Seen the spammer, and he is us

04/10/2008 21:10

Ever wonder where that spam comes from? It could be coming from you…

Many computers that become compromised with malicious software (also called malware: viruses, worms, spyware, etc.) are not being infected in a way that most people would think. Their hard drives remain intact, they aren’t plagued with popup ads, and their email contacts remain pristine. Instead, their computers become “zombies”: unwitting accomplices to high crimes and misdemeanors.

This malware installs a “bot” program (short for robot), allowing the computer to be remotely controlled across the internet. A group of computers controlled by a single person or group is known as a “botnet”, and the controller is call a “botnet herder” or “bot herder”. These networks can become enormous. The largest at the moment is called “Srizbi” and boasts over 315,000 bots with which it can send out and astounding 60,000,000,000¹ spam messages a day or can swamp a website with so much traffic that it’s unusable (known as a Distributed Denial of Service (DDoS) attack).

These botnets are big business; mafia type business. They cost next to nothing to run, and they sell their services to the highest bidder to send out spam (which can contain other malware) and attacked specified websites. Recently, they have even begun getting into the extortion racket by sending messages to website administrators to pay up or else.

How the bots are installed is not a mystery. The vast majority of bots are installed through well known, and fixed, vulnerabilities in common software. It may be a problem with Windows, or Adobe Acrobat Reader, WinZip or even Apple’s QuickTime. All software has issues that were unforeseen by the original programmers, and must be kept up to date to function properly. Most reputable software companies offer a means of patching their software to fix these issues, but many vendors require these patches be manually downloaded and installed.

In a managed network environment, this is task is usually handled by the Information Technology (IT) or Information Systems (IS) department. Long having recognized this issue, this task is largely automated and happens behind the scenes. Large software vendors such as Microsoft and Adobe have built in mechanisms for updating their software, and there are numerous means of pushing out patches and updates to managed computers.

Because managed systems are typically fairly up to date with patches, it’s the small office and home computers that have become the focus of this infestation. The combination of non-technical users, no dedicated IT staff, and always on high speed internet connections makes them a prime target. And most of the time, the users are unaware that they are infected and that they are a threat to others on the internet.

While law enforcement and major software vendors seem to be making headway against this threat, it’s just too lucrative with too little risk not to flare up somewhere else. The FBI and the police in New Zealand (https://news.bbc.co.uk/2/hi/technology/7120251.stm) recently arrested an 18 year old bot herder, and Microsoft’s Malicious Software Removal tool, which runs with Windows Update (turned on by default), can detect and remove many of the bots.

For the first time, there is serious discussion about turning off internet access for computers that are not properly patched, for the public good¹. Think of it as quarantining anyone who could get a disease. This places the responsibility squarely on the shoulders of the small office and home users to have a minimum level of skill and knowledge necessary to operate their computer safely on the internet.

Although this type of solution has always been bandied about as a half joking ultimate weapon against malware, it shows the level of frustration that the technical community is having with the increasingly non-technical internet community. The degree to which a technology becomes more user friendly, reliable, and inexpensive is inversely related to the level of technical knowledge necessary to safely operate it.

This democratization of the internet is a good thing, and it is not unique in the evolution of a technology. I can’t help but wonder if this frustration was felt by early drivers when the automobile became user friendly, reliable, and inexpensive enough for the masses. Suddenly anyone, regardless of their knowledge of the inner workings of the engine and understand of the rules of the road, could jump behind the wheel. Eventually, driving requirements were enforced to verify that drivers had the minimum of skill and knowledge necessary to operate a motor vehicle safely on the roads. Hmm…

That being said, it is extremely doubtful that this particular solution would, or could, be implemented on the internet as a whole. Large organizations are able to enforce this type of compliance, known as NAC (Network Access Control) because they own and control the network, the hardware, and the software. So if an organization chooses to force computers to run Application A with at least Patch 3, and to turn off or redirect access for computers with Application A with Patch 1, they have every right to do so; it’s their property. However, with the internet as a whole, the ISPs do not own the hardware and software: you do. The ISPs only own the network after it leaves your home or office.

Aside from the legal considerations, this would simply be too expensive for the ISPs to implement. Even if they just wanted to implement enforcement of anti-malware software, just think of the number of different vendors and versions they would have to keep up with, not to mention the infrastructure necessary to scan all connecting computers.

What would be possible would be to block offending computers, ones that have already been infected and are busy spamming the world. Centralized anti-spam services such as Spamhaus or Postini already perform a similar service with email. They list the IP address of known spammers so an email server knows which connections to block. While far from a perfect solution, it does allow servers to reject billions of spam messages a day keep the level of spam semi-manageable. Blocking the computers at the source would not only cut off these botnets at the knees, but alert the users that there is a problem that needs fixing.

To avoid the policing of the internet, home and small office users need to follow some general best practices:

• Firewall: Install firewalls (not a routers) that at least do “stateful packet inspection”. On a network (multiple computer sharing an internet connection), have a dedicated device or server between the computers and the internet. On the computers, run a software firewall program such as one provided by the operating system or one provided by your anti-malware vendor.
• Anti-malware software: run current versions of reputable anti-malware software
• Anti-malware definitions: make sure your anti-malware software is updated with the latest virus, adware, and spyware definitions
• Update all software regularly. Turn on automatic operating system updates, and check your office suite vendor’s website regularly for patches. Put a reminder on your calendar to check on your other programs regularly
• If you don’t need it, don’t install it. Then you don't have worry about updating it
• Follow safe browsing practices
• Follow safe communications practices (email, IM, social sites, etc.)

-J-

¹   https://www.networkworld.com/news/2008/040908-rsa-as-storm-fades-botnet.html?fsrc=rss-security