Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast
But not all ISPs are willing or able to respond to reports of infected bots in their space. "Unfortunately, not all ISPs are responsible. We also learned this from Conficker: The Conficker Working Group put a lot of effort in getting feeds to different ISPs. But still many ISPs did not respond," and there are still many machines infected with the worm, according to Holz.

The overarching issue is bigger than botnets: It's about the security of end users' computers, experts say. Graham Titterington, principal analyst with Ovum, says dormant bots can also be tough to detect. "They can be sleepy for a long time and impossible to detect until they go active," he says. "You can do traffic analysis at the ISP level," however, he says.
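The traffic analysis Titterington refers to usually means looking for the one thing a "sleepy" bot still does: a low-volume, regular check-in with its controller. The following is an added example, not code from the article or from any vendor quoted in it. It runs a simple periodicity ("beaconing") check over a constructed set of flow records; the addresses, timestamps and thresholds are all assumptions chosen for illustration.

```python
"""Periodicity (beaconing) detector over constructed flow records.

Added example, not part of the original article. A dormant bot often keeps a
small, regular check-in with its controller; this looks for (src, dst, port)
pairs whose inter-connection intervals are nearly constant, which human
browsing almost never produces.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 contacts 203.0.113.7 about every 300 s with a few seconds of jitter
# (the assumed bot). 10.0.0.8 is ordinary browsing with irregular gaps.
# 10.0.0.9 has too few flows to judge. All addresses are documentation ranges.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7", 443, 412),
    (1300, "10.0.0.5", "203.0.113.7", 443, 410),
    (1597, "10.0.0.5", "203.0.113.7", 443, 415),
    (1900, "10.0.0.5", "203.0.113.7", 443, 411),
    (2199, "10.0.0.5", "203.0.113.7", 443, 412),
    (2500, "10.0.0.5", "203.0.113.7", 443, 409),
    (2800, "10.0.0.5", "203.0.113.7", 443, 413),
    (3102, "10.0.0.5", "203.0.113.7", 443, 412),
    (3400, "10.0.0.5", "203.0.113.7", 443, 410),
    (3700, "10.0.0.5", "203.0.113.7", 443, 414),
    (4001, "10.0.0.5", "203.0.113.7", 443, 411),
    (4300, "10.0.0.5", "203.0.113.7", 443, 412),
    (1050, "10.0.0.8", "198.51.100.10", 443, 1532),
    (1062, "10.0.0.8", "198.51.100.10", 443, 8871),
    (1500, "10.0.0.8", "198.51.100.10", 443, 2210),
    (1507, "10.0.0.8", "198.51.100.10", 443, 640),
    (2900, "10.0.0.8", "198.51.100.10", 443, 12031),
    (2905, "10.0.0.8", "198.51.100.10", 443, 980),
    (2910, "10.0.0.8", "198.51.100.10", 443, 3302),
    (3800, "10.0.0.8", "198.51.100.10", 443, 455),
    (4250, "10.0.0.8", "198.51.100.10", 443, 7710),
    (1200, "10.0.0.9", "192.0.2.1", 80, 300),
    (1500, "10.0.0.9", "192.0.2.1", 80, 300),
    (1800, "10.0.0.9", "192.0.2.1", 80, 300),
]


def _intervals(timestamps):
    """Gaps between consecutive timestamps, in seconds."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def detect_beacons(flows, min_events=8, max_cv=0.1):
    """Return the (src, dst, port) pairs whose connection timing looks machine-driven.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    flows: a scheduled check-in clusters near 0 even with jitter, while
    interactive traffic scatters widely. min_events avoids calling a pair
    periodic on a handful of observations. Both thresholds are assumptions
    and would be tuned per network.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    findings = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_events:
            continue  # too sparse to judge periodicity
        gaps = _intervals(ts for ts, _ in events)
        mu = mean(gaps)
        if mu <= 0:
            continue  # all flows share one timestamp; not a schedule
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "events": len(events),
                "mean_interval_s": mu,
                "cv": cv,
                "mean_bytes_out": mean(n for _, n in events),
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  every ~{f['mean_interval_s']:.0f}s "
              f"({f['events']} flows, cv={f['cv']:.3f}, ~{f['mean_bytes_out']:.0f} B each)")
```

On this sample only the 10.0.0.5 pair is reported. The same logic scales to real flow exports by grouping on the fields shown; in practice an ISP or enterprise would also whitelist known schedulers (NTP, update servers, monitoring agents), which beacon just as regularly.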

And ISPs are faced with service issues if they dial back an infected machine's bandwidth, or place a bot in a so-called "walled garden" until it's cleaned up. "The idea of when you detect a bot on a machine that you cut that machine off is difficult to implement in practice. The consequences are denying someone access to the Net ... or [affecting] the speed" of its connection, Titterington says.

Meanwhile, a Microsoft executive last week proposed a sort of "health check" for machines to gain Internet access -- an approach some experts are calling "NAC for the Internet." Scott Charney, vice president for Microsoft's Trustworthy Computing, called for a model where "sick," or infected, PCs get quarantined from the Internet.

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," he blogged. "In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users, and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources."

This would have to be implemented at the local level, Microsoft's Jones says, in a socially acceptable way that protects privacy while protecting other users from getting infected by the bots.
