Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.
Answer from Austria by Leon Aaron Kaplan, CERT.at:
“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”
Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulative environment. On regulation:
There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.
Microsoft’s local Chief Security Advisor in Finland adds: a community of peers in public and private sectors, educated users.
Lessons from Germany and Japan.
Summing up:
1. There exist strong public-private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low
More and more reports on the costs of Conficker have trickled in recently. Here’s another one from the CISO (you know that acronym, right?) of brewery giant SABMiller, producing delicious booze such as Foster’s, Miller, and Grolsch:
“Last April, I had to close down the Romanian operation for four hours because of the Conficker virus. It cost us £7.2 million [the revenue target lost, based on how much the breweries would have produced for sale during that time]”
He sold the halt of the beer production site to his board by arguing
that the effect on the company’s market capitalisation would be far worse if SABMiller had manufactured and sold poisoned stock
Shouldn’t attack vectors for Conficker be barricaded by now? Of course, they could have their corporate network still running on old, unpatched Windows platforms. (Businesses have been strong supporters of the “never change a running system” mantra, though remaining IT vulnerabilities in aged gear challenge this stance.) But “poisoned stock”? Where should that come from? Do they run their beer SCADA systems on machines that would not discover a manipulation of their software stack? Where is the link between Conficker and “poisoned stock”?
Joint request by May, Strickling, Beers:
The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.
DHS asks for contributions in three segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.
I’ve seen similar public requests for comments in other policy domains before in the political system of the US. Thus, I’m not sure whether this is as unique as it appears to be from my European perspective.
Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.
Update. Joel Harding with regard to Microsoft’s role in botnet response:
DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?
As mentioned the other day, security provider Damballa released a study stating that some 11% of global botnet command-and-control servers were hosted by 1&1 Internet AG. Heise, presumably Germany’s most influential IT-related news portal, ran the story, mostly citing the findings of the study. 1&1 was not amused about the journalistic performance. The flaws (de) in Damballa’s study were quickly uncovered by Thorsten Kraft of 1&1’s Anti-Abuse team, which is closely linked to the consumer-focussed German Anti-Botnet advisory centre. Heise released another article explaining the flaws in the Damballa report, and Damballa has rightly taken its analysis down. The underlying lapse, according to the reports linked above, was that Damballa had allegedly added both ordinary, non-infected infrastructure servers and sinkhole and honeypot machines to the list of C&C servers.
[…]
The High Tech Crime Team did the job against the unsophisticated Bredolab Botnet:
The Bredolab botnet has been busted. So said the High Tech Crime Team, part of the National Crime Squad in the Netherlands, on Monday.
According to Dutch authorities, “the botnet network used servers hired in the Netherlands from a reseller of LeaseWeb,” one of Europe’s largest hosting providers, which is working with investigators. All told, 143 servers were seized and disconnected. (informationweek.com)
Further information is provided by the Openbaar Ministerie, the Dutch top prosecution authority.
Global cooperation among police forces in cybercrime cases appears to work way better than two years ago.
The world-wide leader in botnet CnC hosting, according to Gunter Ollmann, VP Research of security provider Damballa, is the German ISP 1&1 Internet AG.
1&1 headquarters will be relieved to read this:
It is important to note that the ISP’s and hosting providers listed in the top-10 do not necessarily conduct criminal practices, but they have found themselves in a position of being “preferred” by the criminals operating the botnets.
It is surprising to see 1&1 spearheading CnC hosting. The data for a study released earlier this year by my TU Delft colleagues Michel van Eeten, Hadi Asghari et al. reveals that 1&1 is among the best ISPs when it comes to dealing with malware and spam. In that perspective, 1&1 has one of the cleanest ASNs, much better than, say, Deutsche Telekom.
I’ve briefly skimmed through some Damballa papers, but I could find a description of their method to detect CnC servers.
Terry Zink, Program Manager for Microsoft Forefront Online Security, wants ISPs to play the role similar to the one email security service providers have in mitigating the spam problem.
In my view, ISPs taking action on botted machines is very similar to the problem that we as an outbound mail relay had when we were taking action on customers that were/are sending outbound spam…
For an ISP, if they know which domains a botnet calls home to, then in theory they could tell which IP address is connecting to which botnet URLs. Whenever someone sends a request, either http, ftp, or some other DNS protocol, that attempts to resolve the botnet C&C’s domain, then it is a logical assumption that the machine behind the IP address is part of a botnet. …
Obviously, it would be nice to use a finer layer of granularity but that option is not available without deep packet inspection where you can possibly map finer levels of identification.
In short: Anti-botnetting should be done by ISPs without using DPI. Zink does not want to see ISPs filling their data centres with perimeter DPI boxes, a) for privacy reasons and b) for the costs, as they would force ISPs to find new revenue models and become, e.g., non-net-neutral.
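The DNS-based approach Zink describes can be sketched as follows. This is an added example, not code from the post or from Microsoft: the resolver log format, the `.example` domains and the `min_hits` threshold are constructed assumptions. It flags source IPs only, which is the coarse granularity Zink accepts when DPI is ruled out.

```python
from collections import defaultdict

# Constructed feed of known C&C domains (reserved .example names, not real indicators).
CC_DOMAINS = {"c2.botnet-a.example": "botnet-a", "update.botnet-b.example": "botnet-b"}

# Constructed resolver log lines: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2010-10-20T10:00:01Z 192.0.2.10 c2.botnet-a.example. A
2010-10-20T10:00:02Z 192.0.2.11 www.example.org. A
2010-10-20T10:00:05Z 192.0.2.10 C2.Botnet-A.Example. A
2010-10-20T10:00:09Z 192.0.2.12 node7.update.botnet-b.example. AAAA
2010-10-20T10:00:11Z 192.0.2.13 notc2.botnet-a.example. A
2010-10-20T10:00:12Z 192.0.2.14 update.botnet-b.example. A
malformed line
""".splitlines()


def match_cc(qname, cc_domains):
    """Return the botnet label if qname equals or is a subdomain of a listed domain."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare whole labels only, so "notc2.botnet-a.example" does not match
    # the listed "c2.botnet-a.example".
    for i in range(len(labels)):
        botnet = cc_domains.get(".".join(labels[i:]))
        if botnet:
            return botnet
    return None


def flag_clients(log_lines, cc_domains, min_hits=2):
    """Map client IP -> {botnet: hits} for clients with at least min_hits C&C lookups."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of failing the whole batch
        _ts, client_ip, qname, _qtype = fields
        botnet = match_cc(qname, cc_domains)
        if botnet:
            hits[client_ip][botnet] += 1
    # One source IP may hide several machines behind NAT; this is per-IP only.
    return {ip: dict(b) for ip, b in hits.items() if sum(b.values()) >= min_hits}


if __name__ == "__main__":
    for ip, botnets in flag_clients(SAMPLE_LOG, CC_DOMAINS).items():
        print(ip, botnets)
```

The `min_hits` threshold (an assumption of this sketch) keeps a single stray lookup from triggering a subscriber notification; lowering it to 1 trades fewer missed bots for more false positives.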
Microsoft isn’t the “internet security industry”, even though their Malicious Software Removal Tool and Security Essentials A/V are among the most widely deployed security tools out there. Microsoft is in the security business above all to get rid of infected Windows machines and to protect their Windows brand. Hence, my hunch is that they are rather pragmatic in their choices and would opt for any approach that helps to clean up the bot mess.
I wonder how such a botnet URL database would be operated, who would feed, who would harvest it, how it would be governed. Centrally? Commons-based? Commercial? Based on a club-model? Botnet URLs are too trivial to pose as the core of commercial security products in a way as virus signatures are a core asset for AV software providers. But commercialising security problems isn’t Microsoft’s problem.
Microsoft’s Malware Protection Center has released its latest Security Intelligence Report v9. It calls to mind that anti-botnetting isn’t just a technological challenge:
Regardless of how botnets are doing their distribution, one thing is clear: because of their networked and often organized structure, they allow malicious and illegal activities to be performed at a scale that has not been seen before. The solution to this problem isn’t always about technology. As a community, we can take collaborative and legislative action to take down massive botnets like we did with Waledac. As researchers, we must evolve the way we view these threats and continue to think of creative and novel ways to stop them.
Interesting technical finding: 33% of malware-infected machines are bots.
I’ve written a quick analysis of the recent anti-botnet politics in Germany. The kind crew behind netzpolitik.org has published it on this blockbuster blog. It’s written in German, though, but you could alternatively give Google Translator a moment of embarrassment.
This is going to be an interesting experiment in internet security governance. Scientists have argued for years that internet security problems are as much caused by a misalignment of incentives as they are by technological flaws in software and hardware. One obvious recipe to call ISPs for action against botnets is one that has helped to increase software vendors’ activities in increasing software robustness.
Gathered under the umbrella of the Shadowserver Foundation, a group of engineers and scientists have scrupulously gathered evidence and background information about the activities of the Conficker botnet. They have known for months that millions of machines worldwide had been infected with Conficker malware. Yet, no one reacted, only shoulders were shrugged. At govcert.nl in October, many were contemplating how to proceed with Conficker.
Starting today, Shadowserver lets everyone know where these Conficker-infected machines are. The move is a valuable contribution to increase global transparency about the somewhat obscure botnet problem.
An interesting example from Germany immediately sticks out. 1&1, a big hosting and medium-sized access provider, had initiated an internal initiative against botnet-infected customer systems earlier this year. Today, only ten IP addresses and 0% of their routed space are assigned to infected machines. For customers of Deutsche Telekom, which hasn’t announced a similar program, things look worse: 0.1% of all IP addresses or more than 32,000 IP addresses belong to a Conficker-infected machine.
Yesterday, press reports about an alleged joint venture of national ISPs and the national IT security agency to build a national botnet center stirred some scepticism and perplexity in Germany. After heise online brought the news, the hacker association CCC said that this is rather a hoax.
However, the German national ICT security agency (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the association of the German internet business, eco (Verband der deutschen Internetwirtschaft), have cooperated on botnet issues at least since October 2008.
A workshop on botnets in early February 2009 addressed topics such as data exchange between ISPs regarding information from systems such as honeypots, abuse systems, spam traps (email analysis), DNS analysis, IDS/IAS (anomaly detection) or harmful websites. This information provided by ISPs could then be complemented with external data sources. Given the lack of published data, it is not clear which techniques ISPs actually use to exchange data today.
Another workshop on botnets, obviously organized by eco, took place in early February 2009. One of the speakers was Frank Ackermann, senior legal counsel to eco, who talked about judicial aspects of botnet fighting. According to Ackermann, “ISPs are interested in moderate filtering” of spam. Thus, politics should be discouraged from strict anti-spam regulation.
The programme of another joint eco-BSI workshop, the 7th German Anti Spam Summit mid-September 2009 on Conficker, has sessions like “Status Quo central botnet disinfection call center DE” and “Legal Guide on Technical Approaches against Botnets” listed. According to the programme, Dr. Lothar Eßer, Head of Division Internet Security of BSI, also attended this session.
In late November 2009, eco mentioned in a summary of their IGF09 activities that it is going to build a “Botnet Disinfection Center” in a joint effort with BSI and several providers.
So, Germany will get its public-private anti-botnet center. According to eco’s press release, eco and BSI will establish a user-support center. ISPs will forward customers with infected machines to a website which provides tools and descriptions for removing malicious software from their machines. In addition, users with infected computers can call a special hotline with experts assisting users in removing harmful software.
—-
Upd. 9.12.; 16.12: changed headline, added the paragraph with eco’s press release; corrected typos