As Storm fades, botnet fight goes on

April 9, 2008 —

When Owen Walker was arrested for masterminding a massive international network
of compromised computers last year, it seemed like a major victory in the war
against botnets.

The 18-year-old New Zealander, who pleaded guilty to hacking charges last week,
was arrested in the second of a series of actions, called Operation
Bot Roast by the U.S. Federal Bureau of Investigation that were touted as
major strikes against cyber-crime.

"The operation was an attempt to kind of smoke the botnet underground
out," said Matthew Fine, the FBI special agent who worked on the case.
"Did we make a dent? That is for you to determine," he told attendees
during a panel discussion at the RSA Conference in San Francisco Tuesday.

According to one botnet hunter, not much has changed.

"I'm sorry to report this, but it did not make a dent in my workload,"
answered fellow panelist Joe Telafici, vice president of Avert operations with
McAfee Inc. "The problem today is many orders of magnitude worse than it
was."

Telafici believes that unless it becomes more expensive to run a botnet, nothing
will change. It's simply too profitable to run these networks, and when someone
like Owen Walker is arrested, there's always another criminal ready to take
his place.

Some botnets are fading. Helped by better detection on the part of Microsoft's
Malicious Software Removal Tool, which ships as part of the Windows operating
system, the infamous Storm botnet has shrunk to a fraction of its former size.

On Tuesday, security vendor SecureWorks published
a list of the largest botnets that are being used to send spam e-mail messages.
Storm barely made the top five.

The largest and fastest-growing network is called Srizbi. With an estimated
315,000 bots, it can send as many as 60 billion messages per day. Last fall
it made headlines when it sent out unauthorized spam messages promoting presidential
candidate Ron Paul.

Written in part by a contract programmer from the Ukraine, Srizbi thrives using
a technique known as social engineering -- it sends out links to malicious files,
claiming that they are pornographic videos of celebrities. When the user clicks
on the files, they become infected with the malware.

Storm has long thrived on social engineering techniques, too, sending malicious
e-mail that is often linked to events in the news or holidays. But it now has
only about 85,000 infected machines, and less than half of them are being used
to send spam.

The other top spam-spewing botnets are Bobax, also known as Kraken, which has
about 185,000 machines; Rustock, with 150,000, and Cutwail: 125,000.

In total, the botnets tracked by SecureWorks can send out more than 100 billion
messages per day. These networks use Web-based templates, offering infected
machines to the highest bidder as an easy software-as-a-service product.

So how to stop the problem? One panelist had an idea that may not sit well
with everyone: Internet Service Providers should knock users off the network
unless their patches are up-to-date. Because most botnet attacks target known
software bugs, having your patches up-to-date, especially for popular products
like Internet Explorer, Firefox, WinZip, and QuickTime, can make a real difference.

The only drawback: a good chunk of the Internet population would be knocked
offline until they patched.

Still, maybe it's a fair thing to do because these people are harming others,
according to Ira Winkler, president of the Internet
Security Advisors Group, a security consultancy.

Often victims who have been infected with botnet code, don't even realize that
the malware is on their system, he said. It's other computer users who must
bear the brunt of the problem when the botnet network spams or launches a denial
of service attack against them.

"We need home users to be responsible," he said. "Yes blame
the users... because they present an imminent danger to others."

IDG News Service