What's more, attacks are becoming more sophisticated and automated. The vast computational power of Google, the product of hundreds of thousands of servers, is often cited as a benchmark for distributed supercomputing. The reality is that cybercriminals could effectively run the world's most powerful supercomputer, making it trivial to conduct computationally intensive operations like generating millions of unique image spam files to evade filters or unleashing massive malware attacks.

Rand cites the MS06-040 Microsoft vulnerability, disclosed on Aug. 8, which changed the infection rate of PCs from about a quarter of a million new machines per month to a quarter of a million new machines per day in the first few days. "Those numbers are staggering," he says. "When you start to put that together with other technologies, these people have enormous, enormous computing power at their disposal."

Given their middleman role on the Internet, ISPs are in a position to help stop bots, but Rand and others say they aren't doing enough. Fact is, ISPs can make more money ignoring cybercrime than fighting it. "Their feeling is, 'Hey, it's not our problem if the user is an idiot.' And my response to that is, you can't expect my mother to be responsible for Windows XP security. Sorry, you need to take a more active role."

Richi Jennings, an analyst with messaging research firm Ferris Research, recommends that ISPs disconnect zombie PCs from the Internet until they or the user can remove the malicious software.

Is that even possible? On a small scale it is. Lariat.net, a wireless ISP serving Laramie, Wyo., offers to install freely available security software for its users. "We scan every one of their machines before we grant them network access," says Lariat owner Brett Glass. "We're not typical."

Even so, Lariat's users may end up with compromised machines. A recent round of zero-day attacks turned some machines into spam bots. But thanks to traffic monitoring, Lariat was able to identify subverted machines and fix them. "We keep the best handle on it we can," Glass says. "But most Internet users who go to the store and buy a computer are sitting ducks. If they use the computer as configured and as directed, the odds are overwhelming that they'll be infected within a few hours."

Fight Back
Telecom carrier BellSouth can't say whether bots are any worse today than in the past, but there's no doubt they're an issue. In the fourth quarter, BellSouth will start using "an industry best solution" that's in beta testing now to better understand its network usage so that it can target malicious software, says Michael Spoor, director of network infrastructure and security at BellSouth.

The company's multilayered strategy for fighting bots includes encouraging its customers to "self-protect" home PCs, including downloading a security software suite BellSouth makes available on its site or from another source. "BellSouth looks to its customers to help us help them," Spoor says.

Every day, BellSouth blocks millions of suspected spam messages from crossing its network, he says. Teams within BellSouth work on the problem of spam, bots, and viruses.

Ken Kousky, CEO of security market research firm IP3, argues that law enforcement needs to do more, too. He contends that U.S. authorities have been less than enthusiastic in their efforts to protect the porn and gambling businesses that are often threatened by criminals armed with botnets. "We've tried to find a case where law enforcement has taken a proactive effort to defend a porn site and, as far as I know, there are no instances of this," he says. "The challenge in botnets is to stop the flow of funds."

New technologies promise some relief. Trend Micro recently announced its InterCloud Security Service specifically for bot detection; IronPort sells its C10 E-mail appliance and virus outbreak filters; MX Logic this week plans to introduce a Web Defense Service to protect small and midsize businesses from malware; and Symantec and Panda Software recently released updated Internet security software packages.

But these are temporary fixes at best. Malware writers are adept at countering the countermeasures. To complicate matters, it's hard to change human nature. "The stuff we're talking about in general is caused by human error," says the SANS Institute's Paller. "The government has done essentially nothing to illuminate human error and get rid of it. The awareness training that goes on in the federal government--except at the U.S. Agency for International Development--is pretty much useless."

Not so at West Point. Computer security training, which has been part of the curriculum for six years, was the subject of a series of exercises called Carronade that ran between early 2004 and late 2005, testing the susceptibility of E-mail users to both general and targeted phishing attacks. The rate at which students fell for phishing attacks dropped from more than 50% among freshmen to less than 20% for seniors, says Lt. Col. Ronald C. Dodge Jr., associate professor in the academy's department of electrical engineering and computer science.

There's still room for improvement. In a paper detailing the West Point study, "Phishing For User Security Awareness," Dodge and co-authors Curtis Carver and Aaron Ferguson conclude, "Our students continue to disclose information that should not be disclosed to an unauthorized user and expose themselves to malicious code by opening attachments."

Paller gives the U.S. Agency for International Development high marks because it forces security training on its PC users every day as part of the logon process. Ultimately, that kind of intrusive, unavoidable insistence on security may be necessary to help bot-fighting technology do its job.

Image by Ryan Etter