Battling botnets

In the world of computer security, botnets continue to be a nasty scourge. These are vast groups of ordinary, personal computers that have been infected with malware, almost always unbeknownst by their owners, which then can be controlled remotely to infect, attack, or steal information from other computers.

Earlier this month, Damballa, a computer security firm, found that the threat posed by mobile phone botnets is rapidly on the rise. In the first half of 2011, the company found that a large network of compromised Android mobile phones topped out at 20,000. Most of the time, it is difficult for law enforcement and governments to prosecute botnet organizers as their geographic location is hard to track down. Even on occasions when the perpetrators can be found, often they are in places like Russia, China or other locations where pursuing legal action against them is near impossible.

However, this week, an Iranian doctoral student from the Delft University of Technology, in the Netherlands, presented new research on "The Role of [Internet Service Providers] ISPs in Botnet Mitigation." Hadi Asghari spoke at the "Internet Security Days" conference, held earlier this week in Brühl, just outside of Cologne, Germany. Deutsche Welle caught up with him just after his presentation.

Deutsche Welle: How would you summarize your research?

Hadi Asghari: The question we have been researching for the past two years, is: whether this can actually make a difference? This sounds like a theoretically good idea. We have been researching whether ISPs are critical points and if they have discretion. We looked at 200 ISPs worldwide, these are all legitimate, brand-A ISPs, across 40 countries and across a five-year period. We started to see how different these ISPs are with respect to the number of infected users in them.

We found that sometimes with ISPs of similar size, say, both with five million subscrbers there is 100 times difference in terms of affected users. So you might have 10,000 infected users or one million affected users. We found that 60 percent of bots are on located on these 200 ISPs.

So why is this important? They say that in the Internet, there are tens of thousands of ISPs, it's lots of networks connected to each other. We found out that only 200 core economic players, they control 60 percent of this problem.

These are the top five-to-ten companies in each country. You can sit down with them at a negotiating table to talk to the government.

Normally we associate botnets with countries that are more closed off -- like Russia, China, maybe Iran. That's where it would not be in the Russian government's interest to go after these botnets, and it's hard for the German, Dutch or American governments to go after them.

Right. I can say it like this: Maybe the malware was written in these countries and maybe the command and control servers are in these countries. So in that sense, we can't go after those guys. But the actual victims and the actual bots are in places like Germany and the US. There are lots of things that can be done at this point. So, for the governments, they can't do anything about the [point of origin] but they can do something about the ISPs.

Ok, so you've come up with this result, that botnet activity is very widespread across major ISPs in 40 countries around the world. So what do we do about it?

I think this is a country-by-country decision. In the Netherlands, for example, it was interesting. The governmental agency that contracted us to do this research was the Ministry of Economic Affairs. Not Internal Affairs, not Defense. They have an incentive to do something. Now they know that the ISPs can do something. One of things that they're doing, is the threat of regulation. They're telling the ISPs: ‘You have to do something. We don't know what, but you have to do something. Otherwise, we have to act and maybe we won't act in a good way because this is a very complex technology. You have a one-year period to do something about this.' In the Netherlands, 14 Dutch ISPs have signed an agreement and are sharing data about this. It is also in the interest of the ISPs to do something about this.

But doing something would mean what? If you see suspicious activity, shut down the connection?

You can take different steps. You can inform the user by e-mail, but there are limitations because you don't know if it's legit or not. In Japan, they send out postal mail to the user and it's shown to be very effective because people take the postal mail very seriously. And in serious cases you can shut down the connection and tell the user that they need to get some cleaner tools.

In Germany since last year, this "botfrei" initiative has started, and a number of ISPs are part of this. You are directed to a particular website when you have been infected. There you can download a bunch of cleaning tools. After these initatives, Germany went from number two to number eight.

What has Germany been doing in terms of notification?

They have been sending e-mails.

It seems like this is a step in the right direction, no?

Yes. But there are some costs involved, even though, as I said, the ISPs they benefit if their network is not sending out malicious traffic. One of the costs is that they are sometimes reulctant to tell a user that they have a problem, because then the user might call them and ask what he or she should do about it. Then they have to spend one hour of a paid employee's time to explain how to fix it, and then maybe they lose money on that customer.

These nice initiatives can be combined. In South Korea there is a phone number, I think it's 118.

So it's government tech support?

Exactly. They will explain to you, in detail, how to clean up your system.

What do you think of that? Is that the gold standard?

It's tricky to tell, because as an academic person, I cannot judge on that. It's up to policymakers how they spend their money and this is the place where lots of negotiations are going on.

Interview: Cyrus Farivar
Editor: Stuart Tiffen