 Morning. My name is Rick Wesson and I'm here to talk about abuse and the global infection rate and I know that I was hungover and didn't get up until noon yesterday So I expect it to be pretty light. We'll take questions at the end and We're probably gonna give away a few beers to just help everybody out if you're hungover the best way to do it It's just start again what I'm gonna talk about today is We're gonna go over the problem a definition of what abuse is a definition of what bots are Is that better can I get a little volume? Good everybody hear me in the back. Is there anyone in the back? We're gonna go over the anatomy of a botnet. What does it do? What's it look like? I'm gonna give you one. We're gonna have a little contest to see who can either take it down or own it We're gonna look at how botnets affect corporations and then we're gonna take it back up to 30,000 feet and look at What the internet looks like at a global scope and in economic terms how this affects us and Then we're gonna hopefully conclude with how we fight this problem But it's been a long fight and we haven't been successful So the problem is it's really difficult to understand when your network is Compromised or when some of the hosts on your network are compromised and they're affecting other networks It usually involves other networks because if your network is abusing your own network You know about it. You see the traffic. 
I don't know about it. But when your network is abusing other networks that I hear about, I see it and I can record it, and I can tell you about it and I can tell other people about it. The numbers are really starting to get out of hand. We're talking about millions of nodes in a week, new nodes every week getting compromised, and the numbers are starting to get so significant that people are saying one out of five hosts that are live on the internet at any given point are compromised. That's a huge number. And so essentially, how do we unfuck this, because it's fucking up the internet. It's messing in my network and yours. And so the first thing that we're gonna look at is: what is the scope of abuse? What are the things that we think are bad or affecting other networks in a malicious way? So obviously sending spam, UCE; hosting open proxies. We're having open proxies pop up all the time, which are used sometimes for click fraud, sometimes for sending spam, certainly used for distributed denial of service or abusing IRC in other ways. Hosting botnet command and control servers, moving those command and control servers around rapidly. BGP route hijacking, when you hijack a route that has some corporate identity and abuse that or leverage it to send or deliver some information under their identity. Hosting splogs, or manipulating links, link rank, and hosting insecure web servers. So what is incentivizing people to create these networks and abuse other people's networks?
There's an economic incentive here and Essentially as if we look at the revenue that you can derive from a botnet or how much it costs to deploy one then we can We can understand if These two overlap the revenue that you can derive from sending spam Which is high right now and the cost to deploy a botnet which is low and these are inversely proportional to each other It creates an incentive where these two lines in These slide overlap on the left and that's the incentive to continue to create new Networks to abuse other people's networks to deliver malicious activity Because the cost to deploy it is so low and the revenue that you can derive from it There's always going to be incentive as long as these two lines overlap Our job is to make these lines move apart and hopefully in a few years We'll be able to move the revenue that you can derive from sending spam or click fraud lower and The cost to deploy a botnet higher Make it harder for them to be deployed make them live less long So once we can move these two lines further apart actually we can separate and make sure that there's no Overlap that there is a gap between them. That's our incentive and today What I'm going to try and put is a number on this incentive on both sides of the map So that you can understand in economic terms what these are to the US population to businesses individuals So let's let's actually dig into a botnet You're gonna get one in a few minutes. It's been live for I think somewhere around 90 days We've I've actually requested people to kill it. I've sent information to the registrar that hosts it And I'd really love to see if somebody could take it out by the time I get off stage or own it And if you can I'll give you a beer a good beer, which is hard to find in this town I had to bring it from San Francisco so Let's take a look at this botnet. We're gonna look at its controller capabilities We're gonna look at the the proxies that it offers. 
