    Cybercrime is a day-to-day reality for anyone using the Internet. Whether for email or Web surfing, all Internet users are potentially at risk.

    Botnets are the tool of choice for distributing malware, for perpetrating attacks, and for sending slews of spammed messages. Through these botnets, botnet herders (the cybercriminals behind the botnets), earn millions of dollars in money stolen from innocent computer users.

    These cybercriminals buy and sell services, build partnerships, and rent services just as above-board businesses do; the main difference is the legitimacy and legality of the products, solutions, and services they handle. The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for cybercriminals owing to its speed of distribution and delivery, vast target list, and relatively low cost of investment compared with the profit on offer.

    As an example of how and why the spam issue is still overwhelming, according to Trend Micro research, spam now accounts for around 97 percent of all the email in circulation. In a recent laboratory-controlled investigation, the quantity of spam generated by a single bot-infested computer in a 24-hour period amounted to around 2,553,940.

    What can be done about it and who can effect change?

    According to the recent 2010 Consumer Survey published by the Messaging Anti-Abuse Working Group (MAAWG), 65 percent of the respondents felt that ISPs and ESPs should bear most of the responsibility for stopping spam, computer viruses, fraudulent email, and spyware.

    Given that the MAAWG survey also identified that there is a serious lack of awareness regarding bots and botnets on the part of the average consumer, service providers need to consider taking proactive steps to help secure and support their customers.

    Trend Micro chief technologist Dave Rand explains that ISPs have the ability to help combat botnets and spam through some fairly simple steps. For instance, they can block email on port 25—the port responsible for SMTP transfers. Botnet communications use port 25 when sending spam and other junk mail.

    If port 25 is blocked and legitimate email communication is moved to a different internal port, the spam traffic becomes ineffective. Generally speaking, users will not notice any direct change, as most use their ISPs’ own servers or free email services from providers like Gmail, Windows Live Hotmail, or Yahoo Mail.

    ISPs have the ability to monitor their own network activity and, for billing or technical reasons, can identify particular IP host addresses at any given time. With this information, they know what traffic traverses their network and have the technical ability to observe malicious traffic. This enables them to block port 25 and, more importantly, to identify and notify the compromised customer.
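    As an added illustration of the kind of network monitoring this paragraph describes (written for this page, not Trend Micro's own tooling): a Python sketch that scans constructed flow records and flags subscriber addresses that connect directly to many distinct mail servers on port 25 within a short window, while exempting the ISP's own relay (ISP_RELAY, an assumed address). The resulting list is the input to the customer notification step the text calls for.

```python
"""Flag subscriber hosts whose outbound port-25 fan-out looks like a spam bot.

A spamming bot connects directly to many unrelated mail servers on port 25;
a normal customer submits mail to a single relay. Counting distinct port-25
destinations per source address in a time window separates the two cases.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the ISP's own outbound relay, which customers may legitimately reach on 25.
ISP_RELAY = "198.51.100.25"

# Constructed sample flow records (not real traffic): "timestamp src dst dport".
SAMPLE_FLOWS = """\
2010-06-01T10:00:01 10.0.0.5 203.0.113.1 25
2010-06-01T10:00:02 10.0.0.5 203.0.113.2 25
2010-06-01T10:00:02 10.0.0.5 203.0.113.3 25
2010-06-01T10:00:03 10.0.0.5 203.0.113.4 25
2010-06-01T10:00:04 10.0.0.5 203.0.113.5 25
2010-06-01T10:00:05 10.0.0.5 203.0.113.6 25
2010-06-01T10:00:09 10.0.0.7 198.51.100.25 25
2010-06-01T10:00:20 10.0.0.7 198.51.100.25 25
2010-06-01T10:00:30 10.0.0.9 203.0.113.50 443
2010-06-01T10:20:00 10.0.0.5 203.0.113.7 25
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_spam_sources(text, window=timedelta(minutes=5), min_targets=5, relay=ISP_RELAY):
    """Return {src: peak distinct port-25 destinations} for hosts that reach at
    least min_targets distinct servers (other than the relay) inside one window."""
    per_src = defaultdict(list)  # src -> [(ts, dst)] for direct port-25 flows only
    for ts, src, dst, dport in parse_flows(text):
        if dport == 25 and dst != relay:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations contacted within [start, start + window)
            targets = {d for t, d in events[i:] if t - start < window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged
```

Tuning the window and threshold against the provider's own baseline keeps customers who merely run a small mail server off the notification list.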

    Through experience, Trend Micro knows that in the majority of cases, a customer will seek help in resolving the compromised machine(s) within their network. This collaborative communication helps reduce the number of bot-infected computers and, by so doing, helps ensure the privacy and security of customers and users.

    Trend Micro believes that the recently signed agreement in Australia (in which ISPs committed to notifying their consumers of PC compromises) and a similar agreement between over a dozen ISPs in the Netherlands (that have agreed to share security information and notify and block compromised customers) will have a dramatic impact on the number of bot-infected computers in those countries alone.

    Through research and monitoring, Trend Micro identified more than 4 million compromised systems in Turkey alone. We worked directly with a particular ISP that subsequently took action, removing these computers from the network as far as spam generation was concerned. Although these computers were still infected and can be used to steal information, the immediate drop in spam from this network was very noticeable.

    The notification role service providers play is vital; during these projects, we have seen that once informed, the majority of customers do proactively look to clean up their network. Also consider that these compromised hosts are not all consumer owned; some of them are in government networks and in hospitals. This means that this is more than just a spam issue, it is also a health and welfare issue.

    Given the size of this issue, do we need IT officials to secure the integrity of systems at country level? Perhaps we do…

    Looking at the evolution of the spam problem, we know that India is a growing issue. Dave Rand is currently working directly with ISPs across India in the search for the right solution to deal with the problem. Brazil is another country coming to the forefront in terms of number of compromised computers. In Brazil, we know that much of the spam is banking related and that the dominant cybercrime families in Latin America are, broadly speaking, online banking focused.

    Trend Micro wants to work with ISPs and to have them take an active role in notifying their customers. The issue is now becoming one of social and moral responsibility for service providers the world over.

    We don’t pretend to know everything but together with the help of ISPs, we know we can help improve the situation for everyone.


    • Bernie

      If my PC gets infected and I don’t notice it (AV misses it) then I would be very happy if my ISP were to inform me that I was infected. Who knows what information is being taken from my PC.

      My work PC was infected with Cridex recently; it has up-to-date AV, is fully patched and I’m not an admin. I did an innocuous search on Google, clicked a viable-looking search result and that was it: a page loaded that used a 0-day Java vuln and my machine was infected. I didn’t click on any pop-ups, but I did see the Java icon appear in the system tray and the page failed to load, so I suspected something was up. I submitted it to VirusTotal and no AV company detected it at the time. It’s not just uneducated users that get infected anymore; I did nothing unusual, the web site I clicked on was a well-known site (hence the high Google result) but it had been hacked. Zero interaction by me other than clicking the search result link.

    • Mark Giles

      I disagree with the idea that ISPs have no responsibilities.
      There are 3 major groups that have a mandate to provide for a safe Internet environment:
      1. ISPs who provide access to the Internet to users based on a legal set of terms and conditions
      2. Registrars who provide domain names to customers, also based on legal documents such as Terms of Service and Acceptable Use Policy
      3. Other service providers such as Google, Microsoft, Yahoo, Tripod etc. who provide services under a set of terms and conditions

      When cyber crime is being committed on the Internet, these 3 groups have the ability to act to prevent it. That ability is vested in their legal conditions.

      Do they have a responsibility to exercise their rights to terminate services? Morally, yes, but legally? If there is sufficient evidence that anyone has knowingly permitted crime to continue to be committed when in their own judgment it is reasonable to assume that that is the case, then failure to act can be regarded as aiding and abetting the crime, or consorting with criminals.

      So rather than arguing that "ISPs should [not] be responsible for monitoring their network and blocking users whose machines have been compromised", I suggest that a failure to act could lead to legal consequences.

    • Pingback: ISPs can help in the fight against botnets

    • Rufus

      I completely disagree with the idea that ISPs should be responsible for monitoring their network and blocking users whose machines have been compromised. An ISP serves one purpose: to provide access to the internet. Their responsibility ends there in my opinion. It's up to the end user to secure their machine(s) and make sure they are safe from virii and malware. You're getting into a dangerous area when you start talking about ISPs monitoring their users (more than they likely do now). It may be considered rude, but if you can't handle simply surfing the internet without handing your credit card number over to criminals, then perhaps you don't belong on the internet in the first place and should stick to watching cable television.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice