Security

Botnet Expert Wants 'Special Ops' Security Teams

CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"
  • ISPs (Score:3, Interesting)

    by orange47 ( 1519059 ) on Wednesday April 22, 2009 @08:07AM (#27673205)
    They need the cooperation of ISPs. If only ISPs worldwide would at least send a warning to customers that run 'zombie machines'.
  • Re:ISPs (Score:5, Interesting)

    by Culture20 ( 968837 ) on Wednesday April 22, 2009 @08:18AM (#27673281)
    If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.
  • Idea Guy (Score:5, Interesting)

    by Anonymusing ( 1450747 ) on Wednesday April 22, 2009 @08:30AM (#27673345)

    Stewart... acknowledged he doesn't have all the answers. "I'm more of an idea guy."

    Thanks for the idea! Because nobody has thought of this before [networkworld.com]. Congrats on the ComputerWorld article, though.

    By necessity, the work would have to be done in secret, so as to not alert hackers that a group is on their trail.

    But... you just published your idea to the world.

    Stewart declined to comment on whether there were teams organized along the lines he suggests already in operation. "I don't want to comment on ones that have or have not started," he said.

    So... this may or may not be your own original idea, because there may or may not be teams like this already in existence?

  • Re:ISPs (Score:3, Interesting)

    by new_breed ( 569862 ) on Wednesday April 22, 2009 @08:35AM (#27673391)
    What better warning to a user that his/her machine is infected than email suddenly disappearing?
  • trust (Score:4, Interesting)

    by Deanalator ( 806515 ) <pierce403@gmail.com> on Wednesday April 22, 2009 @08:56AM (#27673591) Homepage

    Most hacker groups I have seen are set up in such a way where no one needs to trust anyone else. Status is based on what you contribute to the group, so if someone doesn't contribute much, they no longer get access to the work of the collective.

    For someone to "infiltrate" a group, all they need to do is contribute to the work being done, and I highly doubt IRC logs will be very admissible as evidence.

    My point is, if someone is going to get to the level where they can put anyone of any importance in jail, they are first going to need to contribute a significant amount to the underground community, which would probably cause more problems than it would solve.

  • by Dan541 ( 1032000 ) on Wednesday April 22, 2009 @10:15AM (#27674379) Homepage

    Problem is there aren't any innocent people to sue for infringements so the government won't give it a high priority.
