Botnets

Yesterday, the Washington Post reported on the FBI’s “Operation Bot Roast,” which busted several criminal users of botnets: _James C. Brewer, of Arlington, Texas. He was indicted Tuesday on charges of infecting more than 10,000 computers globally, including two Chicago-area hospitals operated by the Bureau of Health Services in Cook County, Ill. The computers at the two hospitals were linked to the health care bureau’s mainframe system. They repeatedly froze or rebooted from October to December last year, resulting in delayed medical services, according to the indictment. Brewer was released on a $4,500 bond, court records show. ...

My two-part appearance on “The Security Catalyst” podcast last year has resulted in some media coverage of botnets this week at IT World Canada. The article, “The botnet menace–and what you can do about it,” by Joaquim P. Menezes, is more detailed than most media coverage of bots has been. He draws on both my Security Catalyst interview and my colleague Bob Hagen’s blog post on bots.

Bob Hagen has put up a post on the evolution of botnets at the Global Crossing blog. (BTW, I’m hoping to have future opportunity to use titles like “Where the bots are”, “The bots from Brazil”, and “The bots of summer”.) UPDATE (August 27, 2009): I’ve replaced the above link with one to the Internet Archive, since the blog post is no longer present at its original location.

Gadi Evron has now suggested, following Paul Vixie, that it’s a waste of time to fight botnets by shutting down botnet controllers. Here’s what I wrote to some colleagues when I read Vixie’s statement that stomping out botnets is not only a waste of time, but counter-productive because it causes botherders to change their behavior and find new malicious techniques: 1. If you don’t stomp them they are still going to develop new ways of doing things as a result of internal competition. It may happen more slowly, but it will still happen. There’s no getting around an arms race. Even taking his analogy seriously, he wouldn’t recommend that we stop using antibiotics. 2. Waiting on law enforcement to start effectively prosecuting will take a long time, and I don’t think I’ll be happy with what it will take for them to do it (I’m already unhappy with the new CALEA draft bill that’s circulating). Criminal prosecution will likely never target more than a minority of offenders–mostly the high-profile cases. 3. Taking action raises their costs, which applies more broadly the same economic effect as prosecution does in a narrower and stronger manner. Again, if we take the antibiotic analogy seriously, a diversity of approaches is better than relying on a single approach. 4. Our experience seems to indicate a drop in botnet controller activity when we hit them consistently. If the bulk of miscreants follow the path of least resistance, putting up a fight will tend to push them to environs where people aren’t putting up a fight.Shutting down botnet controllers does have positive effects–and it’s much quicker and reliable than law enforcement prosecution. I think a diversity of defensive actions is important, and we need to continue developing more of them–as I said above, it is a continuing arms race. Richard Bejtlich has also commented on this subject at his TaoSecurity blog, and there’s some good discussion in the comments. David Bianco has offered a suggestion at the InfoSecPotpourri blog. Bianco’s suggestion is to modify the botnet C&C traffic, which in order to be most effective would have to occur at either large consumer ISPs (where 99+% of the bots are located) or at a small number of high-volume, low-cost webhosting companies (where 75+% of the botnet controllers are located). There are a number of approaches that are being developed, which I won’t describe in any detail here, but I agree that new approaches need to go more strongly after the bots themselves rather than just the botnet controllers. Those approaches need to use Netflow, and they need to use DNS. We also need to provide incentives for consumers with old, unpatched, vulnerable systems to protect themselves and to be protected by their ISPs–that’s where the biggest bang for the buck will occur.

While thinking about Jonathan Adler’s presentation at the Skeptics Society conference, it occurred to me that the problem of botnets is, in effect, a tragedy of the commons. The private personal computers of consumers which are connected full-time to the Internet and are not kept up-to-date on patches have, in effect, become a commons to be exploited by the botherders. The owners of the computers are generally not aware of what’s going on, as the bots generally try to minimize obtrusiveness in order to continue to operate. The actual damages to each individual are typically quite small (with some notable exceptions–botherders can steal and make use of any data on the machine, including personal identity information and confidential documents), and the individual consumer doesn’t have sufficient incentive to prevent the problem (say, by spending additional money on security software or taking the time to maintain the system). Similarly, the typical entry-level casual blogger may not have incentives to keep their blogs free of spam comments. Neither, for that matter, does commons-advocate Larry Lessig, whose blog’s comments are full of spam, making them less useful than they otherwise would be–I think this is an amusing irony about Lessig’s position in his book Code. He argues that we need to have some subsidized public space on the Internet, but it seems to me private companies have already created it largely without public subsidy, and I think Declan McCullagh has the better case in his exchange with Lessig. (By contrast, Blogger does have incentive to prevent spam blogs, which consume large amounts of its resources and make its service less useful–and so it takes sometimes heavy-handed automated actions to try to shut it down.) Bruce Schneier has argued that the right way to resolve this particular problem is by setting liability rules to shift incentives to players who can address the issue–e.g., software companies, ISPs, and banks (for phishing, but see this rebuttal). I agree with Schneier on this general point and with the broader point that economics has a lot to teach information security.

