This paper has been written for a broad audience of service providers, operators of popular web properties, and other members of the Internet ecosystem that increasingly find themselves having to interact with users whose computing devices have been compromised by a botnet or malicious software.
Historically, typical industry responses to bot-infected end-user computers and devices have relied heavily on Internet Service Providers (ISPs), but recently remediation efforts have evolved to include other stakeholders and intermediaries. Today, the response to bot-infected end-user computers often includes direct interaction with members of the broader Internet community, including:
- Security vendors (including anti-virus vendors)
- Operating system providers
- Internet web sites (including social, financial, gaming and other interactive sites)
Two issues motivate this broader level of engagement. First, stakeholders increasingly recognize the long-term impact of malware upon their customers and online services. Second, stakeholders now have better mechanisms to detect compromised devices, provide notification, and aid in the remediation process. Research and the general consensus of the working group recognize that notifications from trusted third parties have the potential to enhance user awareness and motivate user action, reducing the burden that formerly fell almost exclusively on ISPs.
This paper focuses on traditional computing devices (PCs, Macs, etc.), leveraging and building on the OTA Botnet Notification Best Practices white paper published in December 2012. Future documents and updates will focus on the mobile landscape, recognizing that tablets, smart phones and similar mobile devices are outpacing the growth of PCs and increasingly being targeted by cyber criminals.
For the purpose of this document, remediation is the action or set of actions required to remove malicious software from a compromised device and return it to a safe operating state. Remediation is a critical step to curb the impact of bots, though it is recognized that without tools and processes to harden the devices and prevent reinfection, bot infections will repeatedly reoccur.
Recovery is outside the scope of this paper, but extremely important. The working group defines recovery as the steps and actions a user must take after the botnet and related malware have been removed. Recovery may include, but is not limited to, the process of recovering personal data, documents, account access and related information that have been compromised by the botnet. This may range from router and home network reconfiguration to working with banks and commerce sites to recover lost funds and address identity theft.
With this paper, we seek to arm stakeholders with remediation tools and highlight best practices in order to accelerate their deployment and usage. OTA shares this and other related best practices that can be leveraged and modified by other industry sectors. Finally, we hope to spur technology innovation and collaboration to enhance online trust and confidence, and help address unresolved challenges identified by the working group.