International rescue: cooperation against the botnets

The problem with tackling botnets is that the infected PCs used to launch cyber attacks do not keep within national boundaries. Now law enforcement agencies are making the battle against botnets a global one

International cooperation is playing an increasingly important role in helping stamp out cybercrime, according to FBI officials who recently announced a series of arrests of US-based botnet controllers and the identification of over 1m infected machines.

Security researchers have long maintained that a key obstacle to shutting down botnets - banks of computers infected by viruses that allow them to be secretly used to carry out electronic attacks - is the distributed global nature of the individuals responsible for operating the networks of zombie PCs.

The conventional wisdom has been that US law enforcement officials have struggled to find the budget and staffing resources necessary to track down cybercriminals operating on their own turf, let alone find a way to identify and arrest people distributing malware code or operating botnets who are based all around the world.

But international cooperation is making a difference. "We've been successful in building relationships with foreign law enforcement officials and have agents in 60 countries around the globe working full time on cyber-crime along with police departments and other agencies," says Shawn Henry, deputy assistant director of the FBI’s cyber division.

"We've seen some significant developments over the last few years in that area."

Henry admits that the very nature of cutting-edge botnet herders can make them hard to find, as perpetrators move from one bank of infected machines to another quickly to avoid detection.

But he says partnerships with governments around the world are playing a vital role in aiding the agency's ability to thwart the attacks.

"This type of crime can be committed by someone with minimal resources, sometimes using publicly available tools, which makes it a challenge to identify who is responsible.

“But international cooperation has allowed us to pursue these efforts in many countries, and we are also helping other nations fight operators located in the US as this is a problem that goes both ways," Henry said.

In its most recent botnet hunt, the FBI rounded up Robert Alan Soloway, thought to be one of the US's main sources of botnet-driven spam email, along with James Brewer, who is alleged to have infected several hospitals with botnet programs, and Jason Michael Downey, who is charged with running botnets that were used to carry out denial of service attacks.

The IT security community has generally felt that computer-based attacks are low on the FBI’s agenda and that efforts to stop such crimes do not have the same financial backing as its other pursuits.

But Henry says: "Cyber crime is our number three priority behind anti-terrorism and counter-intelligence; we devote a lot of resources to it, and director Mueller sees it as a significant criminal problem and is very supportive of our efforts. We also get ample support from the US Department of Justice and have been successful with the legal tools that are being made available to us."

Despite making headway, Henry says the battle against botnets and other forms of cybercrime remains an "electronic cat and mouse game" as perpetrators move to new methods of attack.

The FBI assistant director says the agency hopes businesses and consumers will become more vigilant and aggressive in lending a hand by keeping their computers protected with the latest anti-virus programs.

The agency is also advising potential victims of cybercrime to pursue investigation of such activity by contacting their internet service providers, rather than contacting the FBI or other law enforcement organisations directly.

Security industry experts lauded the FBI's work to identify and detain hackers as part of its Operation Bot Roast, which led to the arrests of Soloway, Brewer, and Downey. But at least one authority says the agency may be creating false expectations by telling people to fight crime via their ISPs.

Web access providers, particularly those that cater to residential markets, have minimised helpdesk support to save overhead costs, and customers may find themselves being asked to pay for additional security services when they call their ISPs to complain, says Danny McPherson, chief research officer at security filtering specialists Arbor Networks. Arbor provides network behaviour analysis tools to a number of well-known ISPs, including BT and US firm AT&T.

Asking ISPs to become a de facto police for stopping botnet activity is impractical for a number of reasons, McPherson says. "You tend to see a lot of people, not just law enforcement, calling for quarantines of suspected botnet infected IP addresses, but you can't just start blocking legitimate users who may not know they are involved. What if you stop someone from making a VoIP-based emergency services call?”

He adds: “If someone gets blocked by their ISP, they're going to move to another provider. Systems and solutions to automate the security defences needed to address this problem are being developed, but it will take time, and most infrastructure out there won't natively support that sort of work today."

McPherson says it is encouraging to see cooperation between US law enforcement officials, but he believes the botnet issue will remain a major problem nonetheless.

"It's good to see that there is more global information sharing going on, and that local governments are taking responsibility for cleaning up their own backyards, but with millions of bot hosts and more than 90% of those outside the US, I think they're still only putting a tiny dent in the problem at this point," he says.

Other security industry experts agree that it will take a lot more effort on the part of the international law enforcement community to have any noticeable impact on botnets and other cybercriminals.

But efforts such as Bot Roast will make botnet operators worry that they may be brought to justice, says Alan Paller, director of research for IT security training provider SANS Institute.

"At this point, the law enforcement community still can't get much done because so many of the perpetrators are located in so many places where there are no cooperative agreements," he says.

"But what they are doing is increasing the risk and raising the cost of committing the crimes, which is just what law enforcement is good at. In the end they can't ever really stop people from trying to rob banks, but they can make it really dangerous and costly, just as they always have tried to."
