Cyberwar: Is Offense the New Defense?

Many experts - including some in the military - argue that cyber weapons could make our networks safer. But will they? Robert Lemos reports from the Conference on Cyber Warfare in Estonia.

Tallinn, Estonia -- Eight months after it started spreading, the Conficker worm remains on hundreds of thousands, if not millions, of computer systems. While the furor over the worm has died down, worries over the capabilities of the sleeper botnet continue to concern cybersecurity experts.

The call to do something about the latent threat is growing louder. This week, two German researchers -- Felix Leder and Tillmann Werner, PhD students at the University of Bonn -- advocated attacking back at the botnet, before it's used for another purpose.

"Most countermeasures nowadays are reactive, you wait for an attack to happen, and then you take the countermeasure," Werner said at the Conference on Cyber Warfare, an event held by the Cooperative Cyber Defence Centre of Excellence in Tallinn. "We need something that will stop the attack in advance."

The two students are well known among security researchers. In March, they discovered a way to detect Conficker-infected machines using network scanning, a method that allowed defenders to detect and remove a large number of compromised hosts. In their latest research, Leder and Werner have focused on four sophisticated botnets -- Conficker, Waledac, Storm and Kraken -- and claim that they have learned enough about each one to successfully attack, and dismantle, the malicious networks.


"We could do disinfection like an outbreak," Leder told attendees.

The concept, which brings to mind past calls for "good worms" to combat fast spreading infections, is resonating with cyber policy experts and military strategists, many of whom want to draft rules for the use of pre-emptive cyber attacks against potential threats -- whether it's a botnet, online criminal gang or nation-state.

Two U.S. government officials attending the Conference on Cyber Warfare argued that the United States, for one, needs to start making the hard policy decisions that would allow for offensive tactics in cyberspace. Both officials asked that their names and organizations not be used so they could talk freely.

It's logical to assume that the United States, and other countries that actively pursue cyber offense, would have capabilities at least as good as the attacks of cyber criminals, said Herbert S. Lin, study director for the National Research Council's Committee on Offensive Information Warfare.

"We seem to be developing cyber capabilities to improve our overall military posture," Lin said. "Sometimes you have to take the offense to defend."

While the policy surrounding cyber attack capabilities is still nascent, such technologies would give more choices to policymakers, Lin and others on the Committee on Offensive Information Warfare state in a report that will be published later this year by the National Academies Press.

"The availability of cyberattack technologies for national purposes greatly expands the range of options available to U.S. policy makers as well as to policy makers in other nations," the report states.

One option: If nations develop an overwhelming cyber attack capability, it could result in a digital version of nuclear detente, argued Amit Sharma, a scientist with the Defence Research and Development Organization at India's Ministry of Defence. If nations cannot agree by treaty to limit use of cyber attacks, a doctrine similar to the Mutually Assured Destruction of the nuclear theater could deter attacks, Sharma told attendees at the Conference on Cyber Warfare.

"You can talk endlessly about the law of armed conflict, but a treaty would not be achieved," he said. "The only viable solution is one of cyber deterrence."


Not everyone at the conference agreed. In a presentation on what can be learned from the different analogies used for cyber attacks, Ned Moran, a consultant with Booz Allen Hamilton, argued that each analogy has considerable weaknesses. While a massive cyber attack that takes down large portions of the Internet and causes widespread destruction of data could be similar to a nuclear attack, ongoing cyber espionage more closely resembles a Cold War analogy, he said.

"No single analogy tells the whole story," Moran said, adding that focusing on the wrong analogy has often led political leaders to make bad policy.

Moreover, the nuclear analogy has another major stumbling block: Deterrence is difficult when you cannot determine who is behind an attack in cyberspace.

Nart Villeneuve, a researcher with the Information Warfare Monitor, spent months tracking sensitive computers that were compromised in a manner that seemed to point to the People's Republic of China as the culprit, but in his presentation at the conference, he underscored that other explanations are possible.

"The obvious elephant in the room is that these are ... targets collected by China for intelligence purposes," Villeneuve said. "All the targets we were able to identify had some value (to China). But there are other explanations. The distribution could be completely random. ... Or this could be a total setup. Someone trying to make use of the fact that there is already this frame of reference of attacks emanating from China to disguise their activities. If I was going to attack a third country, I would probably do it through China."

Yet, the issues with attributing attacks are not insurmountable, said the NRC's Lin.

"Let's say we are the victim of a cyber attack that kills our electric grid," he said. "Everyone who does forensics on the system will say they can't tell who did it. But say that you had a spy in the president of Elbonia's office, and he tells you that they attacked us. You now have evidence of a crime."

"Most people, when they say that attribution is impossible -- they are talking about technical attribution," Lin said.

Unless the attribution problem can be solved, defenders will have to settle for attacking back at the compromised systems used by opponents. Yet, even that worries policy makers.

Only in the best case would defenders actually strike back at a system owned by the aggressor. Almost every time, defenders will find themselves attacking the compromised computer of an innocent person. Even if the "attack" is actually a software patch or a program to remove the malicious code, something could go wrong. With actual cases of bot software infecting the computers that handle critical data or control medical systems or critical infrastructure, the fear is that patching the system could cause the machine to crash.

It's those legal and liability concerns that have prevented researchers, such as Leder and Werner from the University of Bonn, from trying to take pre-emptive action against botnets. However, the researchers argue that the concern is misplaced.

"In reality, we have seen malware on medical devices that has stopped those devices from working," Leder said. "So there is actually a real threat that malware might kill people in the future. It hasn't happened now, but it might be in the future. So, doing proactive countermeasures could prevent some of those situations."

With Conficker sitting on a large number of computers, the time to act is now, the researchers argued.

"Do nothing until we get attacked? Obviously that is not an option," said Werner.

Copyright © 2009 IDG Communications, Inc.