April 22, 2009 5:09 PM PDT

Botnet expert suggests hitting cybercriminals in pocket book

by Elinor Mills

SAN FRANCISCO--Technology is not enough to help the security industry keep botnets from stealing people's money and committing denial-of-service attacks, a top botnet researcher said on Wednesday. His suggestion? Stop the flow of money to their coffers.

"We need to disrupt their business model and make it hard for them to carry out their attacks and make money," Joe Stewart, a security researcher at SecureWorks, said in an interview at the RSA 2009 security conference here.

"Right now, it's risky to surf the Internet with a PC," he said. "I would like to see us return to a time when you could surf the Internet and trust that your computer wasn't going to get infected."

Computers can be infected in any number of ways, but typically they get a Trojan or other malicious program downloaded onto them without the owner's knowledge, which happens either from visiting a Web site with malicious code on it or opening malicious attachments in e-mail.

Once infected, depending on the attack, a computer can be controlled by remote attackers who are able to steal data or instruct the computer and other so-called zombies into sending spam or launching distributed denial-of-service attacks to shut down Web sites.

Researchers have focused on trying to stop attacks, but once they get a botnet operator kicked offline by shutting down its hosting provider, it's usually not long before the botnet cranks back up with its command-and-control server at a different location, he said. For example, four months after a major botnet hoster, McColo, was shut down in November, the spam volumes were back up to normal levels.

Specifically, victims should be encouraged to seek reimbursement when they are charged for things like purchasing software that masquerades as a legitimate antivirus program, said Stewart, who created an ingenious eye-chart program that PC users can use to test whether their computers are infected with Conficker. The eye chart was needed because Conficker blocks access to security sites people would normally visit to check for infection.

The industry should also create teams of researchers that would focus on a single crime group or operation much like police stay on the trail of a particular real-world organized crime gang until everyone is arrested, Stewart said.

The organization would need funding, which could possibly come from the companies that seem to be impacted the most from cybercrime, like credit card processors, he said.

Law enforcement efforts are thwarted because officials in other countries where cybergangs are based often can't be convinced to cooperate, he said. Getting countries to sign a global anti-Internet abuse accord would be ideal, he said.

Meanwhile, national CERT (Computer Emergency Readiness Team) organizations should be given authority to fight botnets by ordering Internet service providers to shut down hosting providers, Stewart said. In South Korea, for example, malicious Internet activity dropped drastically when the CERT there got teeth, he added.

Stewart is scheduled to give a presentation on his idea during a session Thursday at RSA and at an upcoming Interpol meeting.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
17 Comments
by gertruded April 22, 2009 6:32 PM PDT
The problem is with WINDOWS PCs. Why is everyone in the media protecting Microsoft?

It is WINDOWS PCs, and only Windows PCs!!!!
by Lerianis3 April 23, 2009 9:07 AM PDT
Pwn2Own..... need I say more?

It is NOT just Windows PCs, it is MAJORITY Windows PCs (and pretty much only Windows XP PCs) because the other two (Linux and OSX) are STILL niche brands. Once they are ANYTHING over 10% of the computers in the world, we will see THEM being attacked just as much as Windows PCs.
by gertruded April 23, 2009 10:01 AM PDT
Lerianis3--Just nonsense. We have been hearing the arguments that you are repeating for many years now.

Those arguments are really just not the point. The point is, if you are running a Windows PC, you are at risk. If you are running another operating system you are not. That is the fact. Being the fact, why would anyone run Windows online?
by kjam_productions April 23, 2009 11:09 AM PDT
Don't be such an idiot. Lerianis3 has it right. The overwhelming majority of PCs in the world run Windows, thus making it an attractive choice for the pimple faced ******** to go after. Just to be fair, CNET did run an article some months back where Apple made a very public statement suggesting that their users should consider an alternative firewall and antivirus for their Macs. In the real world, had Macs taken off and been on an equal platform with Windows as far as users, you would hear more about attacks on the OSX platform. Right now, it's a waste of their time and efforts to rip those people off. Frankly, I would think it would be more attractive, because apparently the MacHeads have a lot more money to burn and probably larger bank accounts.
by gertruded April 23, 2009 11:58 AM PDT
kkjam. Why do Windows and MS people always attack the other person personally when they disagree? The fact is that if you run Windows you are at risk. If you run another operating system you are not.

The personal attacks are unacceptable and childish.
by Seaspray0 May 14, 2009 7:35 AM PDT
Then perhaps you should take off the blinders and read this report from IBM...

http://news.cnet.com/8301-1009_3-10154662-83.html
The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years
by gertruded April 22, 2009 6:35 PM PDT
I will answer my own question. It is because they are all making money on the security problem with WINDOWS.

If Windows was secure they would be out of a job.
by Seaspray0 April 23, 2009 11:24 AM PDT
There is no such thing as a secure operating system. That includes every operating system made today. Since you feel compelled to only attack windows in your statement, I shall provide the counterpoint...

http://news.cnet.com/8301-1009_3-10154662-83.html
The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years
by rcardona2k April 22, 2009 7:20 PM PDT
Windows?? And here I thought the problem all along was users!! Damn users getting infected.
by April 23, 2009 6:12 AM PDT
Back in the Commodore 64 days, we used to write response programs to attacks called disk imagers. When attacked, we would send back a disk imager that secretly planted itself on the attacker's computer. At a predetermined time the disk imager formatted their drive(s) without notice.

Stopped many attackers in their tracks.

Is it justified?

Is the monetary and security damage they do worth a tactic like this?

You be the judge.
by darfjono April 23, 2009 6:59 AM PDT
that's awesome.
by Lerianis3 April 23, 2009 9:12 AM PDT
You do have to blame the users somewhat now. Personally, I have NEVER gotten 'infected' with a virus. I have had viruses appear on my machine, but Norton, Kaspersky and McAfee (I am testing their 'new' products) always caught the things.
In fact, I have had more problems with the same software telling me that something was 'infected' when it wasn't!
by cooperin April 23, 2009 6:55 AM PDT
Maybe we should return the favor to these thieves and hackers by sending them an email virus that shuts down their computers.
What's good for the goose is good for the gander.
by Lerianis3 April 23, 2009 9:09 AM PDT
Little problem: we are not sure which computers are just some sap with a trojan on their computer, and which are the REAL bad guys. Once we figure that out..... I think that hacking their computers, setting up stuff to find them, and then sending a government approved 'extreme rendition' squad over to the country in question is reasonable.
by rcardona2k April 23, 2009 8:29 AM PDT
Yeah good luck with targeting the real culprits, they will use compromised machines so clueless joes will be caught in the cross-fire.
by Lerianis3 April 23, 2009 9:10 AM PDT
Unfortunately, right. Most of the real 'bad guys' are only on the internet for a SECOND or less talking with the trojans, telling them what to do, and then either shut down their command program or shut down their internet connection TOTALLY!
by AG_guitarman April 23, 2009 1:14 PM PDT
Why not also block their bank accounts once they are identified? They have to have a bank account somewhere to take credit cards. If we make this expensive for the banks it will rapidly come to a halt.

AG