Stopping Botnets

Just how secure is your firm's information, from intellectual property and trade secrets to financial data?

Well, a major online threat that has been around for a few years just received stepped-up attention from the Federal Communications Commission, various Internet service providers, and the world's leading software maker.

The threat? Botnets. And it's a war against criminals at home and around the globe, in defense of both businesses and consumers on the Internet.

As described in March 22 recommendations from the FCC's Communications, Security, Reliability, and Interoperability Council (CSRIC) to combat botnet attacks, domain name fraud and IP route hijacking, "The growth of bot-infected end-computers poses a threat to the vitality and resiliency of the Internet and to the online economy. Botnets are networks of computers infected with bot malware, which can be controlled remotely. Criminals often use botnets to crash or deny access to a target website, and botnets can be used to steal passwords and financial information."

In a March 25 press release, Microsoft offered a further explanation of how the botnet threat works: "The computers that make up a botnet are usually conscripted without the knowledge of their owners, who unwittingly infect their machines after clicking on links in legitimate-looking e-mails for things like security updates from Microsoft and notices of tax refunds from the Internal Revenue Service. Clicking those links takes users to Web sites that exploit security holes in their browsers or other programs on their computers. Criminals use the holes to install malicious programs that siphon personal information from the infected computers, like online bank account passwords and credit card numbers. They can also harness the infected machines to send millions of e-mail messages to other users on the Internet, including scam messages that help propagate the botnet. Sometimes botnets are rented to clients to send spam messages advertising products like counterfeit pharmaceuticals."

These present serious worries for both personal and business information. So, what have been the recent actions and announcements?

On the FCC and ISP front, the San Jose Mercury News reported on March 22 that "eight large ISPs in an industry working group told the FCC on Thursday that they would not only work to detect botnets on their networks, but would also help affected customers find resources to clean up their computers." The eight firms are AT&T, Comcast, CenturyLink, Cox, Sprint Nextel, Time Warner Cable, T-Mobile and Verizon Communications.

On AT&T's policy blog, Bob Quinn, senior vice president-federal regulatory and chief privacy officer, pointed out: "AT&T has a long history of working to address both physical and cyber threats and has actively participated in the CSRIC process, including having representation on all three working groups. We view cybersecurity to be a cornerstone of the network management functions that we perform in the United States and worldwide. To that end, AT&T is already fulfilling the recommendations in the reports... [T]he Chairman's statements about the need for continued innovation in cybersecurity are probably the most important part of his message today. Effectively addressing cybersecurity is going to require the various stakeholders experimenting and innovating with different solutions and learning from one another."

Indeed, this is very much an ongoing battle fought on different fronts and by varying means. That is, by those various stakeholders.

For example, in that March 25 release, Microsoft announced that "in collaboration with the financial services industry - including the Financial Services - Information Sharing and Analysis Center (FS-ISAC) and NACHA - The Electronic Payments Association - as well as Kyrus Tech Inc., ... it has successfully executed a coordinated global action against some of the most notorious cybercrime operations that fuel online fraud and identity theft."

The May 26 New York Times reported it this way:

"Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today - botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers. With a warrant in hand from a federal judge authorizing the sweep, the Microsoft lawyers and technical personnel gathered evidence and deactivated Web servers ostensibly used by criminals in a scheme to infect computers and steal personal data. At the same time, Microsoft seized control of hundreds of Web addresses that it says were used as part of the same scheme."

Again, Microsoft noted: "This disruption was made possible through a successful pleading before the U.S. District Court for the Eastern District of New York, which allowed Microsoft and its partners to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets. Because the botnet operators used Zeus to steal victims' online banking credentials and transfer stolen funds, FS-ISAC and NACHA joined Microsoft as plaintiffs in the civil suit, and Kyrus Tech Inc. served as a declarant in the case. Other organizations, including F-Secure, also provided supporting information for the case."

Microsoft's involvement in this law enforcement endeavor is seen as unique. According to the Times, Richard Boscovich, who is "a former federal prosecutor who is a senior lawyer in Microsoft's digital crimes unit," is the one who "devised a novel legal strategy to underpin the growing number of Microsoft's civil suits against bot-herders. Among other things, he argued that the culprits behind botnets were violating Microsoft's trademarks through fake e-mails they used to spread their malicious software."

Given the malicious intent, criminal incentives and technological skills, the botnet problem has been and will continue to be an ongoing battle, requiring action by law enforcement, legislators, courts, and private entities. Make no mistake, the government's role to protect property stands, whether offline or online, as a primary duty. At the same time, private businesses with the know-how will need to be part of the effort, working with government and advancing their own safeguards, in order to make the Internet a safer realm in which opportunity, business and consumer choices can continue to fully flourish.


Raymond J. Keating is chief economist for the Small Business & Entrepreneurship Council. His new book is "Chuck" vs. the Business World: Business Tips on TV.