Microsoft issued its latest Security Intelligence Report last week, indicating that botnets pose the biggest problem for security teams attempting to defend websites, networks and end user devices from malware infections.
Volume 9 of the Microsoft Security Intelligence Report lays out evidence that while there has been some success in breaking up major botnets, more action is needed if security teams ever expect to see a major decline in botnet malware infections. Microsoft said it cleaned more than 6.5 million computers of botnet infections in the first half of 2010, double the amount for the same period a year before.
"We believe that even if everybody follows good fundamental processes, to really combat the problem we need cooperation across industries and across borders for collective defense," said Jeff Jones, director of Microsoft Trustworthy Computing.
Jones said Microsoft is attempting to improve cooperation with other software vendor security teams and work with law enforcement to develop better rules of engagement. "We need to work with people who register domains," he said, adding that cooperation with internet service providers is paramount to success.
The U.S. had the most botnet infections, with 2.2 million in the first half of 2010, ahead of second place Brazil with 550,000 botnet infections, according to the report. Meanwhile, Spain held the top spot in Europe with 382,000 botnet infections, followed by France, the U.K. and Germany.
Jones said that nearly every piece of malware Microsoft identified in the first half of 2010 could be traced back to a major botnet. Worms showed the largest increase over the past four quarters, tying Trojans in prevalence in the second quarter of 2010. In addition, some malware families contain hundreds and sometimes thousands of different variants, designed to slip past traditional security technologies and remain virtually undetectable on infected systems.
Microsoft detected a high number of worms in the Taterf family, which spread via mapped drives to steal login and account details for popular online games, such as World of Warcraft. Microsoft is also increasingly detecting Zwangi, another major worm that can run in the background and modify browser settings to send users to malicious websites. In addition, Microsoft detected a high number of Autorun worms, used to infect machines and grow botnets.
Microsoft has had success defeating botnets by taking the legal route, Jones said. In February, Microsoft took out the notorious Waledac botnet. Waledac was a large spambot that produced an estimated 1.5 billion spam messages daily. Microsoft took legal action, cutting off 273 domain names believed to be controlling the Waledac botnet.
In addition to taking the legal approach, Microsoft is proposing a strategy that targets users of botnet-infected machines. Scott Charney, corporate vice president of Trustworthy Computing at Microsoft, recently proposed a model that treats infected PCs the way most public health systems treat people with infectious diseases. At a security conference in Berlin, Charney advocated that governments enact measures that isolate infected computers from the rest of the Internet. ISPs would be required to notify computer owners of a detected issue and throttle down the PC's Internet use.
"There are some natural points where traffic can be observed to identify if a particular machine might be infected, and on an individual basis the owner would be notified," Jones said of Charney's proposal. "In any given country we realize there are different privacy sensitivities, so it's important to make sure scanning happens only for reasons that are authorized legally for an infected area."