Botnet cleanup is a problem for ISPs

"The biggest problem we have is getting ISPs and hosting providers to do a better job at taking down these networks once we report them," Lutz says. "Often the service providers just give you an e-mail bin to send complaints to, and you never know if they act upon them. We have the same problem when contacting law enforcement, which is particularly difficult outside the US."

Botnet cleanup is a big challenge for service providers, adds Danny McPherson, chief research officer for Arbor Networks. In September, Arbor conducted a survey of 52 Internet backbone and service providers, 43 percent of whom said they felt unable to deal with the botnet problem.

"You've got to find the compromised Web sites, which can only be measured by looking for spam relays running on the Web servers or by monitoring certain ports," McPherson says. "And when hosting providers do find a hosted site running some form of malware installers, they'll have to be able to shut down just that site without affecting other customers. Right now, they think they have to pull the plug on the whole server."

With 12 million domain name registrants, GoDaddy employs seven abuse investigators to handle an average of 5000 abuse complaints daily. Butler says the team looks at each complaint and correlates the information in order to turn off purposefully criminal Web sites and to help owners of infected sites clean and patch their applications.

"The truth of the matter is that not everyone who puts up a Web site is a security genius," Butler says. "So we do a lot of work on user education."

Forensics support and education are a start. What's missing is a serious discussion about hosting providers assuming security responsibility over the applications hosted on their customer Web sites, Keller says.

Service providers caught in the middle

But putting this burden on the hosting service providers opens a whole can of worms the industry's not ready for, Butler says. Patch management alone would be a huge effort. And how do you standardize, control and support the applications among millions of users? Not to mention putting service providers in the uncomfortable position of being liable for customer computer support, he adds.

These are the same reasons e-businesses with brands to protect aren't taking care of their part of the problem by checking the integrity of their customer computers at log-in.

In the past year, Panda, Symantec and most other leading antimalware vendors have released remote services capable of quickly scanning consumer PCs for basic security, patch configurations and even commonly known viruses.

"There's always other support issues wherein perception becomes the reality and someone calls and says, 'Did you break my computer?'" Keller says. "And there's also the perception among consumers that this is invasive."

Guest integrity checking is the most viable way of stopping automated phishing attacks, according to Symantec CEO John Thompson during a keynote address at RSA in February. Rather than being seen as invasive, Thompson says that helping consumers with their security builds better brand-to-consumer relationships.

Companies considering such technologies should look to products that are vendor neutral, meaning they can check any brand of firewall, anti-malware technology, and all leading operating systems and browsers for patch and security configuration.

That's because, in the last year, Shadowserver and other researchers have found bot-controlled Linux and Mac OS/X systems. According to CERT and other security analysts, keylogger installs have occurred on handhelds in Europe and Asia, where telephone computing is popular.