We're All Sheriffs in the Land of the Walking Dead: The Botnet Fight
“Wake up!” Or so one might want to shout at those enterprise network operators and IT managers who consistently act as if their operations were islands unto themselves. These are the mavericks that ignore industry best practices and go their own way, believing their networks immune to zombies or bot infections, and who disregard the lessons learned by their peers.
The sad reality is that we all suffer once zombies or bots find their way onto these susceptible networks or Web sites. The bot-delivered malware that ends up surreptitiously installed on users’ computers is a finely tuned parasite, capable of stealing valuable informational assets such as personal identity records or credit card numbers. The bot then turns the computer into an efficient spam machine, sending abusive email just under the network operator’s radar and often launching highly-targeted phishing expeditions—all without the computer owner’s permission or knowledge. Enterprises and their banking operations are being precisely targeted by malware such as Zeus and SpyEye, which is designed and, is very successful, in compromising banking credentials, thereby gaining access to corporate bank accounts and stealing millions of dollars.
Spam from bot-infected computers clogs the Internet and is often loaded with malicious code aimed at other unsuspecting users. According to metrics aggregated by the Messaging Anti-Abuse Working Group (MAAWG), almost 90 percent of all email traffic on the Internet is abusive. Together with social engineering and compromised Web sites, spam is one of the most important ways to get end-user machines compromised with malware.
Beyond the personal and business setbacks it spawns, abusive messaging also has become a huge budgetary drain. Ferris Research, Inc. estimated that spam cost the U.S. $42 billion in 2009. This is just slightly less than the $40 billion that globalissues.org calculates it would cost to provide universal access to basic social services in all developing countries. Ferris puts the worldwide outlay for spam last year at more than three times this amount, around $130 billion globally.
Given the scope of the problem, no one entity alone can stop bots or the resulting spam they generate. Creating a safe online environment is the responsibility of all of us who have an interest in the free exchange of information. This includes network operators and email providers, industry vendors, corporate networks, small business users, and yes, even end-users. We all have a role to play in protecting the Internet.
Taking a Stand
The first priority for end-users is to learn good computing habits and to understand the dangers inherent in spam. Half of the email users in North America and Western Europe opened or accessed spam last year, according to the 2010 MAAWG Email Security Awareness and Usage Survey. Tens of millions clicked on links or opened attachments that could leave their computers vulnerable to a bot. As long as users continue to interact with spam, and as long as spam remains a profitable commerce model, the cybercriminals will be open for business.
In some respects, battling spam and cybercrime is a never-ending arms race. As soon as the industry identifies a bot or a cleverly devised phishing scheme, the cybercriminals quickly morph the code or change their mode of operation, making the malware more difficult to detect. We have to remember that in the time of open source and Internet standards, the tools available to the good guys are just as easily used by the bad guys too.
Yet, there are definite remedies in sight. From the industry’s perspective, one of the best weapons in this battle is the development of generally accepted procedures and tactics. Industry best practices tackle the thorny issues that require a broad, consensus approach to problem solving. They incorporate the industry’s collective wisdom on avoiding common mistakes and how to provide a better online experience for users. Best practices are guidelines freely offered by the industry to be voluntarily applied within a relevant organization’s strategic and technical framework.
The question any enterprise or business should be asking is not if it should implement anti-abuse best practices. Given the enormous cost and risk associated with spam and bots, the question is why would an organization not make adopting best practices a priority? Many of these practices cost next to nothing to implement, in many cases just requiring simple configuration changes or minor modifications to working practices.
Best Practices Illuminate Industry’s Shared Knowledge
Industry associations like MAAWG bring together representatives from all perspectives to work out solutions to common problems. As a result, the best practices developed through MAAWG tend to be more balanced rather than advancing a specific company’s or business sector’s interests. For example, many of the bulk senders in MAAWG worked closely with our network operator members to understand all sides of the issues when developing the MAAWG best practices for email marketers. Likewise, ISPs talked with abuse desk professionals in developing the best practices for notifying users when they have a bot on their computer and in addressing other issues related to remediation of infected machines, which often are placed in walled gardens.
Best practices also help to clarify the processes and technological strategies proven to be most effective in combating abuse. They often spell out common steps abuse and IT managers can take to better serve end users. MAAWG recently issued the first best practices aimed at providers of Web messaging systems. Among the recommendations were several well-known tactics that might otherwise be undervalued by Web messaging developers, such as auditing user account metrics and requiring registration before users can post or send messages.
The outcome of the effort within organizations like MAAWG to develop best practices is that smaller enterprises or regional operators have access to the broader and more varied experience of larger companies. These larger operations, with access to more resources and higher R&D budgets to invest in anti-abuse strategies, willingly share their knowledge and expertise to help advance the industry.
The only way to take down zombies, bots and spam is through this type of socially responsible action. By working together to protect the Internet and users’ online experience, we all profit. To that end, we have all been deputized in the Internet posse.
About Michael O’Reirdan
Michael O’Reirdan is serving his third term as chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. Professionally, O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and academic institutions and is active in other industry organizations.
- IT Security
- Internet Privacy
- Messaging Security
- Email Security
- Mobile Security
- Internet Security
- Cloud Security
- Information Security
- Internet Privacy
- Privacy Protection
- Email Encryption
- Data Breach Protection
- Spam Filtering
- Virus Protection
- Botnet Detection
- Internet Worm Protection
- Social Business
- Managed IT Services
- Mobile Devices
- Disaster Management
- 1 of 277