Is It Really Too Late to Beat Bots?

 
 
By Larry Seltzer  |  Posted 2006-10-25 Email Print this article Print
 
 
 
 
 
 
 

Opinion: The experts are disconsolate over the battle against botnets, but I think the longer term is promising.

To my mind its been obvious for many, many years, since before we even spoke of "botnets": The only way to stop them is to get ISPs on board, to have them look for malicious behavior and stamp it out, even from paying customers. Recently a large ISP took such a step: BT (that used to stand for "British Telecom" the way "AT&T" and "IBM" used to stand for something) announced that it will be implementing outbound spam detection with products and services from StreamShield Networks. BT is a dominant DSL player in the United Kingdom.

As I wrote a few weeks ago, tools are beginning to emerge for ISPs to fight back.
The ICSS tool I described there focuses on DNS, a very good place to look. There are many other approaches, and used in concert they can catch a great deal.

The StreamShield Networks Content Forensics tool that BT will be using looks for spam by monitoring SMTP traffic, a more conventional route. You can tell a lot just by looking at rates of mail transmission.

Another opportunity for ISPs comes from Simplicita, which lets ISPs network with others and with reputation and security companies to share data on bots and coordinate it with their own internal data.

With this data, Simplicita claims that their ZBX remediation system can identify bots as they come online or send e-mail and then do the NAC trick of isolating the system in separate subnet, sometimes called a "walled garden."
"Here subscribers are alerted to the problem and provided with resources to fix their machines including connectivity required to download tools, security definitions and operating system updates."

It presents interesting business opportunities too. Simplicita announced a partner program called RDP (Reputation Data Partner program) with Cloudmark, Habeas, Shadowserver and Sophos, each of which feed data into the network, including phishing URLs, and join in on marketing and referral programs.

The SpamThru Trojan uses P2P technology to send commands to hijacked computers and an anti-virus scanner that introduces a never-before-seen level of complexity and sophistication. Click here to read more.

And yet experts on botnets seem to feel that the battle is already lost. Whats up here? The basic argument is that botnets are so large and sophisticated that theres no way they can be taken down.

To quote security maven Gadi Evron "[t]heyve advanced to the point where there is no command and control to find and take down. For a while, the command and control was the weak link. Today, theres enough redundancy and alternative control channels to keep them alive."

I have to think though that individual ISPs can, with the right tools, clean up their own networks pretty well. In fact, the tools arent the hard part of the equation; shutting off customers is.

Even if tools like this become widely used, they will never become universal enough to wipe out bots. There are too many, and they are too nimble.

But in the long term the ground will be less fertile for bots. While data from Microsofts Malicious Software Removal Tool shows bots to be a "significant and tangible threat to Windows users," it also showed that the threats were overwhelmingly to older versions of Windows, prior to Windows XP SP2. Its reasonable to assume that threats to Vista will be substantially lowered compared to SP2. In the long term, the more vulnerable versions of Windows will be thinned out of the population.

My future isnt totally blue-sky, but Im a little more hopeful than the hard-core experts. Maybe theyre a little too close to the bots.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel