Botnets have been around for a long time. Going back to the 1990s with Internet Relay Chat (IRC), people wanted a way to maintain their chat rooms while they were away, so they started making automated scripts that became known as bots that sit on a channel. They added new features and things started getting more sinister. Some people wrote a bot that would knock people off of their channels, and it kind of escalated from there and became an entire culture around developing bots, using them for various purposes like DDoS. Then at the end of the last century into 2001 we started seeing bots used for larger cybercrime. It escalated outside of the IRC community into the kind of things we see today like the banking fraud, the spam and the DDoS attacks against websites, not just IRC chat rooms.
How do you measure the strength of a botnet? Does size necessarily equate to strength?
Strength is one element of bots when you are talking about something like a DDoS botnet, how much potential they have to take down a website. But not all bots are designed to do something like that. You're not going to see too much traffic from something like a bank fraud botnet. We try to do the best we can in getting counts of botnets because that's always interesting. How many people have been infected? What means are they using to infect PCs into the botnet? That's something we pay close attention to. That's a more important metric to us.
That is what was done with Conficker, right?
That's right. With Conficker it was very important to establish how fast it was able to grow and what we can do to put in preventative measures at different levels to try and keep new PCs from joining that botnet. It seems like plenty joined and not many left, so we're still facing pretty large numbers from that botnet.
Is there a way to get botnets shut down? We saw the McColo action which disrupted some botnets. Microsoft took legal action to take out the command and control of the Waledac botnet. Do actions like these have any positive results?
It's good to see people putting an effort towards the problem and raising people's attention to the overall problem, but taking out a botnet is not necessarily going to stop the criminal operation behind the botnet. Certainly they're making money in a lot of these schemes that they are using botnets for, so it's unlikely that they are just going to quit just because Microsoft killed their botnet one day. They will just deploy new bots. They can easily seed those out in the wild and pay somebody to spread those from Web exploits, sending out infected emails. So they can quickly build their botnet up again and get right back in the business. We have to have more cooperation across the board from ISPs, industry researchers and law enforcement. Ultimately you have to stop the people behind the botnet, not just the botnet itself.
I hope so. The problem is you have certain countries that seem willing to cooperate with law enforcement in the U.S. We've got plenty of people here that can study botnets, can uncover where the command and control is at and uncover details about who may be operating command and control, but in certain countries, when we report this, it seems to go nowhere. We're hoping with some of these recent discoveries like the Black Energy (botnet) targeting Russian banks, perhaps Russia might also join the larger research community and law enforcement action against botnets. We could use some cooperative action and take down some of the biggest and most damaging botnets.
I recently heard some experts say that the government should require ISPs to use deep packet inspection. That brings up privacy issues. Do you think that will ever happen?
It's something that can be done without being intrusive. There are ways that you can look at a packet for signs of a botnet infection without necessarily compromising someone's privacy. I don't want people to get up in arms thinking that because the ISP is suddenly alerting on botnets, this suddenly means they are reading their email messages. That's not what it means. It functions very similarly to what an antivirus does. It's looking at each executable and trying to figure out whether it matches a known signature of a piece of malware. It's the same idea, just at the network level. Just because you have antivirus looking at your programs doesn't mean they're going into those programs, reading all your serial numbers and all those things. They're just looking for patterns that indicate bad activity.
Let's talk about Operation Aurora, the attacks against Google and nearly two dozen other companies. You looked at the code. What exactly did you find?
It was interesting that Google came out and admitted it happened, because we've seen this type of activity happening over the past five years. Most companies that get attacked don't say anything. That was the only thing really unusual about the attack. This is very typical of what we've been seeing going on for a long time. It's just a Trojan that is stealthy by matter of the fact that it was written specifically for this purpose. It wasn't necessarily sophisticated. It's something no one had seen because it wasn't widely deployed.