Global co-op feeds FBI's botnet fight

The FBI claims that fighting cybercrime is a top priority, right behind antiterrorism and counterintelligence, and it is seeing better results thanks to worldwide cooperation

Officials with the FBI claim that global law enforcement partnerships are playing a significant role in its ongoing efforts to stomp out botnets and other computer-borne crimes.

Security researchers have long maintained that one of the most significant obstacles to shutting down botnets is the distributed global nature of the individuals responsible for operating the networks of zombie PCs.

Botnets are banks of computers infected by virus programs that allow them to be secretly used to carry out many forms of electronic attacks.

The conventional wisdom has been that U.S. law enforcement officials have struggled to find the budget and manpower necessary to track down cyber-criminals operating on their own turf, let alone find a way to identify and arrest people distributing malware code or operating botnets who are based in foreign nations.

However, hot on the heels of its announcement of a round of arrests of U.S.-based botnet herders and the identification of over one million machines infected by the programs, FBI officials said that international cooperation is playing an increasingly important role in helping it stomp out cyber-crime.

"We've been successful in building relationships with foreign law enforcement officials and have agents in 60 countries around the globe working full time on cyber-crime along with police departments and other agencies," said Shawn Henry, deputy assistant director of the Cyber Division at the FBI. "We've seen some significant developments over the last few years in that area."

While Henry admitted that the very nature of cutting-edge botnet herders can make them hard to find as perpetrators move from one bank of infected machines to another quickly to avoid detection, he said that partnerships with foreign governments in the name of fighting cyber-crime are playing a vital role in aiding the agency's ability to thwart the attacks.

"This type of crime can be committed by someone with minimal resources, sometimes using publicly available tools, which makes it a challenge to identify who is responsible, but international cooperation has allowed us to pursue these efforts in many countries, and we are also helping other nations fight operators located in the U.S. as this is a problem that goes both ways," Henry said.

Rounded up by the agency in its most recent botnet hunt were Robert Alan Soloway of Seattle, who has been tabbed as one of the nation's leading sources of botnet-driven spam e-mail, along with James C. Brewer of Arlington, Texas, who is alleged to have infected several Chicago-area hospitals with botnet programs, and Jason Michael Downey of Covington, Kentucky, who is charged with running botnets that were used to carry out so-called denial-of-service attacks.

Taking such individuals offline has become a task secondary only to fighting terrorists and spies, according to Henry, who said that the FBI's current leadership is very much focused on expanding its ability to battle cyber-criminals.

Whereas the perception within the IT security community has been that computer-based attacks are further down the agency's pecking order and that its efforts to stop such crimes lack the same financial backing as its other pursuits, Henry said that the FBI is taking the problem more seriously than ever before.

"Cyber crime is our number three priority behind anti-terrorism and counter-intelligence, we devote a lot of resources to it, and Director Mueller sees it as a significant criminal problem and is very supportive of our efforts," said Henry. "We also get ample support from the U.S. Department of Justice and have been successful with the legal tools that are being made available to us."

Despite making headway, Henry said that the battle against botnets and other forms of cyber-crime remains an "electronic cat and mouse game" as once law enforcement officials and the security community identify and block one technique being used by schemers, the perpetrators tend to move on to some newer modus operandi.

The FBI's deputy assistant director said that as part of the agency's effort to stop botnets and other attacks, it is hoping that businesses and consumers will become more vigilant and aggressive in lending a hand by keeping their computers protected with the latest anti-virus programs.

The agency is also advising potential victims of cyber-crime to pursue investigation of such activity by contacting their Internet service providers, and the FBI has said publicly that people should report any suspected illegal activity to such companies rather than communicating problems directly to itself or other law enforcement organizations.

Security industry experts lauded the FBI's work to identify and detain hackers as part of its Operation Bot Roast, which led to the arrests of Soloway, Brewer, and Downey, but at least one authority said that the agency may be creating false expectations of relief for businesses and consumers by telling them to fight crimes via their ISPs.

Web access providers, particularly those that cater to residential markets, have minimized help desk support to save overhead costs, and customers may find themselves with little recourse or being asked to pay for additional security services when they call their ISPs to complain, said Danny McPherson, chief research officer at security filtering specialists Arbor Networks. Arbor provides network behavior analysis tools to a number of well-known ISPs, including AT&T, British Telecom, EarthLink, and NTT.

In addition to leaving customers unsatisfied with their ability to respond to attacks, and potentially driving ISPs with minimal support budgets out of business, asking the service providers to become the de facto police for stopping botnet activity is impractical for a number of reasons, McPherson said.

"You tend to see a lot of people, not just law enforcement, calling for quarantines of suspected botnet-infected IP addresses, but you can't just start blocking legitimate users who may not know they are involved. What if you stop someone from making a VoIP-based emergency services call?" McPherson asked. "If someone gets blocked by their ISP, they're going to move to another provider; systems and solutions to automate the security defenses needed to address this problem are being developed, but it will take time, and most infrastructure out there won't natively support that sort of work today."

McPherson said that it is encouraging to see cooperation between U.S. law enforcement officials and foreign nations, but he believes that the botnet issue will remain a major problem nonetheless.

"It's good to see that there is more global information sharing going on, and that local governments are taking responsibility for cleaning up their own backyards, but with millions of bot hosts and more than 90 percent of those outside the U.S., I think they're still only putting a tiny dent in the problem at this point," said McPherson.

Other security industry experts agreed that it will take a lot more effort on the part of the international law enforcement community to have any noticeable impact on botnets and other cyber-criminals.

However, efforts such as Bot Roast will succeed in forcing botnet operators to increasingly worry that they may indeed be brought to justice for the crimes they commit, said Alan Paller, director of research for IT security training provider SANS Institute.

"At this point, the law enforcement community still can't get much done because so many of the perpetrators are located in so many places where there are no cooperative agreements," he said. "But what they are doing is increasing the risk and raising the cost of committing the crimes, which is just what law enforcement is good at; in the end they can't ever really stop people from trying to rob banks, but they can make it really dangerous and costly, just as they always have tried to."

Copyright © 2007 IDG Communications, Inc.