It has a nice little web controller front-end There's commands that you can make it do different things FTP stuff we're gonna look at the the drop file that it creates this happens to be a key logging botnet and Who what and where got compromised this should be really interesting both for the corporations and people that are interested in porn and See if somebody can own it or kill it by the time I get off stage So this is the controller and for the people in the front of the room You can see the domain name here and for the people in the back It's yops y o p s dot biz slash UK is the controller and the drop file So everything that I'm telling you here you can go and vet until somebody takes it out This is the view that you see when you log in. There's no password protection. You can You can If you have wireless you can go to it right now So on the left it has the IP addresses the ports for the socks proxy this ID String in the center, which I'll show you what it's for in a minute And then if you look there's also the country in the city and state and if it's connected and the city and state So they they've got some nice geo IP going on here Here's some more you can see that they're from Canada Belgium United States, which is in her in Virginia Princeton and what this is valuable for is for understanding if you need to send a click and that click needs to go from Princeton Or you need to go do a transaction From some of the information we've captured out of the drops file You can make that appear as though it's from that geographic area by using these various Identity keys that are in the the middle of your screen It has a lot of other capabilities that you can exploit you can upload files You can FTP something from another file. 
You can HTTP get something From any particular machine in this network and have it execute that file or you can have all of them do it at once You can upload host file So if you'd rather everyone's clicks to any you know pick your your company or domain You can have all of those hosts then send it to the IP address by By manipulating the host file on each one of the machines, so probably not new not news for a lot of people here Do they send spam certainly using the the machine identifier two URLs one for the message body one for that where you're gonna spam Fill out the form send it off Everything goes and does the bidding for you Pretty nice web front-end for a botnet Like I said, it's a key logging botnet and It it logs data This is one little picture one one of the data drops there We go through in detail what each section is first the remote address So if you look this happens to be one of AOL's outbound proxies Fortunately they copyrighted this stuff so it's a smash by SARS The IP address so the the 10 net internal address of the host they all happen to be a internet explorer The next two lines are the gentleman's Password and user ID for his pop mail account the next couple of lines this key logging botnet liked anything that had HTTPS in it or HTTP that had a User ID and password in it so if it had a password field it was gonna get captured it was gonna get put in this little drop thing and After it had accumulated enough of them it would send it up to the command and control server where you can download this file And you can see the third Thing that this guy went to the third URL was McAfee so if you go to the first one you'll get about a hundred pop-up and And It was pretty obvious to even to him that he'd gotten owned and needed to go do something about it Of course the guy is littered through the file. 
Nothing ever helped him. So if we drill down actually into the drop file, we reviewed 30 days of data. Like I said, it's been around for 1690 days. So at the time that we reviewed it, it was about 80 megabytes. I think it's like 211 last time I looked. And in that 30 days we had 793 uniquely infected systems with 17,000 data captures from those, so it was sending up multiple data captures per host, and in those data captures were multiple form logs. We got 35,000 form logs from this. This is a small botnet. This is like 200 hosts online at any time. 100% of them were Microsoft Windows. It would capture passwords for POP, IMAP, telnet, HTTPS posts, form data. And then it would do regexes through the file system, and if it found anything it would add that to the data drop and send it up to the command and control server. So we're gonna compromised out of all this stuff, we're able to collect 54,000 login credentials. That's a lot. Of those, 281 unique credit card numbers, and that was just what we could easily identify. We got over 2,000 email addresses of your friends and family. So this would go down through the file system, look for email addresses, look through your address book, pull them out, send them up, and then we can collect and send spam from those, even from your house. 299 identities, which is names, addresses and phone numbers, and if I had written some better analyzers, like actually gone through a lot more of the HTTP URL-encoded data, I could have extracted a lot more. There were posts in there for credit card applications, for college loans, for home mortgages, anything that we consider e-commerce today. This botnet is an example of what's being collected, and if you have a company that hosts some service that's available over HTTPS, some portion of your clients that have logins into that system are being compromised. No matter whether this stuff is SSL encrypted or not, it is being captured. It's being captured before it even hits the wire. So what companies got affected?
