MAAWG Offers Botnet Guidelines
This month our friends at Messaging Anti-Abuse Working Group (MAAWG) published new best practices to help ISPs deal with bot infections on customer computers. While these guidelines are targeted at the consumer level, it is heartening to see the messaging community cooperate and come together to develop the suggestions.
In an interview from last fall, Michael O’Reirdan, chairperson of MAAWG, acknowledged that botnets were not just a consumer problem. “Botnets exist on corporate networks just as they exist on the residential networks run by the ISPs. They are quite discriminating. A bot sitting on a corporate network is going to be worth more than sitting on a residential network, and one sitting on a military network is worth even more.”
O’Reirdan went on to talk about the business of botnets. “There is a whole underground economy out there that goes from the people that write the code (sort of like the gun makers) all the way through to the people that deploy the code, people that rent time on botnets, people involved in the laundry of cash that is generated and finally the delivery of goods. The whole thing is a business. A lot of the bots come with technical support, customer service, even refunds if you do not get the value for your money. It is a parallel economy and it is turning over an enormous amount of money.”
The newly released guideline, MAAWG Common Best Practices for Mitigating Large Scale Bot Infections in Residential Networks (Version 1.0), is meant to try to stem the tide of bot infestations that are contributing to spam and online fraud. According to MAAWG, bots — malware running on users’ computers without their knowledge — are responsible for generating up to 90 percent of spam and can also be used to steal personal information or take part in DDoS (distributed denial of service) attacks. While the best practices outline strategies used by some of the largest ISPs worldwide, they were also developed to be scalable for smaller network operators and to consider legal and process differences among countries.
“Bots are a global affliction and these best practices are an important step in educating the industry on the appropriate processes to help protect consumers,” believes O’Reirdan.
The best practices outline various options for alerting customers when their computers are infected and offer suggestions for helping end-users clean their systems. The paper discusses bot detection methods, customer notification, and the use of walled gardens to limit infected machines’ exposure to the Internet.
Among the recommendations:
• While protecting users’ privacy, network operators can use various tools to detect infected end-user computers, including DNS, scanning the IP space to identify vulnerable computers, and collecting IP traffic information for known command and control addresses.
• Email, phone calls to customers, postal mail and walled gardens are common notification tools, each with its own considerations. In-browser messages are considered to be among the most effective methods to alert customers but can also be technically challenging to implement.
• ISPs need to maintain a well-publicized security portal that includes directions for end-user bot removal.
The paper also includes sample end-user messages and a list of malware detection and removal tools. MAAWG says that the best practices will continue to be revised to reflect new procedures and the evolution of new bot threats.
A survey MAAWG released in July found that about 80 percent of consumers are aware of bots, but only 20 percent believe they will ever be infected. The new bot mitigation best practices are part of the ongoing work at MAAWG to confront messaging abuse. Previously, MAAWG has published best practices for managing port 25, using walled gardens, sharing dynamic IP address space, email forwarding practices, and sender best communications practices, among other topics.
The MAAWG Common Best Practices for Mitigating Large Scale Bot Infections in Residential Networks is available for download on the MAAWG site.
Eye on Messaging is written by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas or news to share, email her: sjordan [at] messagingnews [dot] com
