Botnets are networks of ordinary computers silently hijacked by criminal organisations. They are the cybercriminal’s weapon of choice for serious attacks threatening Europe’s economy and the privacy of its citizens. These attacks include spam e-mails, extortion via denial-of-service, identity theft and exploitation for political motives.
How big is the threat?
Many numbers have been published regarding the threat posed by botnets, and especially their size in terms of infected machines. Most of these numbers are extrapolated from observations covering only a small fraction of the potential victims, and are obtained by counting unique IP addresses alone.
A good example of the inaccuracy of counting unique IP addresses alone is the work of Stone-Gross et al. on the Torpig botnet, who had the opportunity to evaluate a unique bot identifier used internally by the botnet against IP addresses. Their comparison over a 10-day period yielded a population of approximately 180,000 bots when using the identifier, while counting unique IP addresses resulted in more than 1,200,000 infected hosts, an error factor of nearly 7.
Furthermore, the size of a botnet alone is an inappropriate and very inaccurate measure for assessing the threat posed. For example, when considering distributed denial of service (DDoS) attacks, the actual number of hosts participating in many DDoS attacks is in the hundreds.
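The measurement problem described above can be made concrete with a small, constructed sinkhole-style log. The following Python is an added illustration, not code from the post or from the Torpig study: the records, the bot identifiers and the addresses (RFC 5737 documentation ranges) are all hypothetical, and "bot_id" stands in for the kind of stable per-machine identifier the Torpig analysis had access to. It computes the footprint both ways, shows why the two diverge (DHCP churn inflates the IP count, NAT deflates it), and also reports the peak number of machines active on any single day, which is the figure that matters for a single attack rather than the cumulative total.

```python
from collections import defaultdict

# Constructed observation log (hypothetical data, not from any real botnet).
# Each record is (day, bot_id, ip): one sighting of one machine on one day.
OBSERVATIONS = [
    # b01: a home PC on a DHCP line whose address changes every day
    (1, "b01", "192.0.2.10"),
    (2, "b01", "192.0.2.27"),
    (3, "b01", "192.0.2.45"),
    (4, "b01", "192.0.2.63"),
    (5, "b01", "192.0.2.81"),
    # b02: same kind of line, but it reconnects twice a day
    (1, "b02", "198.51.100.5"),
    (1, "b02", "198.51.100.9"),
    (2, "b02", "198.51.100.14"),
    (2, "b02", "198.51.100.21"),
    # b03 and b04: two machines behind one office NAT, sharing one address
    (1, "b03", "203.0.113.7"),
    (2, "b03", "203.0.113.7"),
    (1, "b04", "203.0.113.7"),
    (3, "b04", "203.0.113.7"),
    # b05: a static address, seen on three consecutive days
    (1, "b05", "192.0.2.200"),
    (2, "b05", "192.0.2.200"),
    (3, "b05", "192.0.2.200"),
]


def count_by_ip(records):
    """Footprint estimate built from unique IP addresses only."""
    return len({ip for _, _, ip in records})


def count_by_bot_id(records):
    """Footprint estimate built from the botnet's own per-machine identifier."""
    return len({bot for _, bot, _ in records})


def inflation_factor(records):
    """How far the IP-based count overstates the identifier-based count."""
    return count_by_ip(records) / count_by_bot_id(records)


def ips_per_bot(records):
    """Distinct addresses seen per machine; more than one means DHCP churn
    or mobility, each extra address becoming a phantom 'host' in IP counts."""
    seen = defaultdict(set)
    for _, bot, ip in records:
        seen[bot].add(ip)
    return {bot: len(ips) for bot, ips in seen.items()}


def bots_per_ip(records):
    """Distinct machines seen per address; more than one means NAT or a
    proxy, which makes IP counts undercount those machines."""
    seen = defaultdict(set)
    for _, bot, ip in records:
        seen[ip].add(bot)
    return {ip: len(bots) for ip, bots in seen.items()}


def peak_daily_population(records):
    """Largest number of distinct machines active on any single day. This is
    the population available for an attack at one moment, which is much
    smaller than the cumulative footprint over the whole observation window."""
    per_day = defaultdict(set)
    for day, bot, _ in records:
        per_day[day].add(bot)
    return max(len(bots) for bots in per_day.values())


if __name__ == "__main__":
    print(f"unique IPs:        {count_by_ip(OBSERVATIONS)}")
    print(f"unique bot IDs:    {count_by_bot_id(OBSERVATIONS)}")
    print(f"inflation factor:  {inflation_factor(OBSERVATIONS):.2f}x")
    print(f"addresses per bot: {ips_per_bot(OBSERVATIONS)}")
    print(f"bots per address:  {bots_per_ip(OBSERVATIONS)}")
    print(f"peak daily bots:   {peak_daily_population(OBSERVATIONS)}")
```

On this constructed log the IP-based count reports 11 hosts for 5 actual machines, an inflation of 2.2x, while the NAT address hides one machine entirely. The real Torpig ratio of nearly 7 came from the same two effects acting over ten days on a far larger population; the lesson for anyone publishing botnet sizes from sinkhole or honeypot data is to state which of these estimators was used, over what window, and what the per-day peak was.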
What is being done?
There are several promising European initiatives at a national level against botnets, including for example:
- Bot-Frei: a partnership of German ISPs (led by Eco) and the BSI (Bundesamt für Sicherheit in der Informationstechnik), which detects and notifies infected customers and provides disinfection assistance, including a helpline.
- The Dutch anti-botnet treaty: a partnership of 14 Dutch ISPs and the Telecom Regulatory Authority (OPTA) covering 98% of the Dutch market.
- The Danish Botnet MoU—a co-operation framework between ISPs and CERTs.
- The Swedish study "Botnets - Hijacked computers in Sweden".
At a European level, the European Network and Information Security Agency (ENISA) recently published the results of a wide consultation with all sectors involved in the fight against botnets. On an international level, initiatives to fight botnets have been set up in Japan, Australia and South Korea. The OECD Working Party on Information Security and Privacy (WPISP) is currently examining the role of ISPs in fighting botnets. In the EU-US Working Group on Cyber-security and Cyber-crime, fighting botnets is one of the priorities for collaboration.
What are the options for European governments?
Botnets bear many similarities to health epidemics such as H1N1, which are “border-agnostic.” Europe has an opportunity to build on the successful initiatives already operating in individual European countries to:
- Build a close global network of co-operation both in prosecuting cybercriminals, eliminating their value chain, and in eradicating malware from end-user machines.
- Support ISPs, end users, researchers and software vendors in implementing defensive measures.
- Provide a legal framework in which defensive measures can operate efficiently.
Who can help in fighting botnets?
The short answer is everyone. Botnets are part of a highly profitable criminal business model involving many different “production stages.” This business model is highly agile and highly globalised. Every step in the “production process” must be addressed systematically at all levels: local, national, European and increasingly at a global level:
- End users should be supported in keeping their machines clean. The threat of botnets means this is no longer just a personal concern, but also a social and civic responsibility.
- ISPs should be supported in detecting infections and helping users to disinfect their machines. Because ISPs bear the cost of this, it would need to be shared appropriately with governments or with parties directly affected by botnets, such as web service providers and banks.
- Victims (of extortion and fraud) should be supported in resisting attacks, both technically and with efficient legal recourse and support in prosecuting criminals.
- Anti-bot researchers should be supported by clear and pragmatic legislation.
- For software vendors, software vulnerabilities such as flaws in web applications are major factors in the spread of botnets; secure software initiatives are vital in fighting botnets.
Programme Manager for Secure Services, ENISA