The Biggest Botnet in the World

You may have seen the news about the bot masters in Spain who were arrested. Defense Intelligence (http://defintel.com/docs/Mariposa_Analysis.pdf) dubbed this the Mariposa botnet. It is claimed that this botnet had the power to perform much stronger attacks than the ones Estonia witnessed a couple of years ago. Still, this botnet is dwarfed by the largest botnet in the world.

The largest botnet in the world is made up of computers running Microsoft Update, and Microsoft controls this botnet. Yes, this really is a botnet. Don’t confuse the term botnet with a requirement that it send spam, steal information, or attack other computers. A bot is an automated program, and a botnet is a group of computers running an automated program that is controlled by the same entity. Microsoft controls what Microsoft Update does. If Microsoft wants to install a piece of software that is completely useless to every customer with legal software, it simply calls an anti-piracy program a critical update, and all of the Microsoft Update bots obediently download and run the program. If Microsoft wanted to, it could make every computer running Microsoft Update send spam, attack other computers, upload documents, and so forth.

Here is where it really gets interesting to me. A day ago at RSA, Microsoft’s Scott Charney, the Corporate Vice President for Trustworthy Computing, suggested an Internet tax to help clean up the net. In his talk, Charney is quoted as saying that when a computer user allows malware to run on his computer, “you’re not just accepting it for yourself, you’re contaminating everyone around you.”

Often it isn’t the user who allowed the malware to run; it is Windows autorun that never gave the user a chance to say no to the malware. The most prevalent threats we see, including Conficker, make use of autorun precisely because it is known to be such an effective infection vector. With Windows 7 Microsoft changed autorun so that it no longer works with most USB devices. Even though the change does not go far enough, it is not insignificant. The problem is that most people don’t know that the equivalent patches are available for Windows Vista and Windows XP, operating systems that have a much larger market share than Windows 7.

Come on, Mr. Charney: Windows Genuine Advantage and Windows Activation Technologies do nothing to protect the average user, but disabling autorun would neuter many of the prevalent threats and shut down an automated infection vector. It is long past time for Microsoft to put the botnet it controls to effective use in eliminating the vulnerable-by-design autorun functionality present in Windows 95, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Vista.

As long as Microsoft is the deliberate enabler of malware that a user does not choose to run, I really don’t think Microsoft can credibly accuse users of “allowing malware to run on their computer.”

I appreciate the remarkable and laudable security progress Microsoft has made, but before you, Mr. Charney, ask users to swallow a tax or fee for bot clean up, bite the bullet and clean up the autorun infection vector.

Update… I checked with our virus lab, and it appears that close to 30% of the malware out there is using autorun as one potential infection vector. The recently discovered Zimuse worm only spreads via autorun. My friend and colleague blogged about Zimuse at http://www.eset.com/threat-center/blog/2010/01/22/bemused-by-zimuse-dis-is-not-one-half and http://www.eset.com/threat-center/blog/2010/01/22/we-are-not-zimused-a-few-updates.

Randy Abrams
Director of Technical Education
