Microsoft Wants to Cordon Off Botnet-Infected Computers
Oct 8, 2010 10:25 AM PT
Microsoft's vice president of trustworthy computing, Scott Charney, has put the call out for a collective, coordinated approach to protecting the public from, among many other threats, botnets.
The worldwide Internet community would do well to apply a public health approach to battling the viruses and malware endemic to the Internet, he said in a speech earlier this week at the International Security Solutions Europe (ISSE) Conference in Berlin.
As U.S. schoolchildren must produce certificates of vaccination before entering the classroom, individuals' and companies' computers would have to produce a certificate of health to use the Internet. Those that couldn't would have their access restricted by, in some cases, having their bandwidth "throttled" until they cleaned up their systems, he suggested.
Charney's proposal is incorporated in a new Microsoft position paper.
"Society needs to explore ways to implement collective defenses to help protect consumers who may be unaware that their computers have been compromised, and to reduce the risk that these compromised devices present to the ecosystem as a whole," Charney says in the paper.
Good in Theory
While the idea of selective restriction of Internet access might seem infuriating at best and rights-violating at its most extreme, it actually is a sound theory, according to Chester Wisniewski, senior security advisor with Sophos.
Comcast has already implemented an alert system, he noted, that lets customers know if their Internet traffic contains the markers of botnet activity. The service, dubbed "Constant Guard," is provided to Comcast by Damballa, a botnet research firm. Damballa has developed a variety of methods for detecting activity related to the large networks of infected computers that increasingly sophisticated organized crime groups use to commit identity theft and related crimes on the Internet.
However, much discussion remains to be had around how intrusive particular monitoring practices might be, Wisniewski noted. In Australia, for example, Internet service providers were asked by governmental bodies to examine traffic coming through their pipes for untoward activity. They explained that they could not do so and maintain respect for users' privacy. Thus, compromises were made about how to look for possible virus-related traffic.
Coming and Going
Restricting a computer's access to the Internet might slow the spread of particular bots being distributed by that computer, but the fact is that websites themselves are the source of much of the malware circulating: an unpatched flaw in a legitimate site lets an attacker plant code there that infects the site's visitors. The majority of software vulnerabilities disclosed during the first half of 2010 remained unfixed at the end of the reporting period, according to a recent study by IBM.
Most Web apps are custom developed by contractors hired to design them for company sites, Tom Cross, manager of X-Force Advanced Research with IBM, told TechNewsWorld. The identified problems are only the tip of the iceberg when it comes to app-based vulnerabilities.
Thus, restricting a computer's access to bandwidth -- throttling it, as Microsoft's Charney suggested -- may protect not only other computers on the Internet, but also the infected computer.
Consider, for example, the recent Zeus botnet that captured users' banking sign-on information. "If you were the person whose computer was infected," asked Wisniewski, "wouldn't you want to know?"
Several important processes would need to be in place before a public-health-informed plan for safe Internet computing could be adopted in the U.S., he stressed.
First, quarantined computers and their users would need to be given access to a subset of sites necessary to fix their malware problems -- including, perhaps, the vendor of their computer's operating system and of its virus-protection software.
In addition, a tiered approach would be necessary, wherein a user would receive notification for a set period of time -- 30 days, say -- that a particular computer might be infected with a bot or malware. Only after adequate notice should bandwidth be restricted, Wisniewski said.
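The two mechanisms the article sketches, an ISP spotting "markers of botnet activity" in subscriber traffic (the Comcast/Damballa service above) and a walled garden that notifies for a grace period, then throttles everything except remediation sites, fit together in a small policy pipeline. The following is an added example written for this page; it is not Comcast's, Damballa's or Microsoft's code, and it goes slightly beyond the text by adding a second marker, regular "beaconing" to one hostname, alongside a plain indicator-list match. The resolver log, the C2 indicator, the remediation allowlist and the 30-day notice period are all constructed or hypothetical values, not real infrastructure.

```python
# Added example (not from the article or from the companies it names):
# an ISP-side toy that (1) flags subscribers whose DNS queries show botnet
# markers and (2) applies a tiered walled-garden policy per destination.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed indicator list; this hostname is hypothetical, not a real C2.
C2_INDICATORS = {"cmd.c2-example.invalid"}

# Hypothetical remediation allowlist: OS vendor, AV vendor, ISP help page.
REMEDIATION_ALLOWLIST = {"update.os-vendor.example",
                         "av-vendor.example",
                         "help.isp.example"}

# Grace period before throttling, as suggested in the article (30 days).
NOTICE_PERIOD = timedelta(days=30)

# Constructed resolver log: "<ISO timestamp> <subscriber ip> <query name>".
# 10.0.0.5 hits the indicator, 10.0.0.7 beacons every 5 minutes, 10.0.0.9 is clean.
SAMPLE_LOG = """\
2010-10-01T08:00:00 10.0.0.5 cmd.c2-example.invalid
2010-10-01T08:10:00 10.0.0.5 cmd.c2-example.invalid
2010-10-01T08:20:00 10.0.0.5 cmd.c2-example.invalid
2010-10-01T08:30:00 10.0.0.5 cmd.c2-example.invalid
2010-10-01T08:03:00 10.0.0.7 beacon.unknown.example
2010-10-01T08:08:00 10.0.0.7 beacon.unknown.example
2010-10-01T08:13:00 10.0.0.7 beacon.unknown.example
2010-10-01T08:18:00 10.0.0.7 beacon.unknown.example
2010-10-01T08:01:00 10.0.0.9 news.example
2010-10-01T08:07:30 10.0.0.9 mail.example
2010-10-01T09:42:00 10.0.0.9 news.example
"""


def parse_log(text):
    """Parse log lines into (timestamp, subscriber_ip, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname = line.split()
        records.append((datetime.fromisoformat(ts), ip, qname.lower()))
    return records


def is_beaconing(times, min_hits=4, max_jitter=0.1):
    """True if at least min_hits queries arrive at near-constant intervals
    (relative standard deviation of the gaps at most max_jitter)."""
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_infected(records, indicators=C2_INDICATORS):
    """Return {subscriber_ip: (first_sighting, reason)} for flagged hosts."""
    per_host = defaultdict(lambda: defaultdict(list))
    for ts, ip, qname in records:
        per_host[ip][qname].append(ts)
    flagged = {}
    for ip, queries in per_host.items():
        for qname, times in queries.items():
            if qname in indicators:
                reason = "indicator:" + qname
            elif is_beaconing(times):
                reason = "beacon:" + qname
            else:
                continue
            first = min(times)
            if ip not in flagged or first < flagged[ip][0]:
                flagged[ip] = (first, reason)
    return flagged


def quarantine_action(first_notice, now, dest,
                      allowlist=REMEDIATION_ALLOWLIST, notice_period=NOTICE_PERIOD):
    """Tiered policy: remediation sites are always reachable; other traffic is
    'notify' (full speed plus a warning) inside the grace period and
    'throttle' once it has elapsed."""
    if dest.lower() in allowlist:
        return "allow"
    if now - first_notice < notice_period:
        return "notify"
    return "throttle"


def quarantine_report(infected, days_elapsed, dest):
    """What each flagged host gets for dest, days_elapsed after first notice."""
    return {ip: quarantine_action(first, first + timedelta(days=days_elapsed), dest)
            for ip, (first, _reason) in infected.items()}


if __name__ == "__main__":
    infected = find_infected(parse_log(SAMPLE_LOG))
    for ip, (first, reason) in sorted(infected.items()):
        print(ip, first.isoformat(), reason)
    print("day 1, news.example:", quarantine_report(infected, 1, "news.example"))
    print("day 45, news.example:", quarantine_report(infected, 45, "news.example"))
    print("day 45, av-vendor.example:", quarantine_report(infected, 45, "av-vendor.example"))
```

The beaconing test is deliberately crude (a fixed hit count and jitter bound); a production system would also have to suppress false positives from legitimate periodic traffic such as software update checks, which is exactly why the article's grace period and always-reachable remediation allowlist matter.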