
Endpoint

10/15/2010
04:10 PM

Bots Hard To Kill -- Even When Botnets Get Decapitated

Despite the wave of major takedowns this past year, botnets are still thriving with a seemingly endless supply of bots available to feed the beast

But not all ISPs are willing or able to respond to reports of infected bots in their space. "Unfortunately, not all ISPs are responsible. We also learned this from Conficker: The Conficker Working Group put a lot of effort in getting feeds to different ISPs. But still many ISPs did not respond," and there are still many machines infected with the worm, according to Holz.

The overarching issue is bigger than botnets: It's about the security of end users' computers, experts say. Graham Titterington, principal analyst with Ovum, says dormant bots can also be tough to detect. "They can be sleepy for a long time and impossible to detect until they go active," he says. "You can do traffic analysis at the ISP level," however, he says.

And ISPs are faced with service issues if they dial back an infected machine's bandwidth, or place a bot in a so-called "walled garden" until it's cleaned up. "The idea of when you detect a bot on a machine that you cut that machine off is difficult to implement in practice. The consequences are denying someone access to the Net ... or [affecting] the speed" of its connection, Titterington says.

Meanwhile, a Microsoft executive last week proposed a sort of "health check" for machines to gain Internet access -- an approach some experts are calling "NAC for the Internet." Scott Charney, vice president for Microsoft's Trustworthy Computing, called for a model where "sick," or infected, PCs get quarantined from the Internet.

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," he blogged. "In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users, and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources."

This would have to be implemented at the local level, Microsoft's Jones says, in a socially acceptable way that protects privacy while protecting other users from getting infected by the bots.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