This post is an index to posts at The Lippard Blog on the subject of information security. This is probably not a complete list; I’ve tended to exclude posts labeled “security” that don’t specifically touch on information security and may have over-excluded. “Richard Bejtlich reviews Extreme Exploits” (August 16, 2005) Link to Richard Bejtlich review of Extreme Exploits, a book I was the technical editor on. “Sony’s DRM–not much different from criminal hacking” (November 2, 2005) Summary and link to Mark Russinovich’s exposure of the Sony rootkit DRM. “Defending Against Botnets” (November 3, 2005) Link to my presentation on this subject at Arizona State University. “Sony DRM class action lawsuits” (November 10, 2005) Comment on the Sony rootkit class action lawsuits. “Another Botnet Talk” (December 11, 2005) Comment on my December botnet talk for Phoenix InfraGard, with links to past botnet presentations. “Major flaw in Diebold voting machines” (December 23, 2005) A flaw that allows preloading votes on a memory card for Diebold voting machines in an undetectible way. “The Windows Meta File (WMF) exploit” (January 3, 2006) Description of an at-the-time unresolved Windows vulnerability. “New Internet consumer protection tool–SiteAdvisor.com” (January 25, 2006) Report on SiteAdvisor.com tool (now a McAfee product). “Pushing Spyware through Search” (January 28, 2006) Ben Edelman’s work on how Google is connected to spyware by accepting paid advertising from companies that distribute it. “Database error causes unbalanced budget” (February 17, 2006) How a house in Indiana was incorrectly valued at $400 million due to a single-keystroke error, leading to wrongly increased budgets and distribution of funds on the expectation of property tax revenue. “The Security Catalyst podcast” (February 18, 2006) Announcement of Michael Santarcangelo’s security podcast. “Controversial hacker publishes cover story in Skeptical Inquirer” (February 19, 2006) Critique of Carolyn Meinel’s article about information warfare. “Even more serious Diebold voting machine flaws” (May 14, 2006) Hurst report on new major flaws found in Diebold voting machines. “Botnet interview on the Security Catalyst podcast” (May 23, 2006) Link to part I of my interview on botnets with Michael Santarcangelo. “Part II of Botnets Interview” (June 4, 2006) Link to part II of my botnets interview. "‘Banner farms’ and spyware" (June 12, 2006) Ben Edelman’s exposure of Hula Direct’s “banner farms” used to deliver ads via spyware. “When private property becomes the commons” (June 12, 2006) Consumer PCs as Internet “commons,” economics and information security. “Network security panel in Boston area” (June 12, 2006) Announcement of a public speaking gig. “Identity Crisis: How Identification is Overused and Misunderstood” (July 6, 2006) Quotation from Tim Lee review of book by Jim Harper with this title. “9th Circuit approves random warrantless searches and seizures of laptops” (July 28, 2006) Bad decision granting border police the right to perform full forensic examination of the hard drives of laptops carried by people wanting to cross the U.S. border. “Is it worth shutting down botnet controllers?" (August 18, 2006) A response to remarks by Gadi Evron and Paul Vixie that it is no longer worth shutting down botnet controllers. “The ineffectiveness of TRUSTe” (September 29, 2006) A larger proportion of sites with TRUSTe certification are marked as untrustworthy in SiteAdvisor’s database than of those that don’t have TRUSTe certification. “The U.S. no-fly list is a joke” (October 5, 2006) The no-fly list has major flaws, listing people who aren’t a threat and not listing people who are–and presuming that terrorists will be identifiable by their names. “How planespotting uncovered CIA torture flights” (October 20, 2006) How an unusual hobby allowed for traffic analysis to uncover CIA torture flights. “Point out the obvious, get raided by the FBI” (October 29, 2006) Chris Soghoian gets raided by the FBI after putting up a web page that allows generation of Northwest Airlines boarding passes. “Electronic voting machines in Florida having problems in early voting” (October 31, 2006) A report on voting machines registering votes for the wrong candidate due to touch screen calibration issues. “The Two Faces of Diebold” (November 5, 2006) The difference between the public and private versions of SAIC’s report on Diebold voting machine vulnerabilities. “FBI eavesdropping via cell phones and OnStar” (December 4, 2006) Reports of vulnerabilities in newer cell phones that allow them to be used as listening devices even when powered off. “Time to Stop Using Microsoft Word” (December 7, 2006) New unpatched malicious code execution vulnerability in most versions of Word. “Staffer for Congressman tries to hire hacker to change grades” (December 22, 2006) Todd Shriber’s failed attempt to retroactively improve his college career. “My bank is on the ball” (January 6, 2007) My bank prevents theft of my money. “Skeptical information and security information links” (January 23, 2007) Promotion of my security links and skeptical links sites. “Schoolteacher convicted on bogus charges due to malware” (February 4, 2007) Connecticut teacher Julie Amero successfully prosecuted for showing porn to kids, when in fact it was the result of malware on a machine the school district refused to pay for antivirus software on. “McCain proposes an unfunded mandate for ISPs” (February 7, 2007) McCain sponsors a bill to force ISPs to scan all traffic for and report child porn images they find. “Warner Music: We’d rather go out of business than give customers what they want” (February 9, 2007) Warner Music says no way to DRM-free music. “The economics of information security” (February 13, 2007) Ross Anderson and Tyler Moore paper on the economics of infosec. “How IPv6 is already creating security problems” (February 19, 2007) Apple AirPort allows bypass of firewall rules via IPv6. “Windows, Mac, and BSD Security” (March 8, 2007) Amusing video parody comparing the OSes. “Bob Hagen on botnet evolution” (March 9, 2007) My former colleague on trends in botnets. “The rsync.net warrant canary” (March 25, 2007) How rsync.net will communicate whether it receives a National Security Letter without breaking the law. “FBI focus on counterterrorism leads to increase in unprosecuted fraud and identity theft” (April 11, 2007) The law of unintended consequences strikes again. “Banning the distribution of AACS keys is futile” (May 3, 2007) You can’t stop the communication of a 128-bit number as though it’s proprietary. “CALEA compliance day” (May 