We're All Sheriffs in the Land of the Walking Dead: The Botnet Fight

Stephanie Jordan — Mon, 22 Nov 2010 18:36:26 +0000

“Wake up!” Or so one might want to shout at those enterprise network operators and IT managers who consistently act as if their operations were islands unto themselves. These are the mavericks that ignore industry best practices and go their own way, believing their networks immune to zombies or bot infections, and who disregard the lessons learned by their peers.

The sad reality is that we all suffer once zombies or bots find their way onto these susceptible networks or Web sites. The bot-delivered malware that ends up surreptitiously installed on users’ computers is a finely tuned parasite, capable of stealing valuable informational assets such as personal identity records or credit card numbers. The bot then turns the computer into an efficient spam machine, sending abusive email just under the network operator’s radar and often launching highly-targeted phishing expeditions—all without the computer owner’s permission or knowledge. Enterprises and their banking operations are being precisely targeted by malware such as Zeus and SpyEye, which is designed and, is very successful, in compromising banking credentials, thereby gaining access to corporate bank accounts and stealing millions of dollars.

Spam from bot-infected computers clogs the Internet and is often loaded with malicious code aimed at other unsuspecting users. According to metrics aggregated by the Messaging Anti-Abuse Working Group (MAAWG), almost 90 percent of all email traffic on the Internet is abusive. Together with social engineering and compromised Web sites, spam is one of the most important ways to get end-user machines compromised with malware.

Beyond the personal and business setbacks it spawns, abusive messaging also has become a huge budgetary drain. Ferris Research, Inc. estimated that spam cost the U.S. $42 billion in 2009. This is just slightly less than the $40 billion that globalissues.org calculates it would cost to provide universal access to basic social services in all developing countries. Ferris puts the worldwide outlay for spam last year at more than three times this amount, around $130 billion globally.

Given the scope of the problem, no one entity alone can stop bots or the resulting spam they generate. Creating a safe online environment is the responsibility of all of us who have an interest in the free exchange of information. This includes network operators and email providers, industry vendors, corporate networks, small business users, and yes, even end-users. We all have a role to play in protecting the Internet.

Taking a Stand

The first priority for end-users is to learn good computing habits and to understand the dangers inherent in spam. Half of the email users in North America and Western Europe opened or accessed spam last year, according to the 2010 MAAWG Email Security Awareness and Usage Survey. Tens of millions clicked on links or opened attachments that could leave their computers vulnerable to a bot. As long as users continue to interact with spam, and as long as spam remains a profitable commerce model, the cybercriminals will be open for business.

In some respects, battling spam and cybercrime is a never-ending arms race. As soon as the industry identifies a bot or a cleverly devised phishing scheme, the cybercriminals quickly morph the code or change their mode of operation, making the malware more difficult to detect. We have to remember that in the time of open source and Internet standards, the tools available to the good guys are just as easily used by the bad guys too.

Yet, there are definite remedies in sight. From the industry’s perspective, one of the best weapons in this battle is the development of generally accepted procedures and tactics. Industry best practices tackle the thorny issues that require a broad, consensus approach to problem solving. They incorporate the industry’s collective wisdom on avoiding common mistakes and how to provide a better online experience for users. Best practices are guidelines freely offered by the industry to be voluntarily applied within a relevant organization’s strategic and technical framework.

The question any enterprise or business should be asking is not if it should implement anti-abuse best practices. Given the enormous cost and risk associated with spam and bots, the question is why would an organization not make adopting best practices a priority? Many of these practices cost next to nothing to implement, in many cases just requiring simple configuration changes or minor modifications to working practices.

Best Practices Illuminate Industry’s Shared Knowledge

Industry associations like MAAWG bring together representatives from all perspectives to work out solutions to common problems. As a result, the best practices developed through MAAWG tend to be more balanced rather than advancing a specific company’s or business sector’s interests. For example, many of the bulk senders in MAAWG worked closely with our network operator members to understand all sides of the issues when developing the MAAWG best practices for email marketers. Likewise, ISPs talked with abuse desk professionals in developing the best practices for notifying users when they have a bot on their computer and in addressing other issues related to remediation of infected machines, which often are placed in walled gardens.

