Slashdot Mirror


Botnet Expert Wants 'Special Ops' Security Teams

CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"

30 of 115 comments

  1. A more simple solution... by the4thdimension · Score: 3, Insightful

    Teach users to be safe on the internet and not download any old thing that pops up on the screen... seems cheaper and easier than waging an all out witch hunt on botnet admins.

    1. Re:A more simple solution... by emocomputerjock · Score: 4, Insightful

      This still doesn't address drive-by exploits, XSS, SQL injections, or any number of other threats. That being said, vigilantism isn't the approach either. You have to get countries and governments on board, with treaties signed and all that jazz.

    2. Re:A more simple solution... by guyminuslife · Score: 5, Funny

      We get Dick Cheney to run the computer security task force, give him no oversight and a redacted budget. Then tell him there's oil in the Internet.

      I guarantee, all your regulatory problems will mysteriously vanish, just like all of the(*)#(*)@R_ *CARRIER LOST*

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.

    3. Re:A more simple solution... by pzs · Score: 5, Insightful

      Any solution that relies on people not being lazy morons is never going to work.

    4. Re:A more simple solution... by mrboyd · Score: 2, Insightful

      Why call it a witch hunt? Police forces and armies should gear up and have some kind of internet SWAT team, as more and more crimes are committed online. I don't see why sometimes a team of "security researchers", white hats or iSwat (however you want to call them) working under a police mandate couldn't be allowed to "raid" a computer and place rootkits, keyloggers and whatnot if they have the proper warrant. Just like they could bug your phone or search your house, car or financial records with, again, the proper warrant. Just because it's the internet doesn't mean it has to be out of the scope of law enforcement.

    5. Re:A more simple solution... by Dan541 · Score: 2, Interesting

      Problem is there aren't any innocent people to sue for infringements, so the government won't give it a high priority.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"

    6. Re:A more simple solution... by DriedClexler · Score: 2, Funny

      This still doesn't address drive by exploits, XSS, SQL injections,

      True, but I think we could take care of the last one by prohibiting people from taking any legal name that includes the string "); Drop Table"

      --
      Information theory is life. The rest is just the KL divergence.

    7. Re:A more simple solution... by emocomputerjock · Score: 2, Insightful

      I argue differently. SQL injections, XSS attacks, and drive-by exploits are every bit a part of the botnet problem. Firstly, malware needs a place to exist. This is not only on domains stood up with the express purpose of hosting said malware, but on legitimate compromised webservers. Secondly, malware and botnet coders are coming up with as many exploits as possible that do not involve user interaction, through javascript, browser exploits, and unpatched security vulnerabilities. For the remainder there are intensely sophisticated attacks relying on social engineering and reputation hijacking. It's a lot easier to run code on a user's machine when the webserver is one the user already trusts and has set in a trusted security zone. The solution to this problem is going to require multinational political agreement. The problem with that is not only that it is work, but that the countries the criminals reside in have little to no incentive to cooperate. These countries are often poor and have a base of computer science and programming majors with low-paying or no jobs who commit computer crime for the income. It may not be legal, but those people are at least making and spending money, making it a heck of a lot more difficult to enlist the host countries' help in apprehending them.

  2. Finally! by mc1138 · Score: 4, Funny

    A bunch of fat, Cheetos-eating superheroes I can identify with!

  3. ISPs by orange47 · Score: 3, Interesting

    They need the cooperation of ISPs. If only ISPs worldwide would at least send a warning to customers that run 'zombie machines'.

    1. Re:ISPs by Culture20 · Score: 4, Interesting

      If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.

    2. Re:ISPs by new_breed · Score: 2, Interesting

      What better warning to a user that his/her machine is infected than email suddenly disappearing?

    3. Re:ISPs by hesaigo999ca · Score: 2, Insightful

      Not if they charge per email sent... like .0001 cent... it still adds up enough to let someone know they are infected, and with a cap at $100 a month this will avoid a user falling off his chair, but make it evident enough to do something about it before next month.

      As for the culprits, $100 per month for spamming might not be much, but then you have a paper trail which could be used to track activity for particular botnets.

    4. Re:ISPs by JerkBoB · Score: 4, Insightful

      If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.

      Sending warning emails to users is a pointless exercise. Assuming that they read/understand the email in the first place (BIG assumption), I guarantee that the majority of them will just delete it. Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.

      No, I think the solution is for zombied computers to be quarantined. Use DNS and routing tricks to redirect any attempts to go anywhere "on the internets" (i.e. a web browser) to a site which explains that they're quarantined, and what they have to do to get out.

      Unfortunately, that would raise call volumes to the ISP support lines, and require commitment on the ISPs' part to train their support monkeys. If ISPs started facing financial penalties for zombied users, then maybe the economics would balance out.

      I'm sure I'm not the first person to think of this, though, so I'm probably missing something.

      --
      A host is a host from coast to coast...
      Unless it's down, or slow, or fails to POST!

    5. Re:ISPs by dnaumov · Score: 2, Insightful

      I work for a major Finnish ISP and since this information is public knowledge, I am not going to anon this post.

      We have several systems (which are actually pretty good and do work) in place that identify and warn us regarding the kind of traffic that happens when a customer machine is turned into a botnet zombie. When this is detected, the customer is approached by either email or phone and given a grace period of a couple of days to clean up his machine. If the customer ignores this, his internet connection gets locked when the grace period is up.

      If we cannot contact the customer by email/phone, we simply lock the connection; eventually the customer will call us.

      Quite obviously we also block any outgoing :25 SMTP traffic to any and all servers except our own.
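A constructed sketch of the detect / notify / grace period / lock workflow the post above describes, added here as an example and not the ISP's actual system; the flow records, the thresholds and the relay address are all assumed, and the detector keys on the one traffic pattern the post names (outbound :25 to anything but the ISP's own server):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records (timestamp, customer_ip, dst_ip, dst_port).
# 10.0.0.7 sprays port 25 at 40 distinct hosts (spam-bot pattern),
# 10.0.0.8 talks only to the ISP's own relay, 10.0.0.9 is plain web browsing.
ISP_MAIL_RELAY = "203.0.113.5"  # assumed address of the ISP's own SMTP server
FLOWS = [("2009-04-20T10:00:%02d" % i, "10.0.0.7", "198.51.100.%d" % (i % 40), 25)
         for i in range(60)]
FLOWS += [("2009-04-20T10:01:00", "10.0.0.8", ISP_MAIL_RELAY, 25)] * 30
FLOWS += [("2009-04-20T10:02:%02d" % i, "10.0.0.9", "198.51.100.%d" % i, 80)
          for i in range(50)]

T0 = datetime(2009, 4, 20, 12, 0)   # constructed time of first customer contact
ONE_DAY = timedelta(days=1)


def find_zombies(flows, min_conns=20, min_distinct=10):
    """Flag customer IPs that open many outbound :25 connections to many distinct
    external hosts. Mail through the ISP's own relay is the only :25 traffic the
    ISP permits, so it is excluded from the count."""
    conns = defaultdict(int)
    hosts = defaultdict(set)
    for _ts, src, dst, port in flows:
        if port != 25 or dst == ISP_MAIL_RELAY:
            continue
        conns[src] += 1
        hosts[src].add(dst)
    return sorted(ip for ip in conns
                  if conns[ip] >= min_conns and len(hosts[ip]) >= min_distinct)


def decide(now, contacted_at, still_infected, grace=2 * ONE_DAY):
    """Policy from the post: a customer reached by email or phone gets a grace
    period from the moment of contact and is locked only if still infected when it
    ends; a customer who could not be reached at all is locked immediately."""
    if not still_infected:
        return "ok"
    if contacted_at is None:
        return "lock"          # unreachable: lock now and wait for the call
    if now - contacted_at >= grace:
        return "lock"          # grace period used up without a cleanup
    return "wait"              # still inside the grace period


if __name__ == "__main__":
    for ip in find_zombies(FLOWS):
        print(ip, "flagged; day 1:", decide(T0 + ONE_DAY, T0, True),
              "day 3:", decide(T0 + 3 * ONE_DAY, T0, True))
```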

    6. Re:ISPs by JerkBoB · Score: 2, Insightful

      I don't mean this in a snarky way, but given that the population of the entire country of Finland is ~5.2M folks, I can't imagine that even a "major" Finnish ISP has a huge userbase.

      I used to work for a medium-sized regional ISP. We were one of several similar-sized ISPs serving a multi-metro area of maybe 3M people. At our peak, we had 30k accounts, if I recall correctly. This was back in the dialup days, btw.

      Anyhow, my point is that when you're talking about the scale of the behemoth ISPs here in the States, expecting proactive approaches to zombie fighting is unrealistic. Support is an expensive cost center, which is why it's been farmed off to India. Getting experienced people who know how to do more than reboot the computer or reinstall ethernet/modem drivers is pretty expensive.

      It's the financial aspects of the problem which make me pessimistic that ISPs will do anything to fix it.

      --
      A host is a host from coast to coast...
      Unless it's down, or slow, or fails to POST!

  4. Nuh-uh... by pHus10n · Score: 4, Informative

    -- Requiring ISPs to send out warnings to zombie machines would help, but I'm not sure if I'd like to give them the opportunity to use packet inspection on my connection to verify the nature of the traffic. That's a slippery slope.
    -- How does the Internet Police cross international boundaries in a legal fashion? A Status of Forces Agreement, perhaps? Would England really like Argentina (for example) to shut customers off because they're supporting a botnet?
    -- What enforcement tools would be utilized to force people to use anti-virus/malware programs? What are the consequences for the user if they choose not to? There's quite simply too many potholes for a one-nation or government solution, I think. I can't think of a country that's fixed all of their own individual problems, much less open up an Internets Po-Po division to take care of a global problem as well.

  5. McColo success story? by T5 · Score: 4, Insightful

    I'd call that an abject failure, a speed bump at best. It was a temporary takedown that was reinstated long enough for the baddies to copy all of their goods off to another site and reset the command and control to point to that other site.

    1. Re:McColo success story? by cbiltcliffe · Score: 2, Funny

      True, but now we know the bad guys suck at backups, too....

      --
      "City hall" in German is "Rathaus". Kinda explains a few things......

  6. Well by I)_MaLaClYpSe_(I · Score: 5, Insightful

    If user education was going to work, it would have worked by now.

    ~ Anti-virus researcher Vesselin Bontchev

    1. Re:Well by I)_MaLaClYpSe_(I · Score: 2, Informative

      If user education was going to work, it would have worked by now. ~ Anti-virus researcher Vesselin Bontchev

      Why the hell are quotations not shown in the preview line of comments?

      That having been said, please excuse the reply to my own posting.

    2. Re:Well by ericlondaits · Score: 2, Informative

      I've cleaned a couple of computers of malware where the owners didn't know they had malware installed... but complained that their internet connection was slow, and blamed their new ISP. When I opened a traffic monitor and took some measurements I realized that even idle the computer was maxing the available bandwidth.

      Networking is being seamlessly and transparently integrated in the computer... where I think a different approach should be taken. People need to have more direct and present feedback of processes and network connections in their computers... even if simplified, iconified, graphed or whatever. The consequences of running malware are very real at the OS level, and this should become more evident to users. ... This way people will start noticing when things go wrong, and start taking measures to keep everything OK. As long as some aspects of the computer are voodoo, it's voodoo all the way.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.

  7. Idea Guy by Anonymusing · Score: 5, Interesting

    Stewart... acknowledged he doesn't have all the answers. "I'm more of an idea guy."

    Thanks for the idea! Because nobody has thought of this before. Congrats on the ComputerWorld article, though.

    By necessity, the work would have to be done in secret, so as to not alert hackers that a group is on their trail.

    But... you just published your idea to the world.

    Stewart declined to comment on whether there were teams organized along the lines he suggests already in operation. "I don't want to comment on ones that have or have not started," he said.

    So... this may or may not be your own original idea, because there may or may not be teams like this already in existence?

    --
    Liberal? Conservative? Compare perspectives at Left-Right

  8. Track, infiltrate, disrupt by AHuxley · Score: 3, Insightful

    When the researchers came for the malware authors,
    I remained silent;
    I was not a malware author.
    Then they locked down the adult sites,
    I remained silent;
    I was not a pervert.
    Then they came for the bittorrent trackers,
    I did not speak out;
    I was not a pirate.
    Then they came for the internet,
    I did not speak out;
    I was not a blogger.
    When they came for me,
    there was nowhere left to speak out.

    --
    Domestic spying is now "Benign Information Gathering"

    1. Re:Track, infiltrate, disrupt by mapkinase · Score: 3, Insightful

      That sounds like a case of one of the Godwin's law extensions.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.

  9. trust by Deanalator · Score: 3, Interesting

    Most hacker groups I have seen are set up in such a way where no one needs to trust anyone else. Status is based on what you contribute to the group, so if someone doesn't contribute much, they no longer get access to the work of the collective.

    For someone to "infiltrate" a group, all they need to do is contribute to the work being done, and I highly doubt IRC logs will be very admissible as evidence.

    My point is, if someone is going to get to the level where they can put anyone of any importance in jail, they are first going to need to contribute a significant amount to the underground community, which would probably cause more problems than it would solve.

  10. Cut off their funding by onyxruby · Score: 2, Informative

    If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.

    Easy, low-cost way to do this:
    1. Allow the public at large to easily report suspected fraud to a centralized web site.
    2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
    3. Have the finance investigators work with requisite police agencies world wide.

    Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.

  11. Re:Or just get used to it. by Anonymusing · Score: 3, Insightful

    There is no crime if nobody got hurt in the real life. There is (or should not be) any such thing as cyber-murder, cyber-theft, cyber-kidnapping etc, simply because everything that's "cyber" is "information", and information, by definition cannot be murdered, stolen or kidnapped.

    Are you serious?

    This isn't about virtual murder. It's about botnets that may steal your credit card information, be directed to launch attacks against servers, etc. There is significant potential for financial harm. Suppose your credit lines were maxed out by someone else, rendering your payments late, and then your bank got DoS'd so you couldn't access your money? What if you lived in Estonia, whose government and banks were essentially shut down during a massive cyberattack?

    --
    Liberal? Conservative? Compare perspectives at Left-Right

  12. ISPs? What the hell happened to slashdot? by tacokill · Score: 4, Insightful

    There are several posts advocating larger ISP involvement and nobody has mentioned the obvious slippery slope with ISPs being put into a "policing" role.

    If ISPs are allowed to "track down" botnets and botnet zombies, then why can't they "track down" torrents? Or porn? Or any other thing that the powers-that-be don't want you downloading? Am I the only one who sees major problems with ISPs being put in a watchdog role?

    I can't believe nobody has brought this up. Am I in the right place? Is this slashdot?

  13. Attack Vector? by Ukab+the+Great · Score: 3, Informative

    Googling for conficker gave me wikipedia's entry

    http://en.wikipedia.org/wiki/Conficker

    Looking through conficker's entry gave me the vector MS08-067

    Googling for the vector gave me this article

    http://www.phreedom.org/blog/2008/decompiling-ms08-067/

    Is it that win32 lacks a high-quality, well-tested, easily reusable path class, or is it that Microsoft is such a large company that a rogue programmer circumventing the approved safe path class and engaging in not-invented-here-roll-your-own antics is commonplace?