14, 2007) Commemoration of the day that VoIP providers have to be CALEA-compliant. “Spying on the homefront” (May 14, 2007) PBS Frontline on FBI misuse of National Security Letters and NSA eavesdropping. “The bots of summer” (June 6, 2007) Report on some media coverage of my botnet interview with the Security Catalyst from 2006. “Microsoft’s new Turing Test” (June 12, 2007) It’s not often I get to combine animal rescue and information security topics, but this is one–using animal pictures to authenticate. “Operation Bot Roast” (June 14, 2007) FBI prosecution of some botnet people. “Google thinks I’m malware” (July 13, 2007) Google stops returning results to me in some cases because my behavior looks like malware activity. “Asking printer manufacturers to stop spying results in Secret Service visit?" (July 14, 2007) MIT Media Lab project to get people to complain to printer manufacturers about their secret coding of serial numbers, which got one person a visit from the USSS. “A marketplace for software vulnerabilities” (July 29, 2007) WabiSabiLabi’s abortive attempt to create a market for the sale and purchase of vulnerability information. “Another Sony rootkit” (September 5, 2007) F-Secure finds another Sony product that installs a rootkit–the Sony MicroVault USM-F memory stick (now off the market). “Anti-P2P company suffers major security breach” (September 16, 2007) Media Defender gets hacked. “Microsoft updates Windows XP and Vista without user permission or notification” (September 17, 2007) Nine executables get pushed to everybody even if Windows update is turned off–except for corporate SMS users. “Lessons for information security from Multics” (September 19, 2007) Paul Karger and Roger Schell’s paper on Multics gets attention from Bruce Schneier. “Hacker finds vulnerability in Adobe Reader” (September 24, 2007) The era of attacks on applications rather than OS’s gets a boost. “Break-in at CI Host colo facility” (November 4, 2007) The role of physical security for websites. “Spammers and criminals for Ron Paul” (November 6, 2007) Botnets used to send spam promoting Ron Paul. “Macintosh security lags behind Windows and BSD” (November 8, 2007) Rundown on new Mac security features, some of which are negative in effect. “Multics source code released” (November 13, 2007) Multics becomes open source. “Untraceable looks unwatchable” (December 18, 2007) A post that generated a huge amount of response, about the Diane Lane movie that flopped at the box office, before it came out. “Notorious major spammer indicted” (January 3, 2008) Alan Ralsky may actually get what he deserves. “Boeing 787 potentially vulnerable to passenger software-based hijacking” (January 8, 2008) Passenger Internet access for the Boeing 787 is physically connected to the network for communication and navigation. "‘Anonymous’ launches ‘war’ against Scientology” (January 22, 2008) Denial of service attacks and other pranks against Scientology. “Tinfoil hat brigade generates fear about Infragard” (February 8, 2008) Response to Matt Rothschild’s article in The Progressive claiming that InfraGard members have the right to “shoot to kill” when martial law is declared. “FBI responds to ‘shoot to kill’ claims about InfraGard” (February 15, 2008) Commentary and link to the FBI’s response to Rothschild. “Malware in digital photo frames” (February 17, 2008) Viruses in unusual digital storage locations. “Canada busts 17 in botnet ring” (February 21, 2008) News about law enforcement action against criminals in Canada. “More InfraGard FUD and misinformation” (February 23, 2008) Response to Gary Barnett’s InfraGard article at the Future of Freedom Foundation website. “New Mexico InfraGard conference” (February 24, 2008) Summary of the New Mexico InfraGard’s “Dollar-Gard 2008” conference. “Pakistan takes out YouTube, gets taken out in return” (February 25, 2008) Yesterday’s events of political and/or religious censorship gone awry in Pakistan. “Jeremy Jaynes loses appeal on spamming case” (March 1, 2008) The Virginia Supreme Court upholds Virginia’s anti-spam law. “Software awards scam” (March 25, 2008) Many software download sites give out bogus awards. “Scammers scamming scammers” (April 7, 2008) Marco Cova looks at what some phishing kits really do. “Bad military botnet proposal” (May 13, 2008) A response to Col. Charles Williamson’s proposal to build a military botnet. “MediaDefender launches denial of service attack against Revision3” (May 29, 2008) Anti-P2P piracy firm crosses the line and attacks a legitimate company. “San Francisco’s city network held hostage” (July 19, 2008) Some actual facts behind the hyped charges against the city’s network administrator. “Did Diebold tamper with Georgia’s 2002 elections?" (July 20, 2008) Some troubling information about Diebold’s last-minute patching on Georgia election machines. “Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure” (August 1, 2008) Concerns about privacy in both China and the U.S. “Military botnets article” (August 28, 2008) Peter Buxbaum’s article on “Battling Botnets” in Military Information Technology magazine. “Virginia Supreme Court strikes down anti-spam law” (September 12, 2008) Julian Jaynes goes free as Virginia’s anti-spam law goes away. “Sarah Palin’s Yahoo account hacked” (September 17, 2008) Palin’s Yahoo account is hacked, and the contents published. “TSA airport security is a waste of time and money” (October 18, 2008) Link to Jeffrey Goldberg’s article in The Atlantic. “Behind the scenes during the election process” (November 6, 2008) Both major party presidential nominees suffered computer compromises. “White House may be forced to recover ’lost’ emails” (November 14, 2008) Lawsuit may require recovery from backups. “Criminal activity by air marshals” (November 14, 2008) Multiple cases. “PATRIOT Act NSL gag order unconstitutional” (December 19, 2008) Recipients of National Security Letters now can’t be gagged without court order. “The U.S. Nazi dirty bomb plot” (March 15, 2009) A little-covered story about a real terrorist plot. “The Cybersecurity Act of 2009” (April 4, 2009) It’s not as bad as it appears. “Tracking cyberspies through the web wilderness” (May 12, 2009) How University of Toronto researchers have tracked online spying activity. “Bad military botnet proposal still being pushed” (June 26, 2009) Col. Williamson’s proposal to build an offensive U.S. military botnet is still being promoted by him. “DHS still a mess, five years on” (July 16, 2009) Center for Public Integrity review of DHS. “How Twitter got compromised” (July 23, 2009) TechCrunch gives the anatomy of the attack on Twitter.

