Google exec calls for ISPs to get tough on botnets

Head of Google's Anti-Malvertising team Eric Davis wants Internet Service Providers to look beyond profits and take a more proactive approach to dealing with malware-infested computers on their networks.

GENEVA -- Head of Google's Anti-Malvertising team Eric Davis wants Internet Service Providers (ISPs) to look beyond profits and take a more proactive approach to dealing with malware-infested computers on their networks.

During a keynote presentation at the Virus Bulletin conference here, Davis said competitors in the ISP space must look beyond profits and partner on new initiatives to deal with the "parasites" that have taken control of the Internet landscape.


"Technology is only one part of security," Davis said, adding that the necessary countermeasures are currently undermined by structural issues. "We need to explore industry self-regulation, education and reputation systems," he argued.

Making it clear his statements were not necessarily the views of his employer, the Google executive chided ISPs for not doing enough to help users with infected machines.

"The ISPs are in the best position to detect infected machines. They're in the best place to do something about malware. They already have monitoring systems that could be used to identify signs of malware and botnet activity. If they see abnormally high e-mail activity, that's most likely spam from a botnet," Davis said.

However, because ISPs have no monetary incentive to notify and help disinfect machines, the botnets live and thrive within ISP networks, he added.

"Detection is expensive and tech support is expensive so they don't do anything about it," Davis said.
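The signal Davis describes, a subscriber whose outbound mail traffic suddenly dwarfs everyone else's, is easy to pull out of flow records an ISP already keeps. The following is an added example, not code from the article or from Google: it parses constructed NetFlow-style lines (the `timestamp subscriber src_ip dst_ip dst_port` layout, the port-25 filter and the `median + 5 * MAD` threshold with a 50-flow floor are all assumptions) and returns the subscribers whose outbound SMTP volume is an outlier against the rest of the population.

```python
# Added example (not from the article or Google): flag subscribers whose
# outbound SMTP flow count is abnormally high relative to their peers.
# All records below are constructed test data; the field layout
# "timestamp subscriber src_ip dst_ip dst_port" is an assumption.
from collections import Counter
from statistics import median

SMTP_PORT = 25
MIN_ABSOLUTE = 50    # assumed policy floor: never flag fewer SMTP flows than this
MAD_MULTIPLIER = 5   # flag above median + 5 * median absolute deviation


def make_flows(subscriber, host_octet, n_smtp, n_https):
    """Build constructed flow lines for one subscriber (test data only)."""
    lines = []
    for i in range(n_smtp):
        lines.append(f"2009-09-24T10:{i % 60:02d}:00 {subscriber} 10.0.0.{host_octet} "
                     f"198.51.100.{(i % 250) + 1} {SMTP_PORT}")
    for i in range(n_https):
        lines.append(f"2009-09-24T10:{i % 60:02d}:30 {subscriber} 10.0.0.{host_octet} "
                     f"203.0.113.{(i % 250) + 1} 443")
    return lines


# (subscriber, outbound SMTP flows, outbound HTTPS flows) -- constructed profile
SAMPLE_PROFILE = [
    ("sub-001", 2, 40), ("sub-002", 3, 55), ("sub-003", 1, 30), ("sub-004", 4, 60),
    ("sub-005", 2, 45), ("sub-006", 3, 50), ("sub-007", 2, 35), ("sub-008", 1, 70),
    ("sub-009", 180, 20),   # one machine relaying mail: the spam-bot signature
]
SAMPLE_FLOWS = "\n".join(
    line
    for idx, (sub, n_smtp, n_https) in enumerate(SAMPLE_PROFILE, start=11)
    for line in make_flows(sub, idx, n_smtp, n_https)
)


def parse_flows(text):
    """Parse flow lines into dicts; skip blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, subscriber, src_ip, dst_ip, dst_port = parts
        records.append({"ts": ts, "subscriber": subscriber, "src_ip": src_ip,
                        "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return records


def smtp_counts(records):
    """Count outbound port-25 flows per subscriber (non-SMTP traffic is ignored)."""
    counts = Counter()
    for rec in records:
        if rec["dst_port"] == SMTP_PORT:
            counts[rec["subscriber"]] += 1
    return counts


def smtp_threshold(counts):
    """Robust population threshold: median + k * MAD, never below MIN_ABSOLUTE."""
    values = list(counts.values())
    if not values:
        return float(MIN_ABSOLUTE)
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # avoid a zero spread
    return float(max(MIN_ABSOLUTE, med + MAD_MULTIPLIER * mad))


def flag_outliers(counts):
    """Return {subscriber: smtp_flow_count} for subscribers above the threshold."""
    threshold = smtp_threshold(counts)
    return {sub: n for sub, n in counts.items() if n > threshold}


if __name__ == "__main__":
    counts = smtp_counts(parse_flows(SAMPLE_FLOWS))
    print("threshold:", smtp_threshold(counts))
    print("flagged:", flag_outliers(counts))
```

The MAD-based threshold is deliberately robust: a single infected host with hundreds of connections barely moves the median, so it cannot hide by inflating the population average, while the absolute floor keeps a quiet network from flagging a subscriber who sent four messages instead of two.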

He recommended ISPs use the Australian Internet Security Initiative (AISI) as a model to fight malware. The AISI group mandates minimum customer security levels and isolates infected machines into "walled gardens" until the malicious software is removed.

"The computer has to meet certain [security] standards for that ISP to grant access to the Internet," Davis said.

At a bare minimum, he recommends that ISPs mandate that all computers connecting to the Internet be fully patched (operating system and third-party software) and have active anti-malware software running.

"We need to restrict computers that are not in good condition and maybe offer carrots to consumers -- maybe provide some additional services, more disk space or free tech support as incentives for users to be strict about security."

Davis said this level of cooperation was also needed to combat the malicious advertising (malvertising) menace, where cyber-criminals buy text ads and redirect users to dirty sites or embed malicious code into multimedia (Flash) ads.

"Most malware ads today are made with Flash. There are some very dangerous things hidden in rich media, installing malware without any action on the user's part," Davis said, warning that malvertising can leverage known brands and use sophisticated tricks to get malicious ads placed on high-traffic legitimate sites.

The New York Times and MLB.com are two known brands that have served malicious advertising in recent times.

"It's become big business. These guys [cyber-criminals] will approach an ad agency and say they're working with a company, have a pretty good spend planned out. They create shell brands that look respectable and, on the publishing side, there are very few incentives to do something about it."

"Part of the solution is a business decision. The players involved need to do better background checks, rather than just take a credit card. This underscores the larger theme that there's no single actor to take full responsibility for this problem. It's a systemic problem," Davis added.

He challenged the anti-malware industry to do a better job of scanning SWF (Shockwave Flash) content to look for signs of malicious activity and called on online advertisers to partner on running background checks on advertisers.

"We should have a clearing house with information on advertisers, agencies. Does their nameserver host match the information on the credit card? Does that match the customer's contact information? We need to be on top of these things."

Also see Dennis Fisher's coverage at Threatpost.