* Ryan Naraine is on vacation.
Guest Editorial by Dr Jose Nazario
The US FBI has kicked off Operation Bot Roast this summer with the goal of addressing the botnet problem. Hurray for them, it's good that something is being done. However, this is probably not going to stop the botnet problem, and maybe won't even make a dent in the problem.
This kind of large-scale effort has yielded results in the past. Look at the case of Robert Soloway, a spammer recently indicted after a very well run investigation. This kind of investigation has been dramatically helped through a partnership between the private sector of anti-spam people like Spamhaus and legal authorities. But still we suffer from spam in our inboxes, as much as ever before. With Soloway gone, there are many more who want to take his place.
Spam and malware aren't just an annoyance, as discussed in this NYTimes article. Botnets, and any large scale issue on the Internet, can lead to real-world problems for everyone, directly connected or not. So, we have to do something, and in the meantime, Bot Roast is a good first step, but it's far from sufficient. It still takes dozens of people working for months to bring a single case to indictment; at that rate we'll always be outpaced when dealing with this problem. The bad guys know this.
The problem with an effort like Operation Bot Roast isn't that it's too little, too late. It's that such an operation is better geared at a more structured adversary, such as organized crime or the drug trade. There the hierarchical gating to entry and control means that large efforts like Bot Roast can, and will, yield real results against an adversary. However, botnet operators are not nearly as well organized as La Cosa Nostra or the Cali Cartel, where the axiom from the 1971 film "The Incredible Two-Headed Transplant" holds true, "kill the head and the body will die!" Online crime is more like dealing with insects and rats: kill one and others will fill its place.
Similar to the economics of the corner dope dealer (as covered in Freakonomics), there's no shortage of people who aspire to be the "top dog" and make all the money, although most fail to do so. However, unlike the corner dope dealer, there's no limiting element with a botnet or malware.
The widespread availability of the criminal asset -- malware -- means that all you need is some basic interest to start. You don't even need to know how to write software.
The financial gains to be made with a botnet through adware, ID theft, and spyware are so lucrative, and the penalties are so uncommon, that there's no shortage of people who are willing to venture into the dark underground and try their hand. And for those who want to get involved with a botnet of their very own, they can easily find source code and assistance to help them get off the ground. In short, there's no shortage of people willing, able, and motivated to become the next botnet master.
Given that the penalties, both real and likely to occur, will fail to dissuade people from launching bots onto the open Internet, we have to think about other mechanisms for shutting down online crime. One key tactic for slowing down the explosive botnet growth that we've witnessed in the past few years is to make the incentives far less attractive and more difficult to use.
The E-Gold indictment is one such example of how to do this. By cutting off a popular point for money laundering, the authorities have begun to make the lives of criminals harder. This won't just have an effect on botnets but on all online crime, including eBay fraud and theft, ID theft, malware-based fraud and theft, and the like.
Besides, everyone knows that nothing really dies on the Internet. Witness Blaster still active after several years. All those bots still roaming around, and the persistence of malware. Perhaps we should enlist all of these criminals, once convicted, in door-to-door cleanup of infected machines.
* Dr Jose Nazario tracks botnets for a living. He is a senior security researcher at Arbor Networks.