Digital vaccine needed to fight botnets
The equivalent of a government-backed vaccination scheme is needed to clean up the huge numbers of PCs hijacked by cyber criminals, suggests research.
In Europe, about 5-10% of PCs on broadband net links were hijacked and part of a botnet in 2009, it suggests.
ISPs are key to wresting control of these machines away from criminals, says the Dutch report.
Initiatives in Germany and Australia show how official help can boost efforts to clean up infected machines.
The survey of botnet numbers was carried out in an attempt to understand the scale of the problem and reveal the forces influencing how many PCs on a particular network are hijacked.
Botnets are typically networks of home computers that malicious hackers have managed to hijack by tricking their owners into opening a virus-laden e-mail or visiting a booby-trapped website.
They are then commonly used to pump out spam and attack websites.
The team drew up its results by analysing a pool of 170 million unique IP addresses culled from a spam trap that amassed more than 109 billion junk mail messages between 2005 and 2009.
With 80-90% of all spam being routed through hijacked PCs these IP addresses were a good guide to where infected machines were located, said Professor Michel Van Eeten from the Delft University of Technology who lead the OECD-backed research.
Analysis of this huge corpus of data showed that about 50 ISPs were harbouring around half of all infected machines worldwide. Confirmation of this finding came from other non-spam sources - the 169 million IP addresses that were part of the Conficker botnet and 130 million IP addresses collected by net security watchdog SANS.
The numbers of machines on these networks varied widely, said Professor Van Eeten, but infected rates on individual networks were quite stable over time relative to each other.
What was also clear from the research, he said, was that ISPs were not going to be able to clean up the large numbers of infected machines without some kind of central aid. In Holland, ISPs have dramatically increased their efforts but are still only cleaning up about 10% of infected machines.
At the moment, he said, two bottlenecks were preventing ISPs doing more to clean up machines.
The first, he said, was the lack of comprehensive data about the numbers and location of infected machines.
An initiative by the Australian government to pool data on infections and provide it to the nation's ISPs showed how this could be overcome, said Prof Van Eeten.
"The second bottleneck is that it costs money to notify customers and get them to clean up their machine," he said.
"An incoming call is very costly especially as those kinds of calls need experts," he said. "ISPs can completely lose their profit margin on a customer like that."
South Korean and Germany had tackled this problem, he said, by setting up national call centres to which ISPs can refer infected customers where they can get advice about disinfecting their machine. The call centres are publicly funded - though Germany will only pay for its centres temporarily.
"Governments can be very helpful," he said.
Prof Van Eeten said the numbers and prevalence of botnets suggests we should perhaps see them as the modern-day equivalent of the epidemics that struck in Victorian times and prompted the creation of government-backed vaccination schemes.
A similar system delivering a digital vaccine might again be part of the solution, he said.