U.S. Government Proposal Would Enlist ISPs to Fight Botnets

The U.S. departments of Homeland Security and Commerce have issued a request for proposal to develop a program which would have major ISPs detect and notify customers they are part of a bot army.

Homeland Security and Commerce departments are considering a voluntary program in which Internet service providers will proactively detect infected computers participating in a botnet.

The Department of Homeland Security, National Telecommunications and Information Administration and the National Institute of Standards and Technology published a request for comments on the proposal, posted on the Federal Register Sept. 21. Under the program, Internet service providers would detect botnet activity on their networks and notify customers their computers had been infected by malware. Comments are due by Nov. 4.

Still in early stages, the program doesn't have a lot of details yet. While it would be voluntary, it doesn't mention who will be enforcing the program, or who will handle the actual cleanup process after the user has been notified. It also doesn't address privacy concerns if the ISP has permission to inspect network traffic or who will pay for the cost of implementing the program.

The program would "reduce the harm that botnets inflict on the nation's computing environment," according to the posted request.

The agencies suggested creating a resource center, run either by the private sector, the government, or a public-private collaboration to provide centralized support.

The idea of having ISPs scan network traffic to determine if any of the packets are indicative of botnet behavior is not a new one. Comcast implemented its own infection notification system in October. The "Constant Guard" service, provided by Damballa, notifies users via a Web banner and email if the systems exhibit botnet behavior. Cox Communications also notifies users when it discovers their computers had been infected.

Australia's Internet Industry Association last year launched iCode, a program in which ISPs redirect systems suspected of having bot malware to a site with instructions and tools on removing malware. Over 30 Australian ISPs participate in the program, covering about 90 percent of Internet users in the country. Japan's Cyber Clean Center uses a honeypot to find compromised users and then alerts the ISP, which then notifies the customers.

Cyber-criminals collect machines for their zombie armies by sending out emails with malicious links and attachments, spamming out links on instant messaging services and social networking sites, and tricking users to visit malware-laden Websites. Once the computer is compromised, it receives instructions from a remote command-and-control server and executes them. Damballa's vice-president of research, Gunter Ollman, estimated that about 18 to 22 percent of customers in an ISP are infected with botnet malware.

"Considering the large number of unprotected or poorly protected PCs in the United States, I welcome any effort to raise awareness among consumers that their computers are infected," Chester Wisniewski, at Sophos, wrote on Naked Security blog.

The initiative would make it more expensive for cyber-criminals to rent botnets, Wisniewski said. Criminals rent out botnets to launch their campaigns and rely on the fact that the users are unaware their computers had been compromised and was participating. If a wide-spread service was notifying users, the bot herders will have a harder time maintaining their zombie army.

The request for proposal requested "all Internet stakeholders" to submit ideas and comment on potential models for detection, notification, prevention, and mitigation of botnets. The RFP should consider what practices are effective in detecting botnets and what mechanisms are already in place.