Gunter Ollmann's recent post at The Day Before Zero considers three parties affected by the Microsoft-instigated takedown of Rustock. The first, most obviously affected and least sympathetic party is the Rustock crew. They were targeted and owned, and their revenue stream has been disrupted. It's nice that life sucks for them for a while. The second is the large number of botnet victims. They remain infected, and Ollmann believes they need help with remediation. The last is the organizations totally unaffiliated with the Rustock botnet whose hosting facilities were shut down or confiscated because they shared infrastructure with it. Depending on their degree of preparedness, they may be in a tight fix.
Gunter's article is thought-provoking, and here are my thoughts.
What should be done with the botnet victims?
Most if not all of the victims are still infected. Remediation is clearly desirable, and Ollmann believes someone should help them. This is an admirable, nurturing recommendation. But let's check our history books. The security community distributed security updates, posted removal instructions, and raised awareness through education and training for Conficker, yet the infection rate remained high. Whether malware writers are too agile or users too apathetic, mitigation is a necessary but clearly not sufficient way forward. Perhaps it's time to discuss at national levels whether ISPs should block or quarantine infected systems, using techniques similar to network admission control. Perhaps it's also time to take a hard look at EULAs.
This may seem draconian to some, but remember that infected hosts cause harm to others. Perhaps Rustock offers an opportunity to consider whether we've reached a tipping point. In the real world we set expectations and, in some cases, regulations for basic hygiene. We expect everyone to wash their hands before dining or preparing food. Is it so wrong to acknowledge that we need (and may have to enforce) the same safeguards against contagion before we connect to the Internet?
What about the organizations whose hosting was interrupted?
Ollmann points out that companies unfortunately co-located on the same infrastructure as Rustock may also be temporarily out of business. This is indeed unfortunate, and whether or not these organizations are suffering today, the business continuity lessons they and every organization in a similar position should draw include the following.
1. If your organization relies on third-party web hosting or other hosted services (e.g., mail, DNS), routinely archive all the data, scripts, and configuration information you would need to restore that service should the provider suffer an outage or disruption, and keep the archive somewhere the provider does not control. Test that you can actually restore from it; an archive you have never unpacked is a hope, not a plan.
2. Have an alternate (backup) hosting provider ready. For small businesses, temporary sanctuary at a free hosting account associated with a domain name registrar or a consumer hosting provider like Google is a lot better than "offline". For larger organizations, consider having secondary hosting providers for all your services (hot-staged, mirrored, or available on demand). The alternate is only useful if it does not share the data center, address space, or upstream network of the primary, since a takedown or seizure of shared infrastructure would take both down at once.
3. If your organization hosts sensitive data on third-party web hosting or other hosted services, give serious consideration to encrypting sensitive data at rest at those hosting sites, with keys held by you rather than the provider. If the provider's hardware is confiscated and the keys are on it, the encryption protects nothing.
The last but most important lesson, for these and every organization, is:
4. Don't put yourself in the position of being unfortunately co-located. Visit the neighborhood before you move in. Rod Rasmussen and I wrote about a similarly important hosting consideration in an APWG report on subdomain phishing. Before you host your brand and content, check out your provider: who else it hosts, how it responds to abuse reports, and whether its address space already has a reputation.
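Lesson 1 above is easy to nod at and hard to verify, so here is an added example (my illustration, not code from Gunter's post or from any hosting provider) of what "archive everything you need and prove you can restore it" looks like in practice. It snapshots a hosted site's content, server configuration, DNS zone export, and database dump into a tarball with a SHA-256 manifest, then runs a restore drill: unpack into a scratch directory, check every file against the manifest, and confirm that a list of must-have artefacts is present. The directory layout, file names, and the `REQUIRED` list are assumptions made for the example, and the sample site content is constructed; substitute what your provider actually holds for you.

```python
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Assumption for the example: the artefacts you could not recreate from memory
# if the provider went dark. The restore drill fails if any of them is absent.
REQUIRED = ["www/index.html", "conf/vhost.conf", "dns/example.com.zone", "db/dump.sql"]

# Constructed sample content standing in for a real hosted site.
SAMPLE_SITE = {
    "www/index.html": "<h1>example.com</h1>\n",
    "conf/vhost.conf": "server_name example.com;\nroot /var/www/html;\n",
    "dns/example.com.zone": "example.com. IN A 192.0.2.10\n",
    "db/dump.sql": "CREATE TABLE orders (id INT);\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def snapshot(root: Path, out_dir: Path) -> tuple[Path, Path]:
    """Archive root into out_dir and write a manifest beside it.
    out_dir should live on infrastructure the hosting provider does not control."""
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / "site-snapshot.tar.gz"
    manifest_path = out_dir / "site-snapshot.manifest.json"
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:                     # relative arcnames only
            tar.add(root / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def restore_drill(archive: Path, manifest_path: Path) -> list[str]:
    """Unpack the archive into scratch space and check it against the manifest
    and REQUIRED. Returns a list of problems; an empty list means the drill passed."""
    expected = json.loads(manifest_path.read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter (blocks absolute/.. paths) where available.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        actual = build_manifest(dest)
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing from archive: {rel}")
            elif actual[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in REQUIRED:
            if rel not in actual:
                problems.append(f"required path absent: {rel}")
    return problems


def write_sample_site(root: Path, omit: tuple[str, ...] = ()) -> None:
    """Lay down the constructed sample site, optionally leaving some paths out."""
    for rel, text in SAMPLE_SITE.items():
        if rel in omit:
            continue
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def run_demo() -> dict[str, list[str]]:
    """Two drills: a complete snapshot, and one where the DNS zone export was forgotten."""
    results: dict[str, list[str]] = {}
    for label, omit in (("complete", ()), ("no_zone", ("dns/example.com.zone",))):
        with tempfile.TemporaryDirectory() as tmp:
            site, backups = Path(tmp) / "site", Path(tmp) / "backups"
            write_sample_site(site, omit)
            results[label] = restore_drill(*snapshot(site, backups))
    return results


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(f"{label}: {'PASS' if not problems else problems}")
```

The second drill is the point: the archive is internally consistent (every file matches its hash), yet it would not let you bring the service up elsewhere because the zone file was never exported. Run this kind of drill on a schedule, from a machine outside the provider, and treat a non-empty problem list as an incident, not a warning.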