The FBI has a new target in the war on cyber crooks: bot herders. The agency estimates perpetrators have infected some 1 million PCs with their malware. The initiative includes an outreach effort to contact victims with compromised computers; however, the campaign may have little effect on the total amount of crime.
The FBI is launching a new initiative in the cyber crime wars, taking on the criminal organizations -- the so-called "bot herders" -- that have gathered compromised or zombie PCs under their control. The bot herders' purpose is to send out malware or spam and phishing campaigns over the Internet that cannot be traced back to their origins.
The initiative, colorfully dubbed Operation Bot Roast, includes an outreach effort by the FBI and industry partners such as the CERT (Computer Emergency Readiness Team) Coordination Center at Carnegie Mellon University, to notify some 1 million owners of compromised computers under a bot herder's control.
Specifically, the FBI has identified 1 million victim computer IP addresses.
Like most crime-fighting initiatives, the intent behind Operation Bot Roast is good; whether its actual execution will yield practical results, though, remains unknown.
Indeed, some security analysts say the FBI's initiative is akin to pushing water uphill with a spoon.
Barely a Blip
"While I applaud law enforcement's efforts against cyber crime -- especially since it has been bogged down with other threats since 9/11 -- I am not sure how much this will have an impact," Paul Henry, vice president of technology evangelism at Secure Computing, told TechNewsWorld.
For instance, the so-called King of Spam was arrested last week and, denied bail, has been sitting in a jail cell ever since. This person -- aka 27-year-old Robert Alan Soloway -- is alleged to be the world's most prolific spammer, Henry noted. "Since his arrest, there has been barely a blip in the spam volumes generated."
Even if the FBI succeeded in cleaning up all 1 million identified computers, the agency will have tackled less than one percent of the estimated compromised PCs in the world, he said.
Another reason to be pessimistic, he continued, is the ever growing number of vulnerabilities identified in popular desktop software. One has to look no further than Microsoft's (Nasdaq: MSFT) Patch Tuesday, its monthly ritual of patching vulnerabilities that have been identified in its products.
"As soon as the FBI cleans up one computer, another is as easily infected through a new vulnerability," Henry said.
Yuval Ben-Itzhak, CTO of Finjan, a provider of gateway products, noted the obvious -- the FBI's jurisdiction is limited to the United States, while cyber crime is inherently global.
"For this to work it would require worldwide cooperation from all the law enforcement agencies," he told TechNewsWorld. "Unfortunately, it will take some time to reach that point."
No one can assume they'll only be contacting U.S. residents or citizens, Allysa Myers, Virus Research Engineer, McAfee Avert Labs, told TechNewsWorld.
"Determining location conclusively can be much more complicated than just looking at an IP address and saying 'Ah, they're in Arizona,'" Myers said, depending on what a person's specific setup is. The information to be gained from an infection report could be equally valuable coming from Ulan Bator or Salt Lake City.
"Where it gets difficult is when the bot master is in a country we don't have extradition agreements with. The FBI may have an air-tight case against a bot master, but if they can't get legal access to the person, it's a dead-end," she added.
Other Questions
As chief technology officer for Fenwick & West, Matt Kesner is qualified to speak for businesses that may be on the receiving end of an FBI notification.
"Most companies want to clean up their systems if they are infected," he told TechNewsWorld. It's possible machines at many businesses could be compromised, despite the safeguards most firms now take.
Fenwick & West runs about eight layers of antivirus protection, and the law firm still occasionally finds viruses and malware on its computers.
"We try to clean them up as quickly as possible, and any additional leads would be very helpful," Kesner said.
It is debatable, though, whether an individual or small business would be as sensitive to these issues -- or at the very least, know what to do if they were informed their computers were compromised. Indeed, even the most law-abiding citizen is going to feel a frisson of fear when contacted by the FBI about his or her computer activities, Kesner noted.
This initiative is also likely to lead to online scams -- something the FBI recognizes and hopes to avoid. For instance, the agency said it will not contact anyone online and request personal information.
Other Solutions
Internet security providers are not suggesting the FBI give up its efforts in this realm. There are other actions some providers would like to see the government take as well.
Ben-Itzhak, for example, suggests the FBI also pursue companies that are hosting malicious code.
"They are hosted somewhere on an IP server that has either been compromised or rented for this crime," he said.
Henry, for his part, is placing his hopes on the DomainKeys Identified Mail (DKIM) project, a public-key cryptographic e-mail authentication mechanism.
"That is now getting off the ground with a standard just published in the last few weeks," Henry said. This initiative, coupled with Reputation Defense services -- which identify an e-mail that does not come from a legitimate source -- will take aim at bot herders' bottom line.
"Combining these two will dramatically increase the cost for bot herders because they will have to register their domains in order to send e-mail -- and then continually re-register them every time they are identified as spam," he concluded.