Cybercrime is a day-to-day reality for anyone using the Internet. Whether for email or Web surfing, all Internet users are potentially at risk.
Botnets are the tool of choice for distributing malware, for perpetrating attacks, and for sending slews of spammed messages. Through these botnets, botnet herders (the cybercriminals behind the botnets) earn millions of dollars in money stolen from innocent computer users.
These cybercriminals buy and sell services, build partnerships, and rent services just as above-board businesses do; the main difference is the legitimacy and legality of the products, solutions, and services they handle. The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for cybercriminals owing to its speed of distribution and delivery, vast target list, and relatively low cost of investment compared with the profit on offer.
As an example of how and why the spam issue is still overwhelming, according to Trend Micro research, spam now accounts for around 97 percent of all the email in circulation. In a recent laboratory-controlled investigation, the quantity of spam generated by a single bot-infected computer in a 24-hour period amounted to around 2,553,940 messages.
What can be done about it and who can effect change?
According to the recent 2010 Consumer Survey published by the Messaging Anti-Abuse Working Group (MAAWG), 65 percent of the respondents felt that ISPs and ESPs should bear most of the responsibility for stopping spam, computer viruses, fraudulent email, and spyware.
Given that the MAAWG survey also identified that there is a serious lack of awareness regarding bots and botnets on the part of the average consumer, service providers need to consider taking proactive steps to help secure and support their customers.
Trend Micro chief technologist Dave Rand explains that ISPs have the ability to help combat botnets and spam through some fairly simple steps. For instance, they can block email on port 25—the port responsible for SMTP transfers. Botnet communications use port 25 when sending spam and other junk mail.
By blocking port 25 and moving email communications to a different internal port, the spam communications will become ineffective. Generally speaking, users will not notice any direct change, as most use their ISPs’ own servers or free email services from providers like Gmail, Windows Live Hotmail, or Yahoo Mail.
ISPs have the ability to monitor their own network activity and, for billing or technical reasons, can identify particular IP host addresses at any given time. With this information, they know what traffic traverses their network and have the technical ability to observe malicious traffic. This enables them to block port 25 and, more importantly, to identify and notify the compromised customer.
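The two ISP-side controls described above (blocking direct outbound port 25 while leaving customers a path to the provider's own mail servers, and using flow visibility to pick out the customer hosts that are spamming) can be expressed in a few dozen lines. The following is an added illustration, not code from Trend Micro or from the post; the relay address, the customer address range, the use of port 587 as the replacement submission port, the fan-out threshold and the flow records are all constructed assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample flow records (not real traffic), one connection attempt per
# line: "timestamp src_ip dst_ip dst_port". Documentation ranges are used for
# the external addresses.
SAMPLE_FLOWS = """\
2010-06-01T10:00:01 10.20.0.7 203.0.113.10 25
2010-06-01T10:00:02 10.20.0.7 203.0.113.11 25
2010-06-01T10:00:02 10.20.0.7 192.0.2.20 25
2010-06-01T10:00:03 10.20.0.7 192.0.2.21 25
2010-06-01T10:00:03 10.20.0.7 203.0.113.12 25
2010-06-01T10:00:05 10.20.0.9 198.51.100.25 25
2010-06-01T10:00:06 10.20.0.9 192.0.2.80 587
2010-06-01T10:00:07 10.20.0.12 203.0.113.10 25
2010-06-01T10:00:08 203.0.113.50 192.0.2.20 25
"""

# Assumed values for the example: the ISP's own outbound relay, the customer
# access range, and the port customers' mail clients are moved to instead of 25.
ISP_RELAY = ip_address("198.51.100.25")
CUSTOMER_NET = ip_network("10.20.0.0/16")
SUBMISSION_PORT = 587


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow lines, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(dport)))
    return flows


def permitted(flow: Flow) -> bool:
    """Port-25 policy for the customer range: SMTP on 25 is allowed only to the
    ISP's own relay; anything else (including the submission port) passes.
    Traffic that does not originate from customers is left alone."""
    if flow.src not in CUSTOMER_NET:
        return True
    if flow.dport == 25:
        return flow.dst == ISP_RELAY
    return True


def flag_spam_sources(flows: list[Flow], min_distinct_dests: int = 3) -> dict[str, int]:
    """Identify customer hosts that look like spam bots from flow data alone.

    A legitimate mail client talks to one relay; a bot sending spam direct to
    recipients' mail servers fans out to many distinct hosts on port 25. Count
    distinct non-relay port-25 destinations per customer host and report those
    at or above the threshold, which is the list the ISP would notify."""
    dests: dict[IPv4Address, set[IPv4Address]] = defaultdict(set)
    for f in flows:
        if f.src in CUSTOMER_NET and f.dport == 25 and f.dst != ISP_RELAY:
            dests[f.src].add(f.dst)
    return {str(src): len(d) for src, d in dests.items() if len(d) >= min_distinct_dests}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    blocked = [f for f in flows if not permitted(f)]
    print(f"{len(blocked)} of {len(flows)} flows blocked by the port-25 policy")
    for host, n in flag_spam_sources(flows).items():
        print(f"notify customer at {host}: {n} distinct external mail servers contacted on port 25")
```

With the constructed data, the host at 10.20.0.7 is the only one flagged (five distinct external mail servers), the single external connection from 10.20.0.12 is blocked but stays below the notification threshold, and the customer using the relay on 25 and an external service on 587 is untouched. A real deployment would read NetFlow or firewall logs instead of the inline string, but the two decisions shown here, block the path and notify the source, are the ones the post argues for.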
Through experience, Trend Micro knows that in the majority of cases, a customer will seek help in resolving the compromised machine(s) within their network. This collaborative communication helps reduce the number of bot-infected computers and, by so doing, helps ensure the privacy and security of customers and users.
Trend Micro believes that the recently signed agreement in Australia (in which ISPs committed to notifying their consumers of PC compromises) and a similar agreement between over a dozen ISPs in the Netherlands (that have agreed to share security information and notify and block compromised customers) will have a dramatic impact on the number of bot-infected computers in those countries alone.
Through research and monitoring, Trend Micro identified more than 4 million compromised systems in Turkey alone. We worked directly with a particular ISP that subsequently took action, cutting these computers off from the network as far as spam generation was concerned. Although these computers were still infected and could still be used to steal information, the immediate drop in spam from this network was very noticeable.
The notification role service providers play is vital: during these projects, we have seen that once informed, the majority of customers do proactively look to clean up their network. Consider also that these compromised hosts are not all consumer owned; some of them are in government networks and in hospitals. This means that this is more than just a spam issue; it is also a health and welfare issue.
Given the size of this issue, do we need IT officials to secure the integrity of systems at country level? Perhaps we do…
Looking at the evolution of the spam problem, we know that India is a growing issue. Dave Rand is currently working directly with ISPs across India in the search for the right solution to deal with the problem. Brazil is another country coming to the forefront in terms of number of compromised computers. In Brazil, we know that much of the spam is banking related and that the dominant cybercrime families in Latin America are, broadly speaking, online banking focused.
Trend Micro wants to work with ISPs and to have them take an active role in notifying their customers. The issue is now becoming one of social and moral responsibility for service providers the world over.
We don’t pretend to know everything but together with the help of ISPs, we know we can help improve the situation for everyone.