Putting botnets on notice

Botnets are the scourge of the Internet, spewing spam and malware at every turn. They could also be malware’s weak link if ISPs wake up in time.


Like every Internet provider on the planet, BT has a problem with botnets, and like every Internet provider on the planet, it is a problem the company has until now been unwilling, or unable, to talk about. How many botnet-compromised PCs might the company be hosting within its domain of 2.8 million users? How much of the domain’s spam do they generate and to what end effect in terms of malware infection? Does the company have a policy for dealing with them? Is it even BT’s job to deal with them at all?

Last week’s news that it has bought an automated system from StreamShield Networks to hunt down and, if necessary, block them marks a huge change in direction, not only for BT but for the whole industry of Internet provision. If the average consumer and SME customer covered by the new system is still in the dark about what this will mean for them, it’s a move you’d hope might not have passed by BT’s rival ISPs. If botnets, spam and malware are ever to be curbed, technologies such as botnet-identification and blocking could turn out to be key.

Botnets are the clandestine networks of ordinary computers – "zombies" - hijacked to distribute malware, especially spam, on an automated basis. From an ISP’s point of view, they clog the arteries to email servers with unwanted traffic, and cause blacklisting problems as third-party ISPs moan about traffic abuse. For everyone else, they are now one of the major distribution mechanisms for malware, a fact that ISPs have, amazingly, been allowed to ignore.

Nobody really has any hard figures on how many botnets are out there at any one time, or what percentage of global spam traffic is now generated by them. But a real-time counter of suspected botnet and spam traffic through the world’s largest ISPs by security company Trend Micro offers compelling evidence that botnets are now at the centre of the whole spam problem.

Of the top 100 ISP list generated using Trend’s calculations – China, Eastern Europe and servers connected to Brazil feature large on the list – it is safe to say that the top offenders see themselves as little more than message relays. In other words, the traditional “solution” taken by the overwhelming majority of ISPs is still to ignore the problem and do nothing at all. It’s as if they now treat spam, and the bots that generate an unknown portion of this traffic, as acceptable noise.

It is likely that a few of them take a big axe to the worst spam offenders by employing port 25 blocking, a technique that forces email traffic to use an ISP’s servers where it can be blocked and filtered more easily. Blocking spam this way has severe limitations because it is precisely the filtering that drives spammers to distribute their spam via other people’s PCs in the first place.

The crazy thing is that the whole security industry is geared to stopping the symptoms of botnets, spam and malware, at one of the least efficient places to tackle it – the network edge or desktop. Spending on such systems is now worth billions, but still botnets and spam have thrived.

Systems such as StreamShield’s Content Forensics are actually a fairly new development, which might partly explain why ISPs using anti-botnet systems are a rarity. The deal with BT will see the system rolled out from its current trial point of presence in London to nine other key locations around the UK in the coming three months.

The technology works by scanning a large portion of the email that travels through the company’s network every day, performing traffic analysis to show who is sending how much email, when, and to where. This information can be used to quarantine users who appear to be breaking pre-set thresholds for their type of account such as would indicate that a user had become an unwitting botnet relay.

Geoff Bennet of StreamShield is adamant that the system will not generate false positives because it uses simple metrics to determine which PCs are behaving in the manner of a bot zombie, and which aren’t. And it will give BT a more effective weapon than the blunt one of port 25 blocking.

“I usually say that Port 25 blocking is like slapping a bandage onto an infected wound - it may stop the puss getting out and making a mess but it doesn't do anything for the patient.”

“One of the original goals of BT's Content Forensics project was to be able to measure the scale of the botnet problem without having to resort to fudge factors or estimates,” he says. “I know they've been extremely pleased with the Content Forensics pilot, and are very keen to take it to the next stage where they can automate the process of customer decontamination.”

The argument for using such a system is compelling. It can hit bots in the network layer, where they are most vulnerable. Contain the problem here and network and desktop security might in future become less critical in stopping this threat.

“The logic of the system is that the earlier you deal with the problem, the less likely it is to become a problem on your network,” says BT’s Adam Liversage. “if every ISP adopted this approach, it would go some way to tackling the problem.”

BT is being very brave here. At the moment, anyone falling foul of these thresholds will find themselves receiving a call from BT’s “abuse team”, suggesting ways of checking their system for infection. A suspect system could also find itself quarantined, which means having access to only a limited range of security-related websites. Sorting out every bot-infected user on the network, or stopping them becoming re-infected, could take time, however.

All BT’s broadband customers are currently automatically subscribed to Symantec’s anti-virus software, but it is also possible less technical users will need to be sold a visit from a engineer, with charges of £75 ($140) for the first hour. There is a risk that if a customer does not understand what is awry with his or her system, and is not willing to pay for it to be fixed, they will end up being disconnected. Feel like complaining? It’s all in the terms and conditions, and has been for some time.

If the way to tackle bots is to track them down and block them, the bot operators will have to start evolving. Thus far about the only thing they’ve devoted their energies to is simply making bots bigger, more controllable, and more sophisticated platforms for malware and spam delivery. But are ISPs willing to make an investment that will mostly benefit their customers?

“We have a couple of UK ISPs interested, but ISPs in general are a pretty conservative lot. They like to feel that somebody else has ‘pioneered’ a new solution. But we've already taken a few enquiries from US ISPs since the BT announcement,” reckons Bennet.

BT deserves credit for investing in stopping botnets, but not everyone is convinced it will be that simple. Identifying zombies is the easy bit, says Simplicita CTO Rob Fleischman, a StreamShield competitor.

“We have developed an integrated solution that identifies the zombies, isolates them in a quarantine, and presents consumers with resources to fix their machines including connectivity required to download tools, security definitions and operating system updates,” he says.

“The key issue for BT, and others, is that without an automated remediation platform they still need to contact infected subscribers one at a time by hand.” In fact, it is fairer to say that the StreamShield system can do this, but BT is leery of disconnecting users without careful consideration for customer relations and bad publicity.

The real test will be how many zombies StreamShield can root out. Botnet zombies have been put on notice, but it will be some months before the success of the system can be judged in earnest. But the conventional wisdom that security starts at the customer premises is on its last legs. The battle against bots begins in the ISP layer, and it is here that it will ultimately be won or lost.

"Recommended For You"

High-powered Botnet management application exposed Secretive security group emerges to highlight internet abuse fight