‘Digital Vaccine’ Needed To Beat Botnets

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

A government-backed vaccination scheme is needed to tackle the huge number of infected PCs, say researchers

Dutch researchers have called for a Government-backed digital vaccination program to disinfect the large numbers of PCs that have been inadvertently hijacked by botnets.

As well as governments, ISPs are also key to gaining control of infected machines which are under the control of cyber criminals, according to a working paper for the OECD Directorate for Science, Technology and Industry, written by academics from the Delft University of Technology in Holland, along with one researcher from Michigan State University in the United States.

Spam Trap

Botnets (i.e. networks of machines infected with malicious software) are a critical security threat which must be addressed, said the paper, warning that measures aimed only at end users are not working: “Measures that directly address the end users who own the infected machines are useful, but have proven insufficient to reduce the overall problem.”

The researchers gathered data on the location of infected machines by studying spam traffic, using a “spam trap.” This spam trap collected more than 109 billion junk mail messages between 2005 and 2009, and researchers were then able to analyse the resulting pool of 170 million unique IP addresses.

The paper found that around 80 – 90 percent of all spam is issued by infected machines, and said that its findings “lend direct and indirect support to the view that ISPs are important potential control points.”

This is because the researchers discovered that “networks of just 50 ISPs account for around half of all infected machines worldwide.”
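As an added illustration of the method described above (not code from the paper or from this article): reduce spam-trap traffic to unique sending IPs, attribute each IP to a network, and measure how few networks hold half of the infected hosts. The prefix table, AS names and log lines are constructed for the example.

```python
"""Constructed example: how concentrated spam-sending (likely bot-infected)
hosts are across networks, mirroring the paper's ranking of ISPs by share."""
import ipaddress
from collections import Counter

# Constructed prefix-to-network table (hypothetical ASNs, documentation ranges).
PREFIX_TABLE = {
    "203.0.113.0/24": "AS64500 ExampleISP-A",
    "198.51.100.0/24": "AS64501 ExampleISP-B",
    "192.0.2.0/25": "AS64502 ExampleISP-C",
    "192.0.2.128/25": "AS64503 ExampleISP-D",
}
NETWORKS = [(ipaddress.ip_network(p), name) for p, name in PREFIX_TABLE.items()]

# Constructed spam-trap log lines: "<timestamp> <source_ip>".
# A repeated IP is one bot sending many messages, so volume != infections.
SPAM_LOG = """\
2009-03-01T00:00:01 203.0.113.5
2009-03-01T00:00:02 203.0.113.5
2009-03-01T00:00:03 203.0.113.9
2009-03-01T00:00:04 198.51.100.7
2009-03-01T00:00:05 192.0.2.20
2009-03-01T00:00:06 203.0.113.44
2009-03-01T00:00:07 192.0.2.200
2009-03-01T00:00:08 198.51.100.7
"""

def unique_sources(log: str) -> set:
    """Collapse raw spam volume to the set of unique sending IPs."""
    return {line.split()[1] for line in log.splitlines() if line.strip()}

def network_of(ip: str) -> str:
    """Longest-prefix match of an IP against the constructed table."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for net, name in NETWORKS if addr in net]
    return max(matches)[1] if matches else "unattributed"

def infected_per_network(log: str) -> Counter:
    """Count unique infected IPs per network, the per-ISP metric of the study."""
    return Counter(network_of(ip) for ip in unique_sources(log))

def networks_for_share(counts: Counter, share: float = 0.5) -> int:
    """Number of largest networks needed to cover `share` of all infected IPs."""
    total = sum(counts.values())
    covered = 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / total >= share:
            return n
    return len(counts)
```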

ISPs Are The Key

“This is remarkable, in light of the tens of thousands of entities that can be attributed to the class of ISPs,” said the paper. “The bulk of the infected machines are not located in the networks of obscure or rogue ISPs, but in those of established, well-known ISPs. Not only do the legitimate ISPs harbour a large share of all infected machines, they also vary widely in their performance, which suggests that some have adopted more effective practices than others, even when operating under similar market and regulatory conditions.”

These ISPs are geographically located across the world. The research also warned that the numbers of botnets in the wider OECD area are more or less stable, but in other countries “they are increasingly recruiting infected machines into the overall population of botnets.”

And it seems that even good ISPs are “likely tackling only a fraction of the bots.” The research also found that large ISPs have, on average, fewer infected machines per customer than smaller ISPs.

So What To Do?

The research found that Governmental efforts do actually seem to help reduce infection rates at ISPs, leading the researchers to advise that there are two principal options for policy intervention.

The first is to design measures that change the institutional and legal framework in which ISPs operate (e.g. measures supporting national and international law enforcement). The second option is to specifically target individual actors in the ICT system (e.g. end users, ISPs, software vendors, cybercriminals). Microsoft for example was successful earlier this year in closing 276 domains controlled by the Waledac botnet.

“These two options can also be combined in hybrid models, for instance public private partnerships in which both legal and corporate measures are pursued,” said the researchers in the paper.

Central Aid Required

Professor Michel Van Eeten from the Delft University of Technology, who led the OECD-backed research, told the BBC that what was clear from the research was that ISPs were not going to be able to clean up the large numbers of infected machines without some kind of central aid.

He said that in Holland, ISPs have dramatically increased their efforts but are still only cleaning up about 10 percent of infected machines. He pointed out to the BBC that at the moment, two bottlenecks are preventing ISPs from doing more to clean up machines.

The first, he said, was the lack of comprehensive data about the numbers and location of infected machines.

“The second bottleneck is that it costs money to notify customers and get them to clean up their machine,” he said, because experts are usually required to do this.

He pointed out that countries such as South Korea and Germany have set up publicly funded national call centres to which ISPs can refer infected customers where they can get advice about disinfecting their machine.

“Governments can be very helpful,” said Professor Van Eeten, who said that the numbers and prevalence of botnets suggest we should perhaps see them as the modern-day equivalent of the epidemics that struck in Victorian times, which prompted the creation of government-backed vaccination schemes.

A similar system delivering a digital vaccine might again be part of the solution, he told the BBC.