We looked at all the URLs that we were able to identify that had passwords that we could use. We had user IDs and passwords, essentially logins, and the companies are all over the map. You probably know every one of these except for the paytax.nat.gov.tw or us.army.mil. I didn't even go touch that one. But we've got everything: Walmart, SpeedPay, eBay, Verizon, Passport, Craigslist, MSN, Capital One, everything that you can think of. So there were 1200 businesses approximately, 35 brokerages, 86 bank accounts, 174 e-commerce accounts. This was just for the 30 days that we looked at it. Haven't gone to see if these numbers have doubled. 863 porn accounts. If you like porn just go pick up the drop file. There's plenty of it there. You'll never need another porn account. 245 email addresses that were unique, that were in different posts. So if we want to value this stuff, one thing that we found was to look at how much could we sell these accounts for, or how much are they being bought for? And so if you have a brokerage account, this is just one line item out of the whole file, a brokerage account, which we identified 35, figured that we were able to find $40, someone would buy them from us for $40 apiece if they had less than $3,000, if they had more than $70,000 So we needed to go log in, figure out how much money they had, build a little set for sale, and we could have made averaging almost $2,500. So there's value even in a small botnet. One of the other things that we do is we capture identities, and this is outside of the botnet, but Support Intelligence, the company that I work for, is able to intercept a certain amount of identities that are being bought and sold. And so there's an economy between people that are capturing identities and selling them, and we've verified a number of these identities by, well, first notifying VC USA and the FBI, FTC, some reporters. We were kind of getting a little slow with all those people.
We didn't feel like they were really reacting So we we tried to notify the victims we were seeing them in the botnets We were seeing them when we intercepted them And we realized that at the end of each one of these is an individual And so we thought we'd call some of them and see how they felt about all these things And so when we when we first started calling them we gave them their name and Birthday and their mother's maiden name their social security number credit card number and they They wouldn't tell us anything But I made a few mistakes and I want to share one of them with you I made a couple of phone calls and There wasn't nobody picked up and so I thought I'd leave a message the message went like this Last name Milford social security number 267 18 64 94 69 plus your palace Lane Sacramento, California mother maiden name Lewis visa four five eight three two four six eight nine one eight five Four one six two Expires 1107 security code 102 this identity has been compromised and I Left work is at the end of the day Next day I come in I've got like 47 missed phone calls and so I Waited around. I knew the guy would call back. He called 47 times the last two hours Phone rings pick it up. Okay. I says I want to talk to your manager. Okay. Hold on a second Hello, I Want to talk to your owner. I own the business. He's like, what are you doing leave a message on my phone? Who are you? And I I said we're we're working with the security and he didn't give me that next thing. I'm he's gonna call the FBI He's gonna call the cops. I wanted to tell him which agents we were working with but the guy was so livid And he happened to be a police officer. 
He was ready to come over to San Francisco and arrest me Even though he was in Milwaukee or something like that So the victims are highly pissed when we can tell them all about them We had another one where we were we identified Identity we saw it come across the wire called the Person up actually ended up with the mother on the phone And she said she had just registered bought something for her son off of a website and that was it was her son's name It wasn't her name that we had seen and that was 10 minutes from sale To on the wire soul. So let's look at how botnets affect corporations We've we've looked at that they exist that they're logging data. You have one that you can go play with You can evaluate everything that I've said you can use it or you can take it down if you can But let's look at how they operate and how they affect companies Being a San Francisco corporation. We went through a bunch of companies names That were in our database. They were also in the 9-5 or 9-4 area codes And this was a list of some of the companies that that we identified that we have some information on We're gonna drill down in three or four of these real quick and see what they've got but you all should recognize some of these companies, they're not small and Some of them get unhappy when they get their names on the screen So if you see yours ask politely, I'll take it off. 