Part II of my interview on Michael Santarcangelo’s Security Catalyst podcast is now available. (Part I is here.)

I did an interview over the weekend with Michael Santarcangelo of the Security Catalyst about botnets. Part I of that interview is available now as a podcast (you can subscribe via Yahoo or iTunes). UPDATE: Part two is here.

I’m giving another talk tomorrow on botnets, this time for the Phoenix chapter of Infragard, the FBI-sponsored 501(c)(3) that is devoted to public sector/private sector partnerships to protect national infrastructures. While Infragard has primarily focused on information technology, they are broadening their focus to include things like agriculture and food distribution, energy production and transmission, chemical plants, etc. This is an update for those who attended my April 2004 Infragard talk, and includes new material that hasn’t been in any of my past botnet talks (for ASU, HTCIA, ATIC, FRnOG, and the Phoenix and Rochester, NY chapters of Infragard).

My presentation on “Defending Against Botnets” for ASU’s Computer Security Week is online in streaming video and MP3 audio formats. Unfortunately, the audience was quite small. ASU’s Polytechnic Campus is way out east of Phoenix, on the former Williams Air Force Base which ASU purchased and turned into its east campus. It doesn’t appear that it has a very large student population yet. I was amused that the streets are named after military figures. To get to the Student Union I drove on a street called Twining, named after General Nathan Twining. Twining is a name well-known to UFO enthusiasts, as his name was used on one of the forged “MJ-12” documents known as the Cutler-Twining memo, and also authored a genuine document that discusses UFOs (and is often misinterpreted by UFO advocates as claiming that crashed saucers have been recovered). My talk was followed by a talk on Wireless Security by Erik Graham of General Dynamics, which covered threats and defenses for 802.11 and Bluetooth.