Monday, June 09, 2008

Using Market Forces to Disrupt Botnets

There's never been a shortage of radical approaches for disrupting the most successful botnets, but there has been a surplus of ethics on the part of researchers, as well as a lack of internationally implemented legislation on who should be given a mandate to do so, how, and when.

Basically, country A doesn't really want country B's security researchers messing with the infected hosts in its country, citing cyber espionage fears, even though the researchers' intentions are purely a result of their capability to make an impact. And self-regulation, in times when the average Internet user wants her Web 2.0 experience and doesn't really feel comfortable trying to understand what the latest SQL injection has to do with her, is so unpragmatic that it makes me wonder why everyone is so obsessed with trying to measure how many PCs out of a given number are malware infected. In reality, what should be measured, in order to emphasize the degree to which malware introduced by multiple parties is managing to infect a PC, is how many different instances of malware a single PC is infected with at a particular moment in time. Now, go perform a forensics audit on a PC which, on behalf of over ten different pieces of malware, is responsible for fraudulent e-banking transactions, hosting of phishing pages, and participating in fast-flux networks that one moment serve scams and the next live exploit URLs: a daily reality for a countless number of forensics experts.

How could market forces be used to disrupt botnets anyway, and how relevant would this approach be in a real-life situation? Like every other underground market proposition, buying botnets is no different from buying stolen credit cards, as long as you have multiple propositions to take into consideration, where the prices often vary by over 100% between offers. With the increasing supply of botnets for sale and the degree of price differentiation, a certain country can easily buy direct access, request a botnet on demand consisting of infected hosts within that country only, and do whatever it wants with them; in this case, perhaps fortify and patch each host after forwarding it to several online malware scanners, to ensure they won't have to re-buy access to it again. Security radicalization, as in this case, is an often misinterpreted term which, when applied in a free market economy, can ruin a lot of perhaps already broken business models, but will also contribute to the development of new market segments. Hand me the botnet menu, please:

For instance, 1000 bots go for $25, but there are also propositions offering 10,000 bots for $50, theoretically, since there's always the suspicion that the seller won't deliver the goods and you'll end up in a situation where scammers scam the scammers. For $1000 you can buy 100k infected PCs, and for another $100,000, a million infected PCs. So what? Well, establishing a task force to periodically purchase already infected PCs and disinfect them, of course in an opt-in fashion on behalf of the end users in order to please the paper tigers, who state that if their government can magically help them fight malware they're interested, is one of the many ways market forces could be used to directly mess with the oversupply of botnets for sale.

The question is perhaps not how realistic this is, since both the service and the direct contact approach are already there, but how important such a perspective is for anything cybercrime-related at the bottom line. Cybercrime has long stopped merely increasing; it's basically reaching a stage beyond efficiency and turning into an easily outsourceable process, with the lowest entry barriers to participate in it ever.