There's plenty other companies to put on here First one's HP A lot of people want to know is Silicon Valley compromised a lot of computers out there a lot of big companies that run e-commerce HP isn't a commerce company That I would classify as but we looked at a hundred and forty unique IP addresses that were under HP's network space Many of them were outbound mail servers We run a pretty large spam trap and we identified a fair amount of their marketing mail in our spam trap but we also found a fair amount of information of hosts that were claiming to be Starwood hotels or Geo cities Or carpet blessed on info we said those aren't HP's hosts, but they're coming from HP's network That can't be good. Why are they sending us this mail? Why is it landing in our spam trap? Charles Schwab another financial organization but this is a company that you can point to and say these people are doing a good job they have a bit of marketing mail that We've been able to identify but We haven't been able to identify any bots Pretty good. It's important to point out when people are doing a good job Lucasfilm this was interesting because they've been flat-lined for a really long time And then one day one day they sent out a whole bunch of stuff Maybe somebody brought in a compromised laptop put it on the the vendor area network or One of these networks where you segment your guests Which we've seen It was all phishing and and and spam vertisements and it was fixed within 24 hours and they've been flat-lined never since So that's good. We can detect when these things are happening and we can tell when they are So this was the fun one Chevron, Texaco They're consistently in our traps But what's in our traps? It's not marketing information It's spam vertized adult material and this is an indication. This is a symptom of the disease It's chronic and persistent. 
It's been there for a long time and we can show that it happens at regular intervals. And we're also going to go down and look at who derived information or who derived some value from this. What's the value chain of the spam or adult material that was disseminated using Chevron, Texaco's IP address reputation? And before we do that, I just have to show you what they were delivering. Something natural and safe. Certainly, I'm sure many of you have seen this before, maybe not. This is what the corporate network was being leveraged by a third party to deliver to other mailboxes. Size does matter here. So, Chevron's penis enlargement problem, which was botnet spam delivered through their corporate MX, spamvertized the link that traversed three web servers with 302 moved. The domains were hosted across three registrars with three different identities. There were obviously faults with the hosting services running from the USA, Germany, Russia, China, and the final web server that was advertising that wonderful little piece about enlargement was in China. And I don't expect Chevron to have the capabilities to go and figure all that stuff out, but I do expect that they have the capability to keep it from emanating from their network. So let's go back up and look at the global scope and some trends and statistics about the larger internet. We've seen that the botnets exist, they're key logging, that we can identify some of those by the abuse, how they send it out or abuse other networks. And now we're going to look at what the whole world looks like, and this is 100 million, 101 million events that we received over six months. It's turned out to be roughly 48 million unique IPv4 addresses. It's been 12,000 of the 22,000 routed ASNs. So for those of you that have network clue, the next part, it's really about the global internet. One of the big numbers that we want to flag, that I want to put in the ground or a stake, is 267,000 that I know about, new a day. So we looked at the ASNs and we said what
number of ASNs do we have that have a malicious activity that we can identify? And this is a very granular, the amount of address space routed by ASNs is vastly different, but it's a very broad brush that I'm painting with here. 55% of the ASNs that we looked at I could identify something on. 48% appeared clean. Now, my business partner Steads, he asked me, says, well, how much of the routed address space is that? Because just looking at the ASNs is a really broad way of reviewing this. So if we look at how much address space is actually routed by these various ASNs that we have information about compromised systems on, 95% of it we can finger. That's significant. So then we said, how can we break these things up geographically and look at them by countries, and it was actually pretty hard. There were some ASes that we couldn't look at. They're ASes that are satellite, you know, there's no geography attached to them. But from what we could do it was pretty easy, and people know that China is a huge problem. Here they're a quarter of it, of the entire planet's worth. The EU, which is a whole bunch of countries, which we have some separated out later. The USA is number three with almost three million hosts that we're able to identify, and then it goes down from there: Korea, Germany, France, Brazil, Spain, Japan, the ones that we couldn't classify that are mostly satellite, Taiwan, Poland, India, Italy. The UK, they're classified in the EU. Sorry. So let's look at Chinanet backbone. Everybody knows about this one. This is the number of new IPs daily.
