Quote of the week: Are we doing enough to improve the global IT security landscape?
28 Sep 2011
Vitaly Kamluk, Chief Malware Expert, Global Research and Analysis Team, Kaspersky Lab:
“Hundreds of thousands of machines are joining botnets every month. Most of these botnets are used to propagate spam or distribute malware that can be used in cyber espionage. Some of them are used in DDoS attacks or as proxies to commit other cybercrimes.
Botnets are a major threat to both the average user and corporations; however, the countermeasures we take are about as much use as measures a tiny mouse might take in protecting itself against a tiger: immensely inadequate. One could think that laws should be able to help us. Indeed, there is a law that prohibits unauthorized access to remote systems, i.e., third parties cannot use the resources of the other’s machine. However, cybercriminals successfully bypass this law. They utilize and exploit systems in any way they want – to commit crime, earn money, etc. At the same time we researchers come up against the same law – but in our case it prevents us from fighting botnets.
As an example of what could be done but cannot even be contemplated, there are over 53 000 command and control (C&C) centers on the Internet (source: www.umbradata.com). In many cases we know where the C&C centers of these botnets are, so in theory we could contact the owner’s Internet Service Provider and ask it to take it down or to pass control of the center to us. This would be the right decision if we didn’t want to leave all those thousands of infected machines online – continuing to attack other machines. We could issue a command for a bot to self-destroy itself from within the botnet infrastructure (starting from the command center) and then take it down. But unfortunately this represents unauthorized access, and we are not allowed to issue such a command.
Clearly we need changes to improve the situation. And first of all we need the law enforcement agencies of all nations to consider doing a few things:
- Carrying out mass remediation via a botnet;
- Using the expertise and research of private companies and providing them with warrants for immunity against cybercrime laws in particular investigations, so they can collect more evidence, or bring down a malicious system when it cannot be accessed physically;
- Using the resources of any compromised system during an investigation – so that we can place traps on compromised machines to get the source IP addresses of the attackers, and to bypass the mechanisms they use to hide their identities;
- Obtaining a warrant for remote system exploitation – only in the cases when no other alternative is available. Of course this could result in cyber espionage. But if it is done properly – if the warrant is given for a particular system, in a particular case, for a particular timespan – this could bring positive results. Indeed, it could significantly change the cyber-threat landscape.”
For more information about taking down botnets, please watch the online press conference video which takes an in-depth look at the subject.