Botnet cleanup can sometimes take years and years

Aug 5, 2015 12:06 GMT

Three researchers from the Delft University of Technology in Holland have published a report showing that cleaning up after botnets takes years and is, most of the time, ignored once the threat has been stopped.

Whilst most of the focus is put on botnet mitigation, and especially on the techniques used to disrupt command-and-control structures, very few security firms, ISPs, and governments actually follow up by cleaning up the mess that these malicious actors leave in their wake.

Working with data from Conficker, the largest botnet ever detected, abandoned by its makers after it was sinkholed, the researchers observed that "nearly a million machines remain infected" even 6 years later.

It's easier to wait for users to migrate off XP than to watch a botnet disappear

Researchers claim that "cleanup seems even slower than the replacement of machines running Windows XP" and blame it on institutional differences and software piracy.

Observing that "peak infection levels strongly correlate with ICT development and software piracy," researchers urge software manufacturers to allow automatic updates to be performed even on non-licensed, pirated software, for the sake of security above all.

National anti-botnet initiatives just don't work

According to their paper, which will be presented at this year's USENIX conference in Washington, "national anti-botnet centers have had no visible impact" and "some ISPs may have judged the neutralized botnet an insufficient threat to merit remediation."

What these institutions seem to forget is that these infected machines have already had their guard taken down by the highly efficient Conficker and can "be magnets for other threats," like GameOver Zeus, which many security firms found running on many of the machines previously infected by Conficker.

In conclusion, the researchers urge ISPs to be actively involved in distributing cleanup tools, instead of merely pointing users to a URL, and software manufacturers to be more permissive when it comes to licensing these tools to ISPs involved in cleanup efforts.