150 million bots
The majority of the estimated 600 million computers attached to the Internet are home computers, with no one to secure or clean them up when they become compromised. Right now, entire underground economies exist for buying and selling access to trojaned home computers for criminals to broadcast spam, flood targets offline, or just plain old keystroke capturing for bank access and credit card numbers. Criminals are crafting malware not just to infiltrate home computers, but to delete competing malware so they can have use of the box to themselves.
Yesterday Vint Cerf and other pioneers were quoted in an article by the BBC saying that 150 million of the 600 million machines are bots and the situation is an epidemic. No kidding. Botnets have been growing right along with the adoption of broadband Internet access. This is not news, of course. In 2003, when Microsoft worms were at their peak, it was easy to see from server and firewall logs that most sources were broadband home computers. On the servers we manage we still see home computers sending Nimda attacks, even today in 2007. That means those machines have been compromised and have been performing non-stop probing of every Internet IP 24 hours a day since that worm first made headlines in 2001, and in all that time neither the computers’ owners nor their ISPs have noticed. Or perhaps they’ve noticed and just don’t care enough to clean off the worm.
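The log evidence described above can be pulled out mechanically. The following script is an added example, not code from the original post: it parses NCSA combined-format web server log lines, flags requests matching a handful of well-known Nimda probe paths, and reports how long each source address has been at it. The log format, the signature subset and the sample lines (documentation-range IPs) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# A subset of the well-documented request paths Nimda uses to probe IIS hosts (illustrative, not exhaustive).
NIMDA_PATTERNS = [
    re.compile(r"/scripts/root\.exe", re.I),
    re.compile(r"/MSADC/root\.exe", re.I),
    re.compile(r"/[cd]/winnt/system32/cmd\.exe", re.I),
    re.compile(r"/_(vti|mem)_bin/\.\.%5c", re.I),
]
# NCSA combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (source ip, timestamp, request line), or None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def is_nimda_probe(request):
    """True if the HTTP request line matches one of the Nimda probe paths."""
    return any(p.search(request) for p in NIMDA_PATTERNS)

def persistent_probers(lines):
    """Map each source IP that sent Nimda probes to (hits, first seen, last seen)."""
    seen = defaultdict(lambda: [0, None, None])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not is_nimda_probe(parsed[2]):
            continue
        ip, ts, _ = parsed
        entry = seen[ip]
        entry[0] += 1
        entry[1] = ts if entry[1] is None else min(entry[1], ts)
        entry[2] = ts if entry[2] is None else max(entry[2], ts)
    return {ip: tuple(v) for ip, v in seen.items()}

# Constructed sample log lines (documentation-range IPs, not real observations).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2003:08:15:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292',
    '203.0.113.7 - - [21/Jan/2007:13:40:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292',
    '198.51.100.9 - - [21/Jan/2007:13:41:30 +0000] "GET /index.html HTTP/1.1" 200 1043',
    "not a log line",
]

if __name__ == "__main__":
    for ip, (hits, first, last) in persistent_probers(SAMPLE_LOG).items():
        print(f"{ip}: {hits} Nimda probes over {(last - first).days} days")
```

A source whose first and last probe are years apart is the "compromised and never cleaned" case the post describes; the script ignores ordinary requests and malformed lines.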
As the money that can be gained from botnets increases, so will competition among the black hats and the lengths to which they will go to compromise boxes. Right now all the low-hanging fruit are owned… all Windows 9x, 2000 and XP boxes running without a firewall, antivirus or limited accounts have been compromised… some multiple times by competing botnet herders. Now that a new version of Windows is out, expect turf wars as criminals fight to regain access to the PCs home users are replacing so they can run Vista.
The discussion to be had is: what do we do about this mess? Home users will not clean up their machines. As anyone running an ISP knows, telling a home user their machine is compromised usually results in no action, even if you tell them they may have keyloggers sniffing their banking passwords. Cut the user off until they take action and they just switch (or threaten to switch) to another ISP who won’t bother them.
I agree with Bruce Schneier’s recent assessment: software liability is really the only way out of this mess. Crappy software is not the only reason why information security is such a massive problem, but it is the main reason by far. Software quality simply will not improve until there is a financial incentive for software producers to do so.
Where possible it’s best to leave such pressure to the market, but to date the marketplace has failed to demand better quality. People will buy Vista not because of its alleged security improvements, but because it’s The New Cool-looking Windows and is pre-installed on the PC they’ve been waiting to buy since Christmas. Sadly, without consumer demand that leaves legislation to provide the profit motive to producers: civil liability for damages (regardless of what the EULA says), fines, even jail time when willful negligence can be proved. When the survival time of Windows XP is just 16 minutes, I think a case for negligence can be made.
Unfortunately, software liability will probably take a while. It took decades of deaths before automobile seatbelts were made mandatory in the 1960s. It took thousands being killed in building, bridge and dam collapses around the world before construction standards were developed and enforced and engineers were required to be trained and licensed. Bad software security causes billions in financial loss every year, but it doesn’t kill many people. Sadly, it usually takes deaths before anyone takes a risk seriously enough to act.
History is repeating itself… you can find many parallels between current software "engineering" and the early days of civil engineering. For example, this engineering disasters page references a study in which the four leading causes of engineering failures are:
- Insufficient knowledge: 36%
- Underestimation of influence: 16%
- Ignorance, carelessness, negligence: 14%
- Forgetfulness, error: 13%
Wow… sounds just like a breakdown of the bugs in the typical software development project, doesn’t it?