I'm still wondering what the big spike is, and this was for six months. So then we tried to look at the most compromised prefixes by number of events that we were able to identify, and again Chinanet backbone, but then they tail off pretty rapidly, and this is the first, I don't know, 20, top 20, something like that, with most of them being in the 221 slash 8. So let's bring this back to costs. We've been able to see that these things exist, a certain number of them are key loggers, that they're pervasive. They're all over the world. They're in every country, and I want to bring it back home a little bit. The FTC has some statistics out there on identity theft, and what I'm trying to assert here is that botnets are using key logging to perform identity theft, and I need to put an economic value on that. And what that value is, I'm using these numbers from the FTC from 2003, and specifically we're looking at the misuse of existing accounts. So when a botnet captures an existing account, certainly they might capture an identity. That would be the new accounts and other frauds column, if that identity was used to create a new account. For the purposes going forward,
We're just looking at the cost to businesses of people that have accounts that exist that are being compromised, which I've shown you in the botnet drop zone, in the botnet drop files. You'll see here that average per victim cost to the business is $2,100, 2003 average. We're going to use that number. Well, let me back up one more: the global, the whole scope for this is $47 billion for all ID theft for businesses. That number is about this next line, the profit margin. If we look at the profits that one can take from identity theft, and let's say they have an 80% margin, that would make the identity theft industry the largest, most profitable business in the United States. Walmart, Microsoft, Conoco, Chevron, GE, Bank of America and Exxon all make less than the industry of identity theft in the United States using 2003 numbers. Want to do a little bit of math here? We're going to look at the number of keyloggers, the average number of credit cards that a keylogger gets. That puts us in the existing accounts column. It gives us an average keylogger impact of $700 per month. We're looking at monthly statistics which are all generated from our 30-day view of our evaluation of the botnet drop file. So if we look at the bot population times the number of keyloggers times the percent of captured identities with existing accounts times the cost per incident, which we got from the FTC. We look at new infections, and I'm just going to pick on eight companies here in the United States because we're talking about numbers from the FTC: Verizon, AOL, Comcast, SBC. This is new infections per month from our infection data, and we're looking at 120,000 new infections from Verizon a month. Let's look at the economic impact on the businesses that those infected computers are having on American business. This is losses per month estimated from new infections of botnets for just that one column on the FTC report.
We're looking at 90 million dollars per month from Verizon. Does that number bother anyone? SBC, AT&T and BellSouth are really one company; you could aggregate those and it would be another 50 million dollars per month. The smallest one on here, UUNET, comes in at ten million dollars as impact to US businesses per month because of the compromised systems on their network. I'm not saying that these companies are losing this money. I'm saying it's these companies' customers that are losing this much money from business. If we look at annual estimated losses, it's almost two billion dollars annually using 2003 estimates and current infection rates. This is worrisome. If you could convince these eight companies to somehow help their customers clean up their systems, it would save American businesses two billion dollars, or four percent of the 2003 estimated identity theft problem. So let's go back to the economic theory of abuse. Our idea is that we need to make botnets harder to deploy so that they cost more money, so it's more difficult, and that the revenue derived from them is less. But right now what I'm saying is that incentive is around two billion dollars a year for botnet operators to deploy more stuff. That's what our fight is. What do we do about it? We're working on detection. Hopefully we can tell you who is compromised. We got to do something about remediation or it's never gonna end, and then finally we have to protect them, and until we do they're compromised and people are losing their identities, their credit cards.
