The battle against groups of hacked computers known as botnets is suffering from a lack of coordination, resulting in a cybercrime industry worth more than US$10 billion worldwide annually, according to a report from a European Union security agency.
Although many researchers, security companies and governments are actively investigating botnets, there are still deficiencies in international cooperation, national laws and information sharing that have allowed botnet controllers to build robust networks, according to the report from the European Network and Information Security Agency.
“A shift in the motivation for the creation of malicious software has led to a financially oriented underground economy of criminals acting in cyberspace,” wrote ENISA, which studies European information security issues.
Computers become infected with botnet code via software vulnerabilities or other methods of attack, such as malicious e-mail attachments. Once a machine is infected, it can then be used without its owner’s knowledge for spamming, distributed denial-of-service attacks or other nefarious purposes.
The code used to infected the machines is often very robust, escaping detection from antivirus software. Those who control the herds of machines use many methods to stay anonymous, making it harder for security analysts and law enforcement to trace, although not impossible.
ENISA recommends providing incentives for key players who can intervene, such as ISPs. In Germany, a government-funded program helps ISPs put in place technology to identify subscribers whose computers appear to be infected and to take steps to clean them, said Giles Hogben, an expert program manager for security applications and service for ENISA.
“In the end, it’s not just your machine that suffers,” Hogben said. “You have a kind of social responsibility to keep your computer clean because it affects other people as well.”
The ISP business is typically low margin, so many have not spent the money on systems to remediate infected computers.
ENISA is also advocating more uniform cybercrime laws, which benefit nations seeking to cooperate and hand over cases to other jurisdictions. The only international treaty covering cybercrime is the 2001 Convention on Cybercrime, which is gradually gaining more ratification. The treaty requires changes to national laws and offers guidance on how nations can conform.
Those running botnets have been prosecuted, but that has been far from a consistent deterrent. “It’s a typical researchers versus bad guys battle,” Hogben said. “You have to make it more scary for the bad guys so they are really more likely to get prosecuted.”
The scale of the botnet problem has also been difficult to quantify due to the security industry’s tendency to under and overestimate the number of infected machines, with media typically defaulting to the larger estimates. Counting IP (Internet Protocol) addresses is not necessarily accurate due to dynamic IP address assignment.
Whether a botnet is small or large doesn’t necessarily dictate its effectiveness. A fairly small botnet can exact an effective attack. The attack executed against Visa by the group Anonymous earlier this year involved less than 1,000 computers, according to one estimate, Hogben said.
“Size isn’t everything,” Hogben said. “Even if you did know the number, it wouldn’t tell you much.”
Send news tips and comments to jeremy_kirk@idg.com