Watching modern botnets grow into the equivalent of a raging horde of cyber delinquents, I have to wonder why we cannot find a way through the thicket of privacy concerns to offer some hope of re-introducing these hordes back into society. Here is the situation as I see it: those with nefarious intent are building software to seek out unsuspecting victims, the modern consumers, who do not have the latest security patches or software (http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1). Without regard for any rules or guidelines, virus and worm developers inject software into the Internet that replicates and self-organizes into large-scale botnets, millions of systems waiting for orders. Corporations cringe at the notion of those botnets being sold to the highest bidder to be turned against critical infrastructure. We spend millions of dollars building defenses in front of every critical network and lie in wait for the attack to come. Even with the best of defenses, many networks will wither.
When a virus like the flu is spreading through the country, we do not let it run and wait at the hospitals for the sick to show up; we try to stay ahead of it and keep the population healthy and uninfected. Likewise, when gangs grow and get out of hand, we do not simply wait for their attacks; we bring in youth counselors, come up with better things for them to do, like midnight basketball, and re-introduce them into society as productive members. Yet while we wait for operating system vendors to patch holes and for users to buy and update security products, many botnets are growing to the tens of millions in size. So why is it that we avoid one of the most efficient means of restoring a civilized Internet? If we can understand how the botnets work, and what systems a botnet has exploited based upon a vulnerability, why can we not simply spread the antidote in much the same way? Years ago doctors floated the idea that kids playing tag and passing germs around build up their immune systems; isn't this the Internet equivalent?
A BBC team recently used a botnet for some research, and the backlash was large (http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm). To some, this sounds like becoming part of the problem, just another way of making things worse. As I sit here and look back at the threats on the Internet over the last decade, I cannot help but see a trend that is getting worse at the speed of the malcontents' innovation, while the stream of anti-virus, anti-spyware and anti-whatever-comes-next software pushed out to clients has already guaranteed a running war for supremacy. Last time I checked, those who did not realize their systems were infected have not been spending much time fixing them, just as those who are happy being social renegades do not spend a lot of time proactively reforming. At some point, we need to reach out with more than a suggestion that broadband customers download free anti-virus.
Too bold for us to consider? Will this always be the downfall of security? Is there a better way?


“If we can understand how the botnets work, and what systems a botnet has exploited based upon a vulnerability, why can we not simply spread the antidote in much the same way?”
This is not a new idea and reminds me of certain 'anti-virus virus' bootsectors that were commonplace on those venerable late 80s/early 90s machines, the Atari ST and the Commodore Amiga. These were bootsectors that spread like viruses, specifically targeting known viruses and 'immunising' new floppies against infection, effectively by simulating an infection.
The problems with these soon became apparent. Firstly, they sometimes made mistakes, and ‘immunised’ disks that were not meant to be modified – usually games, but often demos as well. Such pieces of software had clever loaders and bootsectors that would create a false positive and after immunisation they would become corrupted and non-functional.
The second (and probably more relevant to today) was that the ‘good’ viruses contained functional replication code which provided the bad guys with a really nice starting point… by reverse engineering the anti-virus viruses, you could insert a real payload and suddenly you had a wealth of new viruses appear which were variants of that common theme.
Mapping that onto today's world, this leaves two main challenges as I see it. Firstly, if a 'good' botnet was to start tracking down and cleaning up infected hosts, who is to blame if something goes wrong and problems arise, problems that may range from minor data corruption through data loss and potentially system disablement? The evil botnetter doesn't care; they'll just go for it. The good guys, on the other hand, surely have some duty of care (and ultimate responsibility) for the results of their code being deployed on people's systems.
The second challenge is one of reverse engineering / hijacking. One thing that does seem pretty certain is that many of the botnets are actually running very sophisticated software, and certainly Conficker C looks to be right up there (interestingly, at the time of writing the payload kicks off today, April 1). What could be the consequences of similar quality code, developed by government/sanctioned organisation/whoever being ‘cracked’ and turned into something malevolent?
I guess the problem is as much political and moral as it is technical. For sure, something will have to be done otherwise the logical conclusion is that the entire Internet becomes a playground for malware. Some would say it already is, but it looks as if it can only get worse.
I’m not sure I have the answers, but certainly the article raised some interesting questions in my head.
Eddy.