We're gonna receive more spam We're gonna get more click fraud and it's not gonna stop Detecting them is just the beginning of trying to solve this problem We have to do something about remediation and we have to do something about protection We have to protect them somehow The thing that really pisses me off is that they're real people at the end of it You guys might be able to protect yourself pretty well But those people are so pissed When they find out that all the shit that's really important to them Somebody else knows and that somebody else just told them a whole bunch of people in Romania know about it And they got a big headache and they're just average people. They don't know how to fix their computer They don't know what this stuff means and all of the things that are really important to them That they thought were private Are now owned by somebody else and you can't get another social security number and that's what pisses me off And I want somebody to help It doesn't look like many people are concerned The economic incentives are in favor of the criminals and it's in the tune of billions of dollars That's not new news, but eight companies could change the world for a lot of Americans Hopefully that is news That the levers are ISPs credit card companies and credit bureaus And that spam is just a symptom of the disease That if we have some and it appears that we do some tools to use To prevent or at least to understand who's compromised that we can then focus on Notification and then on remediation If we don't fix these computers It's gonna take our internet away. It's gonna take the trust of the people away and We might still have jobs, but we might not have a network. 
That's really gonna be leveraged for the people. It's gonna be leveraged for the criminals. I got to thank a number of people that helped me aggregate information, help our company. Without them, we wouldn't be able to bring you these kinds of things. Without them, we wouldn't be able to operate. Spamhaus, URIBL, SURBL, the other RBL mirrors that provide us data we leverage to help you understand which ones are on. Paul Vixie, Bill Woodcock for their donations and access to BGP feeds, which helps us understand where on the network you are. And everyone else is David Ulevitch at OpenDNS, who gave us a whole bunch of hardware so we could churn numbers. Randy Bias at Neotactics for giving us a bunch of hardware so that we could capture spam. Aaron Hoover, who put together a little demo that I'll give during the Q&A for doing geo IP mapping, tool, real-time botnet visualization. There's some tools. One of them I make. Adam Waters, there's also my partner, who you can ask, I don't know where he is, but he's around, is somebody that helped me put this together. One of our tools will help you, if you're a network operator, understand which hosts are compromised on your network. Microsoft makes a tool at postmaster.msn.com/snds for understanding if your network has sent them spam. It'll let you inspect that, look at evidence. Also, Yahoo is building something, but they didn't have a URL for me. So, questions? We'll take them at the microphone. Estimate the 260, just second, let them, you can repeat the question, two hundred sixty seven thousand per day, how you estimate that? Pat was asking how we estimated the two hundred and sixty thousand infections per day. We merely took the number of unique infections that we had seen over the time that we had seen it. It's just an average. Can you quantify the source of the protection efforts on, the question is, can I quantify the number of home users that might be infected versus corporate users?
And that's a very good question. I don't have numbers. I could certainly do that and put it someplace, but I didn't do it for this presentation and I haven't. And one of the reasons that that's difficult to do on a block level is because of ISPs and network service providers. There's a certain amount of granularity that you can identify which blocks or which ASes are of various categories, and there's been some excellent work done at the AS level to understand which ASes are of military or government, educational, network service provider or commercial. Good points. Do you have anyone that we can point to that could show us that? It was a statement, which the microphone is not working and it's difficult for me to regurgitate his statement. Sorry. Amen. Yes, there we go. So with 95% of ASNs dirty, leads me to a question, sort of follows up our conversation at the bar the other night: what do you see as the future value or even the present value of internet reputation systems when almost everybody is infected? I see the value of internet reputation is, if everybody's infected, if one out of five computers are infected, what is the value of reputation? It's important for you to not have it stolen. I think if the value is going to increase on reputation, then we really have to do work to ensure that the reputation is actually intact when you're evaluating it, whether it's being stolen because you have a network or a computing platform operating on your network that you don't own, i.e. a botnet that's delivering mail through your corporate MX advocating penile enlargement. That's essentially stealing a reputation of an IP space. If you have a block that's routed that has been compromised by or through the BGP, that's not something that a company can even notice. I think that if we have one out of five computers that's compromised,
