Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botnet Expert Wants 'Special Ops' Security Teams

Posted by timothy on from the if-wishes-were-horses dept.

CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"

6 of 115 comments (clear)

  1. Re:A more simple solution... by emocomputerjock · · Score: 4, Insightful

    This still doesn't address drive by exploits, XSS, SQL injections, or any number of other threats. That being said, vigilantism isn't the approach either. You have to get countries and governments on board, with treaties signed and all that jazz.

  2. McColo success story? by T5 · · Score: 4, Insightful

    I'd call that a abject failure, a speed bump at best. It was a temporary takedown that was reinstated long enough for the baddies to copy all of their goods off to another site and reset the command and control to point to that other site.

  3. Well by I)_MaLaClYpSe_(I · · Score: 5, Insightful

    If user education was going to work, it would have worked by now.

    ~ Anti-virus researcher Vesselin Bontchev

  4. Re:A more simple solution... by pzs · · Score: 5, Insightful

    Any solution that relies on people not being lazy morons is never going to work.

  5. Re:ISPs by JerkBoB · · Score: 4, Insightful

    If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.

    Sending warning emails to users is a pointless exercise. Assuming that they read/understand the email in the first place (BIG assumption), I guarantee that the majority of them will just delete it. Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.

    No, I think the solution is for zombied computers to be quarantined. Use DNS and routing tricks to redirect any attempts to go anywhere "on the internets" (i.e. a web browser) to a site which explains that they're quarantined, and what they have to do to get out.

    Unfortunately, that would raise call volumes to the ISP support lines, and require commitment on the ISPs' part to train their support monkeys. If ISPs started facing financial penalties for zombied users, then maybe the economics would balance out.

    I'm sure I'm not the first person to think of this, though, so I'm probably missing something.

    --
    A host is a host from coast to coast...
    Unless it's down, or slow, or fails to POST!
  6. ISPs? What the hell happened to slashdot? by tacokill · · Score: 4, Insightful

    There are several posts advocating larger ISP involvement and nobody has mentioned the obvious slippery slope with ISP's being put into a "policing" role.

    If ISPs are allowed to "track down" botnets and botnet zombies, then why can't they "track down" torrents? Or porn? or any other thing that the powers-that-be don't want you downloading? Am I the only one who sees major problems with ISP's being put in a watchdog role?

    I can't believe nobody has brought this up. Am I in the right place? Is this slashdot?