The benign botnet
Publication date: 28 May 2008. Originally published 2007 in Atomic: Maximum Power Computing.
Last modified 03-Dec-2011.
At first, botnets - centrally-controlled collections of Internet-connected virus-infected "zombie" PCs - didn't do anything very imaginative.
The bot-herders used, and still use, their countless slaves to send spam. A botnet can also swamp other people's systems with traffic - a "distributed denial of service" attack.
One other profitable but uncreative technique is to install whatever pieces of slime-dripping adware make the bot-herders the most money on every zombie PC. Or the botnet can just fake clicks on ads which the owners of the infected PCs never actually even saw.
Until recently, that was about all botnets did.
Now, though, botnets are not just sending you spam, but actually hosting the sites they're spamming about. In this "botnet hosting", the zombie that hosts the site changes from minute to minute, and the nameservers that tell your browser where the host-zombie is are, themselves, also zombies.
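The "botnet hosting" pattern described above (a hostname whose address changes from minute to minute, with nameservers that are themselves zombies) leaves a distinctive trace in passive DNS data, which is where a defender would look for it. The following is an added example, not code from the original article: a small heuristic that groups constructed DNS observations by name and flags names whose answers churn across many unrelated networks with short TTLs. The thresholds, the `DnsObservation` record layout and all domain names and addresses are assumptions made up for the example.

```python
"""Fast-flux style churn detection over passive-DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    """One passive-DNS record: the answer a resolver returned at time ts (constructed)."""
    ts: int       # seconds since epoch
    name: str     # queried name
    rtype: str    # "A" or "NS"
    value: str    # IPv4 address for A records, nameserver hostname for NS records
    ttl: int      # TTL in seconds


@dataclass
class FluxSummary:
    name: str
    distinct_ips: int      # distinct addresses seen in A answers
    distinct_nets: int     # distinct /16 prefixes among those addresses
    distinct_ns: int       # distinct nameserver hostnames seen in NS answers
    mean_a_ttl: float      # mean TTL of the A answers
    span_seconds: int      # time between first and last observation


def slash16(ip: str) -> str:
    """Return the /16 prefix of a dotted-quad IPv4 address, e.g. '10.57.8.9' -> '10.57'."""
    return ".".join(ip.split(".")[:2])


def summarize(observations):
    """Group observations by name and compute churn metrics for each name."""
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)
    summaries = {}
    for name, recs in by_name.items():
        a_recs = [r for r in recs if r.rtype == "A"]
        ns_recs = [r for r in recs if r.rtype == "NS"]
        ips = {r.value for r in a_recs}
        nets = {slash16(r.value) for r in a_recs}
        nameservers = {r.value for r in ns_recs}
        mean_ttl = sum(r.ttl for r in a_recs) / len(a_recs) if a_recs else 0.0
        times = [r.ts for r in recs]
        summaries[name] = FluxSummary(
            name, len(ips), len(nets), len(nameservers), mean_ttl, max(times) - min(times)
        )
    return summaries


def is_fast_flux(s: FluxSummary, min_ips=5, min_nets=3, max_ttl=300) -> bool:
    """Threshold rule: many addresses, spread over unrelated networks, short TTLs.

    The thresholds are assumptions for illustration. CDNs also rotate addresses,
    but normally within a handful of networks, which is why the /16 spread counts.
    """
    return s.distinct_ips >= min_ips and s.distinct_nets >= min_nets and s.mean_a_ttl <= max_ttl


def nameserver_churn(s: FluxSummary, min_ns=3) -> bool:
    """Secondary signal: the NS set itself keeps changing (zombie nameservers)."""
    return s.distinct_ns >= min_ns


def flag_domains(observations):
    """Return the sorted list of names whose A-record behaviour matches the flux rule."""
    return sorted(n for n, s in summarize(observations).items() if is_fast_flux(s))


# Constructed sample data; none of these names or addresses are real indicators.
# "pills.example" rotates through six addresses in five different /16s every
# minute with TTL 60 and shows three different nameservers; "shop.example" keeps
# the same two addresses with TTL 3600 and one nameserver.
SAMPLE = [
    DnsObservation(0,    "pills.example", "A",  "10.1.2.3",    60),
    DnsObservation(60,   "pills.example", "A",  "10.57.8.9",   60),
    DnsObservation(120,  "pills.example", "A",  "10.113.4.4",  60),
    DnsObservation(180,  "pills.example", "A",  "10.200.1.1",  60),
    DnsObservation(240,  "pills.example", "A",  "10.33.7.7",   60),
    DnsObservation(300,  "pills.example", "A",  "10.1.9.9",    60),
    DnsObservation(0,    "pills.example", "NS", "ns-a.pills.example", 60),
    DnsObservation(120,  "pills.example", "NS", "ns-b.pills.example", 60),
    DnsObservation(240,  "pills.example", "NS", "ns-c.pills.example", 60),
    DnsObservation(0,    "shop.example",  "A",  "10.0.0.5",    3600),
    DnsObservation(0,    "shop.example",  "A",  "10.0.0.6",    3600),
    DnsObservation(1800, "shop.example",  "A",  "10.0.0.5",    3600),
    DnsObservation(3600, "shop.example",  "A",  "10.0.0.6",    3600),
    DnsObservation(0,    "shop.example",  "NS", "ns1.shop.example", 3600),
]

if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(name, s, "flux" if is_fast_flux(s) else "stable",
              "ns-churn" if nameserver_churn(s) else "ns-stable")
```

On real passive-DNS feeds the same metrics are computed per name over a sliding window rather than over the whole list, and the /16 spread is better replaced by distinct autonomous systems once you have an IP-to-ASN lookup available.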
If you can overlook the minor detail that it's all stolen property, these botnets are the best-value distributed hosting solution ever created.
Nobody seems to have come up with a good solution to the botnet problem, yet. ISPs and governments around the world are well aware of it, but few-to-no ISPs actually take action against zombified customers. Unlike BitTorrent fiends, zombie users don't actually cost the ISP any money; the traffic to and from most zombies is pretty light, and nobody's launching any lawsuits at bot-enabling ISPs. (Yet.)
No politician is going to win many votes by making laws that force people to clean their zombie PCs, either. OK, all of the sysadmins would vote for that, but they're greatly outnumbered by the hordes of clueless users who own (physically, at least...) the zombies. I pity the ISP that cuts tens of thousands of customers off from teh intarwebs for reasons the customers can't even understand. I think that'd be a good week for the ISP to just give their whole support department a holiday.
Every time a new wave of malware sweeps across the Net, someone new comes up with the brilliant idea of a "white hat" version of the same thing.
It seems like a reasonable idea on the face of it, after all. Make your own worm, that takes advantage of the same weaknesses as the real malware - or perhaps just sits there waiting to be probed by some other worm, then lashes out. When the white-hat worm infects a new PC, it plugs the very hole it came in through, installs a bunch of other security patches, and then plays a brief patriotic song.
There are two fatal problems with the white-hat-virus idea.
One: Distributing a "friendly" virus breaks the same laws as distributing any other virus. "Breaking and decorating" - breaking into someone's house with the intention of tidying it up and improving the furniture - is still breaking into someone's house.
Two: Curing a modern malware infestation without reinstalling from scratch can be close to impossible even if you're a knowledgeable user. There's already a pretty serious arms race running between the makers of the various evil botnets, and those guys have money to pay programmers. Good luck beating them with your SourceForge project.
So I have a modest proposal: Benign botnets.
There are lots of very worthy distributed computing projects out there.
Everybody knows about SETI@Home and Folding@Home, and olde timey geeks are still running distributed.net, but there are tons of others. Climate prediction, drug modelling, cancer tissue microarray analysis - the list goes on and on.
None of these projects are interesting to botnet operators, because none of them pay their participants. But, apart from that, existing distributed projects are ideal candidates to be sneakily, and anonymously, installed behind unknowing users' backs.
Distributed computing developers already cope with networks that're unreliable, non-homogeneous, insecure and variable in topology, after all. A botnet's not much worse than a normal distributed network!
Distributed-computing apps are also "slopsuckers" - they run at the lowest possible priority, so any other task gets CPU time before they do. This means their impact on the performance of a PC is barely measurable at the best of times. It's not measurable at all, if the PC's the kind of spyware cesspit that usually participates in a botnet.
There's other software that could be installed in the same way. Free anonymous data networks like Tor and Freenet haven't really taken off, because participation is entirely voluntary. Sneak Freenet and Tor nodes with small disk space and bandwidth quotas onto a million unpatched Windows boxes, though, and the Great Firewall of China would never know what hit it.
A benign botnet would still be illegal, and it would still definitely qualify as theft of resources. If nothing else, it'd be stealing electricity, by pegging CPU utilisation at 100%.
But a benign botnet really could work. It wouldn't have to try to attack the impossible task of automatically cleaning away other infections; it could just quietly install itself next to them, and consume no resources that the other infections cared about.
It wouldn't so much be breaking and decorating. More like breaking and setting up a small medical research lab in the attic.