12/1/2012 00:06 AM
Anti-Botnet Efforts Still Nascent, But Groups Hopeful

Seven months after a government-industry coalition announced recommendations for ISPs to fight botnets, success is still a long way off

Seven months after a coalition of government and industry organizations announced a set of voluntary guidelines to help Internet service providers clean their broadband networks of malware, the effort has yet to produce measurable results.

Known as the U.S. Anti-Bot Code of Conduct for Internet Service Providers, or "ABCs for ISPs," the voluntary guidelines call for service providers to educate consumers, detect botnet activity on their networks, notify users of infected systems, help remediate threats, and collaborate with other businesses. Five major ISPs publicly agreed to the Anti-Botnet Code when it was launched by the U.S. Federal Communications Commission (FCC) in March, but gaining new adherents and measuring the success of the efforts have been hard, says Michael O'Reirdan, co-chairman of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), an industry group focused on finding solutions to online threats.

"We've had to have a little prod to get going," he says. "It is not trivial to do this if you are a large ISP."

While AT&T, CenturyLink, Comcast, Cox Communications, and Time Warner Cable all signed onto the code, other Internet service providers are wary of the cost of finding problems with customers' computers and notifying them of the issues. Yet the idea that call centers will be inundated with profit-sapping support calls once customers are notified of infections is wrong, says O'Reirdan.

"The call-back rates of companies that have committed to the Anti-Botnet Code are trivial -- they really are," he says. Moreover, with their financial accounts and other important information online, customers will gravitate toward ISPs that show a dedication to security, argues O'Reirdan, who served as the chairman of the FCC's Communications Security, Reliability and Interoperability Council's (CSRIC) Working Group 7, which developed the code with the industry.

Different countries have tackled anti-botnet coalitions and regulations differently. Japan's Cyber Clean Center (CCC), for example, is a collaboration with the government that alerts about 1,400 users a month, of whom about 550 are being notified for the first time; roughly one-third of notified users go on to download cleaning tools, according to January 2011 data from the CCC. In Germany, the government funded the Anti-Botnet Advisory Center, helping ISPs defray the cost of detection and mitigation.

The U.S. Anti-Botnet Code is based on Australia's voluntary i-Code and stresses cooperation between groups to solve the problem of botnets.

"The collaborations go across industry and government because everyone needs to work together to solve the problem," says Kevin McNamee, security architect for Kindsight, a network security firm.

[A project to count bots will provide a much more comprehensive, if not complete, tally of infected systems. See Bots: Stand Up And Be Counted.]

So far there is no evidence that the effort is producing meaningful results. In the third quarter of 2012, for example, 6.5 percent of North American households had malicious software on at least one computer, according to data from Kindsight's latest report. That rate is a slight increase from the 6 percent of households that showed signs of malware infection in the first quarter of the year.

It is likely too early to see any measurable effect, McNamee says. In addition, measuring the prevalence of bots and the impact that the Anti-Botnet Code is having on the relative safety of end users is difficult. Internet providers focus on basic measurements, such as their total customer population, the number of infections, and the number of customers notified.

"Metrics are proving to be quite a problem," says M3AAWG's O'Reirdan. "You have this apples-to-lemons-to-oranges problem. It is very hard to compare like to like."

In many ways, ISPs are back where they were when they began tackling spam a decade ago. Yet consumers will come to expect the same kind of result from anti-botnet efforts: their broadband providers should give them a safe network on which to communicate, O'Reirdan says.

"In a couple of years, an ISP who does not have an anti-bot platform will look as sad as an ISP that does not have an anti-spam platform today," O'Reirdan says.

Comments
kjhiggins (User Rank: Strategist), 12/3/2012 | 10:55:38 PM
re: Anti-Botnet Efforts Still Nascent, But Groups Hopeful
Are there any efforts underway to create the proper/needed metrics?