing to believe that spamvertised pharma sites are legitimate overseas pharmacies rather than scammers.

      But when you can show that the IP mailing the spam or hosting the site is part of a botnet victimizing the owners of computers in particular jurisdictions, or that the same botnet advertising fake viagra is also used to conduct DDoS’s or to hack into networks, it’s easier to get people to take the problem seriously.

      All that viagra and enlargement spam is making it financially attractive to create those botnets in the first place. The fact that they can operate so openly without anyone taking much notice has allowed them to grow their botnets to the point that they can be used as weapons. The botnet controllers don’t care who knows which IP addresses they’re using, because so few computers will be disinfected as a result.

      Any plan that makes it more risky for them to reveal the IP addresses of the computers under their control automatically limits the uses for which they can rent their botnets.

  7. Terry Ritter

    @AlphaCentauri: “But the topic of this article is dealing with OTHER people’s computers” “Keeping your own little plot of internet real estate trojan-free still won’t protect you from being DDoS’d by all the other bots.”

    I think the article is about fighting bots in general, not just DDoS. In particular, bots are a major issue for online banking, a frequent topic here. DDoS attacks are well understood, and only so much can be done when a malicious botnet is directed to attack. The solution is to not have botnets. The way to not have botnets is to not have bot infections.

    It would be nice to have a patch for existing flawed systems so they would be “difficult or impossible” to infect. That is how we got firewalls (including firewall hardware), plus patching and scanning. But they do not stop the bot infection problem.

    After so much effort for so little effect, there is no reason to expect that any software patch or process or program will somehow fix the bot infection problem in general. Meanwhile, society continues to buy flawed equipment and the problem rolls on.

    A bot has access to everything in, and flowing through, the computer, including website and banking passwords. By avoiding infection, we avoid those problems, and also do not not participate in DDoS attacks ourselves.

  8. Uzzi

    Do you agree that the internet would be a better place if Microsoft decides to give customers an understandable and easy to use administration interface and the support they deserve? …and can you imagine they will if not US government holds them liable for their products? 😎

  9. Neej

    I can’t help be struck by a number of posters making claims that it’s possible to create hardware and software systems that are almost impossible to attack.

    I think that while it’s *possible* it’s simply not feasible based on the current ecosystem of computing and the major role it plays in modern life. There is a gap between “something should be done – it’s possible” and the practicalities of doing so.

    Practicalities that would mean less usage of computers in the major role they play in our lives due to less convenience and higher financial cost – it’s sort of pointless to suggest these solutions since people would just go back to the non-computer equivalent of whatever task. They would do their banking by walking into a physical bank for example.

    I think of it as akin to owning a house in a very loose analogy that only partially captures the issues here: it’s simply not practical for the average Joe to own a dwelling that is completely secure even though it’s possible to build one. Ignoring costs one would end up with something like a modern American penitentary experience whenever you wanted to enter your home.

    You guys are missing something basically making these claims. If you disagree with me great – you should make good on your claims and you will be rich indeed if you can provide a practical solution.

    1. Terry Ritter

      @Neej: “I can’t help be struck by a number of posters making claims that it’s possible to create hardware and software systems that are almost impossible to attack.”

      First, it is obviously possible to *attack* anything, provided success is not an issue. And it is likely possible to *defeat* any OS, since they are large, complex systems which will have errors.

      Other things are *not* possible: It is not possible to write to a DVD which is out of the drive. That is *impossible*, with a hardware guarantee. The claim is that a DVD-load “thin-client” system is *almost* impossible for malware to *infect*. Of course there would be various other ways to design systems with similar security.

      “Practicalities that would mean less usage of computers in the major role they play in our lives due to less convenience and higher financial cost”

      That sounds wildly wrong to me, and I use such a system all day, every day, including now.

      Naturally, one does need to get used to a new system, one which has not been designed with wide-open insecurity. That is a big change, and it takes some learning and acceptance of new limitations. Security will always mean some inconvenience beyond just doing anything with no care at all. But much of this can be hidden if the human interface is extended for the new environment.

      The problem situation arises when people want to use applications the way they have always been used. Businesses are a particular issue when they insist on using old applications. However, nobody anywhere can expect to insist on using insecure systems and also expect to be secure at the same time. Security may require that online applications be limited to those developed for secure environments. Some users will have to wait.

      The added cost to reach my Puppy Linux demonstration today may be as much as a DVD writer and a DVD disc. In production, other approaches should have a similarly low cost.

      “it’s simply not practical for the average Joe to own a dwelling that is completely secure even though it’s possible to build one.”

      That only counts as long as the average Joe is not commonly invaded. When criminals are not controlled by the laws and police of society, homeowners might have a different view of their physical security. And botnet attackers are not controlled.

      “you should make good on your claims and you will be rich indeed”

      Hardly anybody will understand this stuff until they are hit in the face with the result. The situation is similar to motor vehicle design: Who among us could see an automobile design fault that later would cause an expensive and potentially fatal crash?

      We have laws to insist that auto manufacturers design safe cars. There are no similar laws to enforce safe design on computer manufacturers, so we continue to get unsafe products.

      1. AlphaCentauri

        If it caught on widely enough that the average person had heard that puppy linux would keep them safe, I guarantee there would be phishing emails claiming to be from banks and advising their depositors to download “puppy linux” from a link that actually leads to malware. Could make for some interesting calls to tech support from people who think they’re running puppy linux, too.

  10. David g

    “Follow the money”
    It is interesting that the most secure O/S’s are community owned. Money and locked up code is a double edged tool. Paid for O/S has locked up code that few developers have access to, this slows up patches and solutions it also indicates that all O/S’s by the same vender has the same codes further escalating the risks. The O/S is also writable.

    I am a Linux educator using puppy linux which I have found to be fast and secure. As the O/S can be loaded from a none writable customizable O/S files with all the applications in the same files. ( you roll the os to the customers requirements) cost 16 pence + 15 minutes computer time = 10 .16 GBP.

    You always start from a none infected state. Connect to the internet only when necessary and i store my data on a file server which is isolated from the internet on a separate LAN so its hard to infect.
    Cost of hardware? I use computers that vista and 7 wont even run on.
    For banking I use the same O/S in live mode with no data loaded.
    Using shealds up and ferensic tools a puppy pc cannot be seen on the internet and the posts only open when data is transmitted.
    Microsoft are in my opinion making a mistake by gathering user data from computers as this opens ports that the user is unaware of.

  11. qka

    Imagine Michigan Stadium entirely filled with sick computers instead of people

    Having gone to another Big 10 school, this is an appealing image.

  12. Richard Steven Hack

    Given that it is now clear that the White House directly ordered the construction of the StuxNet malware, I find it ironic that they now want to “deal with botnets”, er, botnets that they didn’t make themselves, apparently.

    As an aside, I think we now know who created the Flame malware, as well…

    As for the use of “hardware-constrained online banking”, there was considerable discussion of this over at Bruce Scheier’s blog a few months back. Several people proposed ideas which could be made to work in a very cheap device that businesses could install which would present a minimal or close to nonexistent attack surface.

    The problem I think is that so few business owners, let alone consumers, can understand the concepts involved in such a device, let alone agree to buy them if they have to shell out the money themsevles. However, I suppose this could be side-stepped by either effective marketing or government mandate either on consumers or the banks.

    Basically the situation remains as my meme describes: You can haz better security, you can haz worse security, but you cannot haz “security”. There is no security. Deal.

Comments are closed.