Breeding Internet Superbugs

In the waning days of calendar year 2004, I watched some friends as they happily killed off some "botnets", and then pondered the usefulness of this (if any). A "botnet" is a collection of stolen computers, whose owners are still using them. Botnets are useful for sending spam and receiving stolen credit card numbers and all kinds of other things a bad guy wouldn't want to get caught using his or her own computers for. So, why isn't killing "botnets" an unrestricted good idea? Here's what I said about it on 30-December-2004:

I want to expand on this point somewhat. I'm the father of four children, and one of the things that I have to think about that my parents did not have to think about is "antibiotic-resistant bacteria" or "superbugs". Here's how it happened. A number of quick fixes were developed (penicillin, etc) and made widely available. Folks overused them (due to convenience, revenue/hype, etc). Enough bacteria were exposed to the wonderdrugs over several decades that the small percentage who weren't killed by wonderdrugs managed to reproduce more than the large percentage who were killed by wonderdrugs. Ultimately the ecological niche that was once occupied by "bugs" is now occupied by "superbugs", and the wonderdrugs aren't working as well any more.

This shows how quick-fix action for convenience and/or profit by a large number of self-interested people can end up retraining, re-educating, and ultimately benefitting the attacking population more than the defending population.

If you'd like a more topical example, consider "spam". People began altering their e-mail "From:" lines in order to make their addresses harder to guess or aggregate; people began doing pattern matching in order to catch known-bad messages and either sideline or reject them. Many defenders used many small tricks to protect their inboxes. The result has not been that less spam is sent or even that less spam is received, on an aggregate basis. Things are worse now than they've ever been. (I say this as co-founder of MAPS LLC, by which I hope to establish my credentials in the spam field for those of you who do not know me.) Today a small number of highly advanced defenders is spam-immune only because they are a small number and their techniques are not widely effective against the attackers; and a small number of highly advanced attackers can "spam at will" a far larger population than ever before. And the trend is that things are getting worse, and getting worse faster than ever before.

At MAPS, we started with the principle that an IP address that could be used for transmission of unwanted bulk material was poisonous, and that its owners ought to be more careful and more respectful. Rather than "rotate our shield frequencies" and hope that the attackers could not "rotate their weapons frequencies" (hint: those are ST-TNG/Borg references), by saying "well you can't send THAT body, but please keep trying!" we just revoked the implied right of end-to-end communication whenever someone demonstrated lack of proper respect for the implied responsibility of end-to-end value. This was not effective -- spam got worse in spite of MAPS. But spam did not get worse *because* of MAPS. Spam did get worse because of Brightmail, and spam has gotten worse because of Bayesian filtering. Of course, Sunil Paul's goal in founding Brightmail was not to stop spam but to create a company that could later be sold, which he did (to Symantec, I believe.) But I digress.

Now I'm hearing about how people are joining and killing botnets. Why? It is trivial to recreate them. All you're doing is helping to train botnet operators in how to avoid getting caught; helping to train rootkit developers in how to capture more computers; helping to train botware developers in how to use non-IRC C&C channels. Do you really want to gradually improve the breed and toolsets of attackers, at the cost to them of nothing but time?

What we have to do is a lot of grunt work. Law enforcement, even of unwritten laws like "don't spam me" or "don't DDoS me", is hard, boring, "grunt" work. Gathering the evidence it takes to put a botnet operator or malware developer in prison can take months or years, and the payoff (of knowing that jackbooted government thugs are kicking in a door somewhere and confiscating every powered device and every living person in the building) is elusive. However, that's the only way to put a clamp on the growth of botnet-related industries.

Stomping a botnet is actually a bad thing to do, unless it's done by lawful authorities acting according to meatspace law, and hopefully as part of a larger effort to imprison the people who wrote the software that captured the bots, and the people who wrote the software that operates the botnet, and the people who executed either of those kinds of software.

Stomping a botnet is actually a bad thing to do. Read that again. Please.

Working with meatspace law enforcement is what we have to do. I have made myself available to my local FBI field office for consulting and training; we must all do this, until the average FBI special agent is as good at reading e-mail headers or lurking on IRC channels as they are at preserving physical forensic evidence or sifting through the business records of a suspected racketeer. And all of us who spend time defending against attacks have to know how to gather evidence without polluting it, and we all have to know who to contact when we've got something we think is actionable.

Annoying botnet handlers educates them. Don't do that! Let them succeed at what they try, but watch their every move. Learn to predict what they will do next. Learn how they did whatever they've done. Learn who they are. Learn where they live, and where their money comes from. Let them have a wonderful, annoyance-free life, right up to the instant that the front door of their apartment is kicked in and the handcuffs go on. Don't create more antibiotic-resistant superbugs. Don't teach them how to be more careful next time, on a painless incremental basis.