[Infowarrior] - Spyware, the FBI, and The Failure of ISPs

Thu Jun 9 06:57:03 CDT 2011

(c/o MS)

Spyware, the FBI, and The Failure of ISPs
ARTICLE DATE:  06.01.11
By  John C. Dvorak
http://www.pcmag.com/print_article2/0,1217,a=264949,00.asp?hidPrint=true

Operation Adeona, it was called. It involved the FBI. Spyware. Intrigue. Controversy. The FBI took it upon itself to attack one of the miserable botnets that plagues the Internet to figure out how to intercept its "calling home function." And essentially it ended up giving it new and less destructive instructions. Let me try to explain.

Botnets generally consist of thousands of infected computers that have some specific piece of malware installed. Your computer at home may be one of them. The malicious code is usually in the form of a Trojan Horse that was planted by a Web site or some  code you mistakenly clicked on. Once installed on your computer it doesn't really do much until called into action.

The idea nowadays is to inhabit your machine for nefarious purposes including mailing spam from your account, pinging a target computer to harass someone, or even to do odd sorts of market research. Most of the time these infected machines do their dirty work after hours and seldom during the day when an observant owner might spot the dubious activity.

It is a public nuisance. I cannot emphasize enough how people should run some good scanners to ferret out these programs. Millions of machines are infected.

Anyway, so the FBI decided to counterattack one of the major botnets called Coreflood, which is used to loot bank accounts. The FBI was to replace the servers communicating with infected Coreflood machines with its own servers, and also to disable the Coreflood malware on the infected machines. This process seems to have gonewell and the botnet was mostly silenced and had no way of getting any more nefarious instructions, rendering it useless. The problem is that the code is still on the machines. Now it gets dicey.

Is the FBI Going Too Far?
The FBI wants to take things a step further and let the code phone home to get an instruction to remove itself from the infected machines. In other words, it wants to have each personal computer erase code without the permission of its owner. Thus a controversy is now brewing.

Privacy advocates see this as the beginning of the end insofar as government interference with private PCs goes. It would be pretty effortless to snoop on personal machines and perhaps find illegal MP3 files or fake copies of Windows or whatever. Then the government could erase the copies or have you arrested or disable your machine completely. These are justified fears, but I do not see any of this current process actually leading to that.

In this instance the FBI appears to have been quite careful about everything and is showing no signs of being the camel head in the tent. I'd love to see the FBI uninstall these Trojans from any machine that would accept the uninstall code. There is a fear that doing this might damage some machines somehow. Perhaps the uninstall would take place while the machine was being used and a disk access was affected by the uninstall and important data was lost. There are a lot of possibilities and most are bad.

But the FBI is collecting the ping information from the machines, and some people hope that the Agency could work with ISPs and tell the specific owners of the machines that their machine is infected and they need to take action. This idea is the most reasonable approach as far as I'm concerned.

The Role ISPs Should Be Playing

But here is the element missing from the whole mess: None of this should be necessary. ISPs should be monitoring their networks themselves and looking for botnets everywhere.

I had a machine once that was infected and sending out millions of pings while I chatted with tech support. I ran a virus scanner and found some Trojan; I erased it, and the machine was great after that.

The tech support guy saw the machine was doing this and reported it to me. Why can't all the ISPs routinely look at the activity on the network and use deep-packet sniffing to find these infected machines and tell the customer in the first place? How hard can it be? It's believed they can deep-sniff a Skype call, why not find these bots? After all, it would save bandwidth and be a benefit to everyone.

I have no objection to the FBI trying to fix the problem, but the problem probably wouldn't exist if ISPs did more for their customers than merely collect money.