To my mind its been obvious for many, many years, since before we even spoke of “botnets”: The only way to stop them is to get ISPs on board, to have them look for malicious behavior and stamp it out, even from paying customers.
Recently a large ISP took such a step: BT (that used to stand for “British Telecom” the way “AT&T” and “IBM” used to stand for something) announced that it will be implementing outbound spam detection with products and services from StreamShield Networks. BT is a dominant DSL player in the United Kingdom.
As I wrote a few weeks ago, tools are beginning to emerge for ISPs to fight back.
The ICSS tool I described there focuses on DNS, a very good place to look. There are many other approaches, and used in concert they can catch a great deal.
The StreamShield Networks Content Forensics tool that BT will be using looks for spam by monitoring SMTP traffic, a more conventional route. You can tell a lot just by looking at rates of mail transmission.
Another opportunity for ISPs comes from Simplicita, which lets ISPs network with others and with reputation and security companies to share data on bots and coordinate it with their own internal data.
With this data, Simplicita claims that their ZBX remediation system can identify bots as they come online or send e-mail and then do the NAC trick of isolating the system in separate subnet, sometimes called a “walled garden.”
“Here subscribers are alerted to the problem and provided with resources to fix their machines including connectivity required to download tools, security definitions and operating system updates.”
It presents interesting business opportunities too. Simplicita announced a partner program called RDP (Reputation Data Partner program) with Cloudmark, Habeas, Shadowserver and Sophos, each of which feed data into the network, including phishing URLs, and join in on marketing and referral programs.
And yet experts on botnets seem to feel that the battle is already lost. Whats up here? The basic argument is that botnets are so large and sophisticated that theres no way they can be taken down.
To quote security maven Gadi Evron “[t]heyve advanced to the point where there is no command and control to find and take down. For a while, the command and control was the weak link. Today, theres enough redundancy and alternative control channels to keep them alive.”
I have to think though that individual ISPs can, with the right tools, clean up their own networks pretty well. In fact, the tools arent the hard part of the equation; shutting off customers is.
Even if tools like this become widely used, they will never become universal enough to wipe out bots. There are too many, and they are too nimble.
But in the long term the ground will be less fertile for bots.
While data from Microsofts Malicious Software Removal Tool shows bots to be a “significant and tangible threat to Windows users,” it also showed that the threats were overwhelmingly to older versions of Windows, prior to Windows XP SP2.
Its reasonable to assume that threats to Vista will be substantially lowered compared to SP2. In the long term, the more vulnerable versions of Windows will be thinned out of the population.
My future isnt totally blue-sky, but Im a little more hopeful than the hard-core experts. Maybe theyre a little too close to the bots.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]