Botnet Expert Wants 'Special Ops' Security Teams
CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"
McColo success story? (Score:5, Insightful)
I'd call that an abject failure, a speed bump at best. It was a temporary takedown that was reinstated long enough for the baddies to copy all of their goods off to another site and reset the command and control to point to that other site.
How about... (Score:0, Insightful)
How about building secure systems?
Swat one fly, ten arrive to feed.
Swat ten flies, a hundred arrive instead.
Remove the food, and no flies arrive.
Well (Score:5, Insightful)
If user education was going to work, it would have worked by now.
~ Anti-virus researcher Vesselin Bontchev
Re:A more simple solution... (Score:5, Insightful)
Any solution that relies on people not being lazy morons is never going to work.
Track, infiltrate, disrupt (Score:4, Insightful)
I remained silent;
I was not a malware author.
Then they locked down the adult sites,
I remained silent;
I was not a pervert.
Then they came for the bittorrent trackers,
I did not speak out;
I was not a pirate.
Then they came for the internet,
I did not speak out;
I was not a blogger.
When they came for me,
there was nowhere left to speak out.
Re:ISPs (Score:3, Insightful)
Not if they charge per email sent... like .0001 cent... still adds up enough to let someone know they are infected, and with a cap at $100/month, this will avoid a user falling off his chair, but make it sure evident to do something about it before next month.
As for the culprits, $100 per month for spamming might not be much, but then you have a paper trail which could be used to track activity for particular botnets.
Re:ISPs (Score:5, Insightful)
If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.
Sending warning emails to users is a pointless exercise. Assuming that they read/understand the email in the first place (BIG assumption), I guarantee that the majority of them will just delete it. Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.
No, I think the solution is for zombied computers to be quarantined. Use DNS and routing tricks to redirect any attempts to go anywhere "on the internets" (i.e. a web browser) to a site which explains that they're quarantined, and what they have to do to get out.
Unfortunately, that would raise call volumes to the ISP support lines, and require commitment on the ISPs' part to train their support monkeys. If ISPs started facing financial penalties for zombied users, then maybe the economics would balance out.
I'm sure I'm not the first person to think of this, though, so I'm probably missing something.
Re:Or just get used to it. (Score:4, Insightful)
There is no crime if nobody got hurt in real life. There is not (or should not be) any such thing as cyber-murder, cyber-theft, cyber-kidnapping etc., simply because everything that's "cyber" is "information", and information, by definition, cannot be murdered, stolen or kidnapped.
Are you serious?
This isn't about virtual murder. It's about botnets that may steal your credit card information, be directed to launch attacks against servers, etc. There is significant potential for financial harm. Suppose your credit lines were maxed out by someone else, rendering your payments late, and then your bank got DoS'd so you couldn't access your money? What if you lived in Estonia, whose government and banks were essentially shut down during a massive cyberattack?
ISPs? What the hell happened to slashdot? (Score:5, Insightful)
If ISPs are allowed to "track down" botnets and botnet zombies, then why can't they "track down" torrents? Or porn? or any other thing that the powers-that-be don't want you downloading? Am I the only one who sees major problems with ISP's being put in a watchdog role?
I can't believe nobody has brought this up. Am I in the right place? Is this slashdot?
Re:Track, infiltrate, disrupt (Score:3, Insightful)
That sounds like a case of one of the Godwin's law extensions.
Re:ISPs (Score:3, Insightful)
I work for a major Finnish ISP and since this information is public knowledge, I am not going to anon this post.
We have several systems (which are actually pretty good and do work) in place that identify and warn us regarding the kind of traffic that happens when a customer machine is turned into a botnet zombie. When this is detected, the customer is approached by either email or phone and given a grace period of a couple of days to clean up his machine. If the customer ignores this, his internet connection gets locked when the grace period is up.
If we cannot contact the customer by email/phone, we simply lock the connection; eventually the customer will call us.
Quite obviously we also block any outgoing :25 SMTP traffic to any and all servers except our own.
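The two ISP-side mechanisms discussed in this thread, the detect / warn / grace period / lock workflow the Finnish ISP poster describes and the earlier "quarantine zombied machines behind a DNS redirect" suggestion, fit together in a small model. The following is an added example written for this page; it is not code from any ISP or from the commenters. All addresses are constructed from TEST-NET ranges, the flow records are made up, and the threshold (three distinct foreign port-25 peers in a day) and grace period (two days) are assumed values, not anyone's real policy.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed values (TEST-NET addresses); not any real ISP's configuration.
ISP_MAIL_RELAYS: Set[str] = {"198.51.100.25"}  # the ISP's own SMTP relays: port 25 is allowed here
WALLED_GARDEN_IP = "198.51.100.80"             # quarantine page a locked customer is redirected to
SMTP_THRESHOLD = 3                              # distinct foreign port-25 peers per day (assumed)
GRACE_DAYS = 2                                  # days to clean up after a warning (assumed)

Flow = Tuple[int, str, str, int]  # (day, customer_ip, dst_ip, dst_port)

# Constructed flow log, one record per line: "day src dst dport".
# 10.0.0.7 relays mail to strangers every day; 10.0.0.12 does so once and then stops;
# 10.0.0.9 only talks to the ISP relay on :25 and to a web server on :443.
SAMPLE_FLOWS = """\
1 10.0.0.7 203.0.113.5 25
1 10.0.0.7 203.0.113.6 25
1 10.0.0.7 203.0.113.7 25
1 10.0.0.12 203.0.113.5 25
1 10.0.0.12 203.0.113.6 25
1 10.0.0.12 203.0.113.7 25
1 10.0.0.9 198.51.100.25 25
1 10.0.0.9 203.0.113.50 443
2 10.0.0.7 203.0.113.5 25
2 10.0.0.7 203.0.113.6 25
2 10.0.0.7 203.0.113.8 25
3 10.0.0.7 203.0.113.5 25
3 10.0.0.7 203.0.113.9 25
3 10.0.0.7 203.0.113.10 25
3 10.0.0.9 203.0.113.50 443
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed 'day src dst dport' records into tuples."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, port = line.split()
        flows.append((int(day), src, dst, int(port)))
    return flows


def flag_spam_relays(day_flows: List[Flow], threshold: int = SMTP_THRESHOLD) -> Dict[str, Set[str]]:
    """Customers that reached >= threshold distinct mail servers other than the ISP's own relays."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for _, src, dst, port in day_flows:
        if port == 25 and dst not in ISP_MAIL_RELAYS:
            peers[src].add(dst)
    return {src: dsts for src, dsts in peers.items() if len(dsts) >= threshold}


@dataclass
class Customer:
    state: str = "clean"  # clean -> warned -> locked, or warned -> clean if the machine is fixed
    warned_on: Optional[int] = None


class AbuseDesk:
    """Detect, warn, allow a grace period, then lock; locked customers get the walled garden."""

    def __init__(self, grace_days: int = GRACE_DAYS):
        self.grace_days = grace_days
        self.customers: Dict[str, Customer] = {}

    def process_day(self, day: int, flows: List[Flow]) -> Dict[str, str]:
        flagged = flag_spam_relays([f for f in flows if f[0] == day])
        for src in flagged:
            c = self.customers.setdefault(src, Customer())
            if c.state == "clean":
                c.state, c.warned_on = "warned", day          # first detection: warn, start the clock
            elif c.state == "warned" and day - c.warned_on >= self.grace_days:
                c.state = "locked"                             # still relaying after the grace period
        for src, c in self.customers.items():
            if c.state == "warned" and src not in flagged and day - c.warned_on >= self.grace_days:
                c.state, c.warned_on = "clean", None           # quiet through the grace period: cleaned up
        return {src: c.state for src, c in self.customers.items()}

    def resolve(self, client_ip: str, real_answer: str) -> str:
        """Resolver policy: a locked customer gets the quarantine page for every name it asks about."""
        c = self.customers.get(client_ip)
        return WALLED_GARDEN_IP if c is not None and c.state == "locked" else real_answer


def build_desk(text: str = SAMPLE_FLOWS) -> AbuseDesk:
    """Replay the flow log day by day through the abuse desk and return its final state."""
    flows = parse_flows(text)
    desk = AbuseDesk()
    for day in sorted({f[0] for f in flows}):
        desk.process_day(day, flows)
    return desk


def run_simulation(text: str = SAMPLE_FLOWS) -> Dict[str, str]:
    return {src: c.state for src, c in build_desk(text).customers.items()}


if __name__ == "__main__":
    desk = build_desk()
    print(run_simulation())                               # 10.0.0.7 locked, 10.0.0.12 back to clean
    print(desk.resolve("10.0.0.7", "203.0.113.80"))       # walled garden
    print(desk.resolve("10.0.0.9", "203.0.113.80"))       # real answer
```

Two choices matter for the reader. Counting distinct foreign port-25 peers rather than raw connection counts is what separates a relaying zombie from a customer who simply runs a lot of mail through the ISP's own relay, which is exactly the traffic the poster's ISP still allows. And the warned state clears only after a quiet grace period, so a customer is never locked for a single day's burst yet cannot run out the clock by relaying on alternate days.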
Re:ISPs (Score:3, Insightful)
I don't mean this in a snarky way, but given that the population of the entire country of Finland is ~5.2M folks, I can't imagine that even a "major" Finnish ISP has a huge userbase.
I used to work for a medium-sized regional ISP. We were one of several similar-sized ISPs serving a multi-metro area of maybe 3M people. At our peak, we had 30k accounts, if I recall correctly. This was back in the dialup days, btw.
Anyhow, my point is that when you're talking about the scale of the behemoth ISPs here in the States, expecting proactive approaches to zombie fighting is unrealistic. Support is an expensive cost center, which is why it's been farmed off to India. Getting experienced people who know how to do more than reboot the computer or reinstall ethernet/modem drivers is pretty experienced.
It's the financial aspects of the problem which make me pessimistic that ISPs will do anything to fix it.