The U.S. departments of Homeland Security and Commerce have issued a request for proposal to develop a program which would have major ISPs detect and notify customers they are part of a bot army.
Homeland Security and Commerce departments are considering a
voluntary program in which Internet service providers will proactively detect
infected computers participating in a botnet.
The Department of Homeland Security, National
Telecommunications and Information Administration and the National Institute of
Standards and Technology published a request for comments on the proposal,
posted on the Federal Register
Sept. 21. Under the program, Internet service
providers would detect botnet activity on their networks and notify customers
their computers had been infected by malware. Comments are due by Nov. 4.
Still in early stages, the program doesn't have a lot of
details yet. While it would be voluntary, it doesn't mention who will be
enforcing the program, or who will handle the actual cleanup process after the
user has been notified. It also doesn't address privacy concerns if the ISP has
permission to inspect network traffic or who will pay for the cost of
implementing the program.
The program would "reduce the harm that botnets inflict
on the nation's computing environment," according to the posted request.
The agencies suggested creating a resource center, run
either by the private sector, the government, or a public-private collaboration
to provide centralized support.
The idea of having ISPs scan network traffic to determine if
any of the packets are indicative of botnet behavior is not a new one. Comcast
implemented its own infection notification system in October. The
"Constant Guard" service, provided by Damballa, notifies users via a
Web banner and email if the systems exhibit botnet behavior. Cox
Communications also notifies users when it discovers their computers had been
Australia's Internet Industry Association last year launched
iCode, a program in which ISPs redirect systems suspected of having bot malware
to a site with instructions and tools on removing malware. Over 30 Australian
ISPs participate in the program, covering about 90 percent of Internet users in
the country. Japan's Cyber Clean Center uses a honeypot to find compromised
users and then alerts the ISP, which then notifies the customers.
Cyber-criminals collect machines for their zombie armies by
sending out emails with malicious links and attachments, spamming out links on
instant messaging services and social networking sites, and tricking users to
visit malware-laden Websites. Once the computer is compromised, it receives
instructions from a remote command-and-control server and executes them.
Damballa's vice-president of research, Gunter Ollman, estimated that about 18 to 22 percent of customers in an ISP are infected with botnet malware.
"Considering the large number of unprotected or poorly
protected PCs in the United States, I welcome any effort to raise awareness
among consumers that their computers are infected," Chester Wisniewski, at
Sophos, wrote on Naked Security blog.
The initiative would make it more expensive for cyber-criminals
to rent botnets, Wisniewski said. Criminals rent out botnets to launch their
campaigns and rely on the fact that the users are unaware their computers had
been compromised and was participating. If a wide-spread service was notifying
users, the bot herders will have a harder time maintaining their zombie army.
The request for proposal requested "all Internet
stakeholders" to submit ideas and comment on potential models for
detection, notification, prevention, and mitigation of botnets. The RFP should
consider what practices are effective in detecting botnets and what mechanisms
are already in place.