We're going to see more of this. We're going to see more spam from corporate identities that have a high reputation, and the same worry exists for the BGP. So those that have good reputations now, or reputations that are asserted to be good, should be more concerned than those that don't. Yes, sir. Yeah, in 2004, over a three-month period, I developed some prototype software that is very aggressive in reporting spam. As a result, I've done some amazing amount of analysis and I've come to the conclusion that about, I'd say, 30 to 40 percent. You get an IP address. You've got to find out who that IP address belongs to. You have to rely on ARIN, Aria ion, APNIC, LACNIC and all these other IP block organizers, whoever they are, and a lot of times I find that the abuse email is bogus, and I always try to advocate some type of effort on the part of APNIC, or whatever it is, to get their databases upgraded. What kind of effort is being done to make it easier to track these hostile activities down? And that's something that I think everybody should address. Maybe Paul can help us with this. Hi, I'm on the board of trustees for ARIN and I'm not speaking for ARIN here, but I'll tell you some of the difficulties with getting that database cleaned up. APNIC, RIPE, ARIN, LACNIC, they are all membership organizations, and so the staff comes to these organizations either because it's a good resume builder, or it's a paycheck nine to five job, or they're passionate about it, or whatever it is, but ultimately they can only do what the members will agree to. And it turns out that the rest of the community thinks that having a good whois service with accurate abuse contacts is a good thing, but the network operators don't really get a lot of value from that. If you're UUNET and you make it possible for the community to tell you that you have spammers on your network, you're going to be spending a lot of time
reading the same reports over and over again that are telling you something you probably already knew, and in the best case UUNET loses money when they cancel the subscription for the spamming customer. So we're asking them to spend money in order to lose money, and until we can remove the asymmetry of this person spends money and that person makes more money as a result, you're not going to see any incentive for the members of these RIRs to tell the staff, or tell the board in my case, "We want this done." It's sad. It pisses me off, too. This happens to be a hot button, which is why I grabbed the microphone away from Rick. This is something I have been pushing for, but even being on the board of trustees for ARIN does not give me sort of magical powers to improve that database. We're to ask the members to ask us to improve that database.

Five minutes, Rick.

Any other questions? What's going on here on the screen is a little demo of what happened on Wednesday, February 8th at 5 p.m. I just have the United States here, and it's essentially just drawing dots on a map for every time we see some abuse. You can hover over them and then it'll tell you where it came from, IP address, the reason for it. It's a little tool. We have our visualization. I figured that if I'd done it over the internet, I would have been owned by now, so I didn't want to do that on stage. You have a question, sir?

One of the problems is, you know, you got two different issues here. You got the issues of the infected machines that are sending out the spam, but you also have the command and control center. Now, as far as the command and control center, if you try to attack that, one of the biggest problems I've seen is that it takes a huge amount of effort to actually get a C&C shut down, but since they still own the domain name, it's fairly easy for them to bring it back up, usually within less than a month. So how would you address that situation?
Well, I was going to show you... See if yopse was up. All right, so how would I address the situation where domains can take them out? Whack-a-mole. If you're trying to whack-a-mole, it's a big problem. Solution... my attack is economic. I want to find a way to remove the incentive, to change the economics of the situation so that it is vastly more difficult to deploy a successful botnet and vast mean less revenue can be derived from it. We're not going to win until the incentive has been changed, until the economic incentive has been changed. So I'm not saying let's take out command and control servers. I gave you one. It's still up. Nobody came to claim the beer, so it's going to be mine. I thought these guys were serious hackers. It's still there. It's not owned.

The whack-a-mole isn't going to solve our problem. We have to change the economic incentive. I know that it makes people feel better, and it's an instant relief to see it taken out, and lots of people work on taking them out. I agree that taking them out might not be the best way to solve the problem long term. I think it's a short-term activity to... in that makes it cost more to deploy them. It makes it so you can drive less revenue, I think. So, that answer your question? I think by taking out the incentive to deploy the botnets on the people's computers, and that's done by remediation on the nodes that are compromised, and detection, remediation and then prevention. I believe that's one way. But I think my time is up. So I thank you, and have a good day.