Best practices also help to clarify the processes and technological strategies proven to be most effective in combating abuse. They often spell out common steps abuse and IT managers can take to better serve end users. MAAWG recently issued the first best practices aimed at providers of Web messaging systems. Among the recommendations were several well-known tactics that might otherwise be undervalued by Web messaging developers, such as auditing user account metrics and requiring registration before users can post or send messages.

The outcome of the effort within organizations like MAAWG to develop best practices is that smaller enterprises or regional operators have access to the broader and more varied experience of larger companies. These larger operations, with access to more resources and higher R&D budgets to invest in anti-abuse strategies, willingly share their knowledge and expertise to help advance the industry.

The only way to take down zombies, bots and spam is through this type of socially responsible action. By working together to protect the Internet and users’ online experience, we all profit. To that end, we have all been deputized in the Internet posse.

—

About Michael O’Reirdan

Michael O’Reirdan is serving his third term as chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. Professionally, O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and academic institutions and is active in other industry organizations.

What Can Users Do to Protect Themselves from Bots?

Stephanie Jordan — Fri, 18 Dec 2009 00:07:34 +0000

Every day there are news stories about bots and all the harm they cause. Bots are pieces of software, often called malware, which criminals surreptitiously install on computers to inflict harm, such as sending spam, stealing financial information or conducting DDOS attacks against other computers. Corporate PCs are tempting targets as they often have access to confidential company information. Recent cases of infected corporate PCs have been in the news with tales of large sums of money stolen from corporate bank accounts.

Your first line of defense against bots is having a basic foundation in place by making sure your operating system is current and secure. Known as patching the operating system, both Microsoft and Apple offer the capability to set your system options to automatically update the operating system to protect against recently discovered security issues. If the operating system is not updated with the latest patches, it will be susceptible to well publicized vulnerabilities.

Having patched the operating system, the next thing is to make sure that up-to-date anti-virus, anti-spyware and firewall packages are installed on the computer. This is more relevant to Windows-based machines, although the incidence of bots on Apple machines is slowly increasing as the market share increases. Bots are created with ROI in mind, and until recently, the best ROI has been to target the largest installed base of machines, which are those running Windows.

The anti-virus package also should be set to update itself regularly. The criminals who create bots habitually update their malware to evade anti-virus software, so in turn, the anti-virus package needs to be regularly updated with the newest defenses. In larger corporate environments, there may be a firewall or Web gateway as a first line of defense against malware, but this does not obviate the need for defending individual machines.

More insidious is the stealthy attack mounted against a company using social engineering techniques. Someone pretending to be an employee might ring a call center and ask for a password to be reset so they can access the corporate system. Alternatively, someone might leave a couple of USB keys lying around that have files with interesting names like “Q4 pay raises” on them. Once opened, these files will install malware on the machine and perhaps allow access to a company’s internal network. A brilliant yet simple social engineering campaign involved flyers with a URL referenced on them that were posted on the windshields of parked cars. Once accessed, the Web site infected vulnerable unpatched machines, allowing the attackers access.

Finally, do not overlook remote workers. They often use their own machines which may not be up to corporate security standards. Between 10 percent and 25 percent of all machines on broadband residential networks are infected with bots. If a remote machine is going to access the corporate network, either strictly limit access or ensure the machine is protected properly, as described above. Many remote workers also use wireless networks at home and these should be protected using encryption techniques such as WPA2.

—

Michael O’Reirdan is serving his second term as Chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. He also leads the organization’s Internet Service Providers Closed Colloquium, a MAAWG committee of international network operators. Professionally, Mr. O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and is active in other industry organizations.

Michael O’Reirdan -- Chairman; Messaging Anti-Abuse Working Group (MAAWG)

We're All Sheriffs in the Land of the Walking Dead: The Botnet Fight

Taking a Stand

Best Practices Illuminate Industry’s Shared Knowledge

About Michael O’Reirdan

What Can Users Do to Protect Themselves from Bots?