Opinion: Botnets must die

August 24, 2009 12:01 AM ET

Computerworld - Dateline 2011: Today's Internet report is Green in the European Union, Yellow in North America but still Red in the Pan-Pacific countries and Israel.

In the U.S., Facebook and Twitter are still under siege from the Windows-based Katrina Storm botnet. Google, however, reports that search delays are now down to an average of three seconds. Things have gone from bad to worse in Japan and Reunified Korea, though, as attacks from former North Korean cyberwarfare units using the Windows-based MyDoom VII botnet have locked down all financial and government Web sites. That's still better than Israel, where, according to landline phone reports, attacks from the so-called Sons of Eichmann cyberterrorist group using the Windows botnet New Cyxymu have totally frozen the country's Internet access.

Sound like science fiction? I wish it were. I think it's a fair prediction of where we're going if we don't stop Windows-based botnet distributed denial-of-service attacks.

We've already seen countries like Estonia and Georgia knocked off the Internet by Russia-based hackers using botnets. Google was slowed to a crawl by a similar attack, and South Korean and U.S. business and government Web sites were hammered earlier this year. The early-August attack on Twitter and Facebook, which stopped Twitter in its tracks and brought Facebook to its knees, was only the latest in a series of damaging DDoS attacks.

This is only going to get worse. Windows' insecurity has allowed millions of PCs to turn into soldiers in botnet armies. Most of the time, their controllers are happy to let these systems quietly churn out hundreds of millions of spam e-mails a day. Or, as in the case of the Clampi Trojan, which has infected up to a million Windows PCs, silently steal credit card information.

Now, however, botnets are being used for more than just the criminal activities of social misfits eager to make a quick buck off of naive users. They're being used to attack businesses, countries and, in the case of the attack that busted up the social networks this month, one individual, a pro-Georgia blogger.

Think about that. Every major Western social network was brought to its knees because a small group of people were ticked off at one guy.

We can't let this continue. Catching the botnet masters has proved to be close to impossible. So we're going to have to try another approach.

The only way I can see of doing it is to choke off the botnets. Since all -- I repeat all -- botnets run on poorly secured Windows systems, I think Internet service providers have to either block compromised PCs from getting to the Internet in the first place or force-feed security upgrades into them.

We already know Microsoft can't fix Windows' security problems. Every month brings yet another Patch Tuesday full of fixes for major vulnerabilities, yet Microsoft never catches up with Windows' security holes. It never will. Windows started out without network security, and every fix since Windows for Workgroups has been one patch on top of another, right through to Windows 7.

We also know education won't do the job. Anyone with a higher-than-room-temperature IQ already has security software and keeps up to date with patches. Let's be kind and assume that 90% of the Windows-using population does this. That leaves, what, about 100 million Windows PCs in the world available for botnet deployment?

Yuck! I don't like those odds!

No, the only solution is for ISPs to start checking Windows PCs in at the Internet gate, and if they don't pass a minimum security check, we don't allow them in. If an ISP doesn't join up with this posse, cut it off from the rest of the Internet. This really is a case where if you're not part of the solution, you're part of the problem.

Don't like it? Tough. It's either that or we're all going to get stuck with an Internet that's tied into knots by 2011.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at sjvn@vna1.com.
