Botnet Expert Wants 'Special Ops' Security Teams
CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"
Nuh-uh... (Score:4, Informative)
-- How does the Internet Police cross international boundaries in a legal fashion? A Status of Forces Agreement, perhaps? Would England really like Argentina (for example) to shut customers off because they're supporting a botnet?
-- What enforcement tools would be utilized to force people to use anti-virus/malware programs? What are the consequences for the user if they choose not to? There are quite simply too many potholes for a one-nation or government solution, I think. I can't think of a country that's fixed all of their own individual problems, much less opened up an Internets Po-Po division to take care of a global problem as well.
Re:Well (Score:3, Informative)
Why the hell are quotations not shown in the preview line of comments?
That having been said, please excuse the reply to my own posting.
Cut off their funding (Score:3, Informative)
If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc.) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.
Easy low cost way to do this.
1. Allow the public at large to easily report suspected fraud to a centralized web site.
2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
3. Have the finance investigators work with requisite police agencies world wide.
Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.
Re:ISPs (Score:2, Informative)
Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.
In my experience, it's worse than that. It's not that they don't care. They don't even believe it.
"My computer works fine. It can't be infected. I have Norton 2003 that came with the computer, so I'm fine. It's maybe a little slow, but that's because it's getting old and wearing out. I'M NOT INFECTED!I'MNOTINFECTED!I'MNOTINFECTED!LALALALALA"
Attack Vector? (Score:4, Informative)
Googling for Conficker gave me Wikipedia's entry
http://en.wikipedia.org/wiki/Conficker
Looking through Conficker's entry gave me the vector MS08-067
Googling for the vector gave me this article
http://www.phreedom.org/blog/2008/decompiling-ms08-067/
Is it that Win32 lacks a high-quality, well-tested, easily reusable path class, or is it that Microsoft is such a large company that a rogue programmer circumventing the approved safe path class and engaging in not-invented-here-roll-your-own antics is commonplace?
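As an added example (not code from the comment, from the linked article, or from any Windows component), here is the kind of small, bounded path canonicalizer the comment is asking about. It collapses "." and ".." components of an absolute backslash-separated path, and the security-relevant part is the ".." branch: when there is no component left to drop it returns an error instead of scanning backwards past the start of the output buffer, so inputs such as "\..\..\x" are rejected rather than walked off the beginning. The function names (canon_path, canon_path_equals, canon_path_status) are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Canonicalize an absolute, backslash-separated path:
 *   "\a\.\b\..\c"  ->  "\a\c"
 * Returns 0 on success and -1 if the input is not absolute, if ".."
 * would climb above the root, or if the result does not fit in
 * out[outlen]. On success out is NUL-terminated; on failure its
 * contents are unspecified. Example code, not a Win32 API. */
int canon_path(const char *in, char *out, size_t outlen)
{
    if (in == NULL || out == NULL || outlen < 2 || in[0] != '\\')
        return -1;

    out[0] = '\\';
    size_t pos = 1;              /* bytes of output written so far */
    const char *p = in + 1;

    while (*p != '\0') {
        /* Isolate the next component as [p, end). */
        const char *end = p;
        while (*end != '\0' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* Empty component ("\\") or ".": emit nothing. */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            /* "..": drop the last emitted component. The check on pos is
             * the whole point: at the root there is nothing to drop, so
             * fail instead of scanning backwards past out[0]. */
            if (pos <= 1)
                return -1;
            size_t i = pos;
            while (out[i - 1] != '\\')   /* out[0] is '\\', so this stops */
                i--;
            pos = (i - 1 == 0) ? 1 : i - 1;   /* keep the root separator */
        } else {
            /* Ordinary component: optional separator + bytes + NUL. */
            size_t need = (pos > 1 ? 1 : 0) + len + 1;
            if (outlen - pos < need)
                return -1;
            if (pos > 1)
                out[pos++] = '\\';
            memcpy(out + pos, p, len);
            pos += len;
        }
        p = (*end == '\\') ? end + 1 : end;
    }
    out[pos] = '\0';
    return 0;
}

/* Test helper: 1 if canon_path(in) succeeds and the result equals want. */
int canon_path_equals(const char *in, const char *want)
{
    char buf[64];
    return canon_path(in, buf, sizeof buf) == 0 && strcmp(buf, want) == 0;
}

/* Test helper: return code of canon_path into a buffer of outlen bytes. */
int canon_path_status(const char *in, size_t outlen)
{
    char buf[64];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return canon_path(in, buf, outlen);
}

int main(void)
{
    const char *inputs[] = {
        "\\a\\.\\b\\..\\c", "\\a\\..\\b", "\\a\\\\b\\", "\\..\\..\\x", "a\\b",
    };
    char buf[64];
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        if (canon_path(inputs[k], buf, sizeof buf) == 0)
            printf("%-16s -> %s\n", inputs[k], buf);
        else
            printf("%-16s -> rejected\n", inputs[k]);
    }
    return 0;
}
```

The two checks worth copying into any hand-rolled canonicalizer are the `pos <= 1` guard before the backwards scan and the `outlen - pos < need` guard before every write; the rest is bookkeeping.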
Re:Well (Score:3, Informative)
I've cleaned a couple of computers of malware where the owners didn't know they had malware installed... but complained that their internet connection was slow, and blamed their new ISP. When I opened a traffic monitor and took some measurements I realized that even idle the computer was maxing the available bandwidth.
Networking is being seamlessly and transparently integrated into the computer... where I think a different approach should be taken. People need to have more direct and present feedback on the processes and network connections on their computers... even if simplified, iconified, graphed or whatever. The consequences of running malware are very real at the OS level, and this should become more evident to users. ... This way people will start noticing when things go wrong, and start taking measures to keep everything OK. As long as some aspects of the computer are voodoo, it's voodoo all the way.